Send email notification for high severity alerts to admins is not enabled

ID

security_center_contact_admin_email_alerts

Severity

low

Vendor

Azure

Resource

Security Center

Tags

reachable

Description

Security Center should have admin email alerts enabled.

Azure Security Center (since renamed Microsoft Defender for Cloud) is a unified security management and threat protection service for hybrid cloud workloads: it covers resources in Azure, workloads running on-premises, and workloads in other clouds outside the Azure ecosystem.

Enabling "Send email also to subscription owners" (alertsToAdmins) means that, in addition to the configured security contact address, the owners of the subscription receive the high-severity security alert emails Microsoft sends. A potential security issue therefore reaches the people with authority over the subscription quickly, and the identified risk can be mitigated as fast as possible. The security contact email (alertNotifications) is a separate setting; both should be on, and the contact address should be a monitored mailbox rather than an individual's inbox.

See Security alerts and incidents to learn more about this topic.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Security/securityContacts",
      "name": "bad", (1)
      "apiVersion": "2017-08-01-preview",
      "properties": {
        "email": "[parameters('emailSecurityContact')]",
        "alertNotifications": "on",
        "alertsToAdmins": "off"
      }
    }
  ]
}
1 Security Center with alertsToAdmins disabled.

Terraform

resource "azurerm_security_center_contact" "bad" {
  name  = "contact"
  email = "contact@example.com"
  phone = "+1-555-555-5555"

  alert_notifications = true
  alerts_to_admins    = false # FLAW (1)
}
1 Security Center with alerts to admins disabled.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Security/securityContacts",
      "name": "good", (1)
      "apiVersion": "2017-08-01-preview",
      "properties": {
        "email": "[parameters('emailSecurityContact')]",
        "alertNotifications": "on",
        "alertsToAdmins": "on"
      }
    }
  ]
}
1 Security Center with alertsToAdmins enabled.

Terraform

resource "azurerm_security_center_contact" "good" {
  name  = "contact"
  email = "contact@example.com"
  phone = "+1-555-555-5555"

  alert_notifications = true
  alerts_to_admins    = true # FIXED
}

Runtime

Azure Portal

To change the setting, log in to the Azure Portal and then:

  • Navigate to Security Center.

  • Click Security Policy.

  • Navigate to Security Policy Subscription, click Edit Settings.

  • Click Email notifications.

  • Set Send email also to subscription owners to On.

  • Click Save.

In the current portal, where Security Center has been renamed Microsoft Defender for Cloud, the equivalent setting is under Environment settings, the subscription, then Email notifications.

CLI Command

  • To set Send email also to subscription owners to On, update the subscription's default security contact (the resource named default1) through the REST API:

$ az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"payload.json"'

The resource type is Microsoft.Security/securityContacts, not Microsoft.Security/pricings; the pricings endpoint sets the Defender plan tier, and sending this payload there will not enable admin alerts. Because PUT replaces the whole contact resource, the payload must carry the email address and phone number you want to keep, not only the alert flags.

payload.json contains the request body shown below:

{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
  "name": "default1",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<email address>",
    "phone": "<phone number>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}
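The following script is an added example and is not code from the original page, from Microsoft or from the Terraform provider. It applies the rule's check (alertsToAdmins must be On) to the three artefacts the page shows: the ARM template from the Examples and Buildtime sections, a Terraform plan rendered with `terraform show -json`, and the body returned by a GET of securityContacts/default1 from the Runtime section, and it builds the PUT payload for the runtime fix from the fetched contact so the existing email and phone are preserved. Every input is a constructed sample; the subscription ID, addresses and phone number are placeholders.

```python
"""Policy check for security_center_contact_admin_email_alerts (added example)."""
import json
from typing import Any, Dict, List, Optional

API_VERSION = "2017-08-01-preview"
CONTACT_TYPE = "microsoft.security/securitycontacts"


def is_on(value: Any) -> bool:
    """Azure serialises the flag as 'On'/'Off' (case differs between the ARM
    examples and the REST payload); Terraform exposes it as a boolean."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "on"


def check_arm_template(template: Dict[str, Any]) -> List[str]:
    """Names of securityContacts resources that do not alert admins. An ARM
    expression such as "[parameters('x')]" is reported too: it cannot be
    proven On without resolving the parameter file."""
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != CONTACT_TYPE:
            continue
        if not is_on(res.get("properties", {}).get("alertsToAdmins", "Off")):
            findings.append(res.get("name", "<unnamed>"))
    return findings


def check_terraform_plan(plan: Dict[str, Any]) -> List[str]:
    """Addresses of azurerm_security_center_contact resources in plan JSON
    whose alerts_to_admins is not true; child modules are walked as well."""
    findings: List[str] = []

    def walk(module: Dict[str, Any]) -> None:
        for res in module.get("resources", []):
            if res.get("type") == "azurerm_security_center_contact":
                if not is_on(res.get("values", {}).get("alerts_to_admins", False)):
                    findings.append(res["address"])
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return findings


def admin_alerts_enabled(contact: Dict[str, Any]) -> bool:
    """True if a securityContacts body fetched from the REST API alerts admins."""
    return is_on(contact.get("properties", {}).get("alertsToAdmins", "Off"))


def remediation_payload(subscription_id: str, email: str, phone: str) -> Dict[str, Any]:
    """Body for PUT .../securityContacts/default1?api-version=2017-08-01-preview.
    PUT replaces the resource, so email and phone must be carried over."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/securityContacts/default1",
        "name": "default1",
        "type": "Microsoft.Security/securityContacts",
        "properties": {
            "email": email,
            "phone": phone,
            "alertNotifications": "On",
            "alertsToAdmins": "On",
        },
    }


def remediate_if_needed(contact: Dict[str, Any], subscription_id: str) -> Optional[Dict[str, Any]]:
    """Return the PUT body if the fetched contact needs fixing, else None."""
    if admin_alerts_enabled(contact):
        return None
    props = contact.get("properties", {})
    return remediation_payload(subscription_id, props.get("email", ""), props.get("phone", ""))


# Constructed samples mirroring the page's examples (placeholder values, not real data).
ARM_TEMPLATE = {"resources": [
    {"type": "Microsoft.Security/securityContacts", "name": "bad",
     "properties": {"email": "contact@example.com", "alertNotifications": "on", "alertsToAdmins": "off"}},
    {"type": "Microsoft.Security/securityContacts", "name": "good",
     "properties": {"email": "contact@example.com", "alertNotifications": "on", "alertsToAdmins": "on"}},
]}
TF_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "azurerm_security_center_contact.bad", "type": "azurerm_security_center_contact",
     "values": {"email": "contact@example.com", "alert_notifications": True, "alerts_to_admins": False}},
]}}}
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder
API_RESPONSE = {  # shape of GET .../securityContacts/default1 with admin alerts off
    "id": f"/subscriptions/{SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default1",
    "name": "default1", "type": "Microsoft.Security/securityContacts",
    "properties": {"email": "secops@example.com", "phone": "+1-555-555-5555",
                   "alertNotifications": "On", "alertsToAdmins": "Off"},
}

if __name__ == "__main__":
    print("ARM findings:", check_arm_template(ARM_TEMPLATE))
    print("Terraform findings:", check_terraform_plan(TF_PLAN))
    print(json.dumps(remediate_if_needed(API_RESPONSE, SUBSCRIPTION), indent=2))
```

Write the returned body to payload.json and send it with the curl command above, or with `az rest --method put --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview" --body @payload.json`, which attaches the bearer token and substitutes the current subscription ID for you. Running the same GET afterwards and passing the response to admin_alerts_enabled confirms the change took effect.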