Send email notification for high severity alerts is not enabled

ID

security_center_contact_email_alerts

Severity

low

Vendor

Azure

Resource

Security Center

Tags

reachable

Description

Security Center should have email alerts enabled.

Azure Security Center is a solution that provides unified security management across hybrid cloud workloads. It offers threat protection for workloads running both in the cloud and on-premises, and it also covers hybrid clouds that are not part of the Azure ecosystem.

Enabling security alert emails to be sent to your organization's security staff ensures that they receive alert emails from Microsoft, so they are quickly aware of any potential security issue and can mitigate the identified risk as fast as possible.

See Security alerts and incidents to learn more about this topic.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Security/securityContacts",
      "name": "bad", (1)
      "apiVersion": "2017-08-01-preview",
      "properties": {
        "email": "[parameters('emailSecurityContact')]",
        "alertNotifications": "off",
        "alertsToAdmins": "on"
      }
    }
  ]
}
1 Security Center with alertNotifications disabled.

Terraform

resource "azurerm_security_center_contact" "bad" {
  name  = "contact"
  email = "contact@example.com"
  phone = "+1-555-555-5555"

  alert_notifications = false # FLAW (1)
  alerts_to_admins    = true
}
1 Security Center with alerts disabled.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Security/securityContacts",
      "name": "good", (1)
      "apiVersion": "2017-08-01-preview",
      "properties": {
        "email": "[parameters('emailSecurityContact')]",
        "alertNotifications": "on",
        "alertsToAdmins": "on"
      }
    }
  ]
}
1 Security Center with alertNotifications enabled.

Terraform

resource "azurerm_security_center_contact" "good" {
  name  = "contact"
  email = "contact@example.com"
  phone = "+1-555-555-5555"

  alert_notifications = true # FIXED
  alerts_to_admins    = true
}
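As an added example (not part of the original page and not Checkov's or Bridgecrew's own implementation), a small Python check that applies this policy to an ARM template: it reports every Microsoft.Security/securityContacts resource whose alertNotifications is not "on", so the "bad" resource above fails and the "good" one passes. The sample template is constructed inline to mirror the two examples on this page.

```python
"""Static check for the security_center_contact_email_alerts policy (added example)."""
import json

SECURITY_CONTACT_TYPE = "Microsoft.Security/securityContacts"


def _is_on(value) -> bool:
    # The ARM examples use "on"/"off" while the REST payload uses "On";
    # normalise case and whitespace before comparing.
    return isinstance(value, str) and value.strip().lower() == "on"


def find_contacts_without_email_alerts(template_text: str) -> list[str]:
    """Return the names of security contacts in the template that fail the policy."""
    template = json.loads(template_text)
    failing = []
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() != SECURITY_CONTACT_TYPE.lower():
            continue
        props = resource.get("properties", {})
        # A missing alertNotifications key is treated as a failure as well, so the
        # template has to enable email alerts explicitly rather than rely on defaults.
        if not _is_on(props.get("alertNotifications")):
            failing.append(resource.get("name", "<unnamed>"))
    return failing


# Constructed sample template: one contact with alerts off, one with alerts on.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": SECURITY_CONTACT_TYPE, "name": "bad", "apiVersion": "2017-08-01-preview",
         "properties": {"email": "[parameters('emailSecurityContact')]",
                        "alertNotifications": "off", "alertsToAdmins": "on"}},
        {"type": SECURITY_CONTACT_TYPE, "name": "good", "apiVersion": "2017-08-01-preview",
         "properties": {"email": "[parameters('emailSecurityContact')]",
                        "alertNotifications": "on", "alertsToAdmins": "on"}},
    ],
})

if __name__ == "__main__":
    for name in find_contacts_without_email_alerts(SAMPLE_TEMPLATE):
        print(f"FAIL security_center_contact_email_alerts: securityContacts/{name}")
```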

Runtime

Azure Portal

To change the policy, log into Azure Portal and then:

  • Navigate to Security Center.

  • Click Security Policy.

  • Navigate to Security Policy Subscription, click Edit Settings.

  • Click Email notifications.

  • Set Send email notification for high severity alerts to On.

  • Click Save.

CLI

To set Send email notification for high severity alerts to On, use the following command:

$ az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview" -d @payload.json'

Where payload.json contains the request body JSON, detailed below:

{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
  "name": "default1",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<email address>",
    "phone": "<phone number>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}