Control: 2.1.20 Ensure That 'Notify about alerts with the following severity' is Set to 'High'

Description

Enables emailing security alerts to the subscription owner or other designated security contact.

Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.

Remediation

From Azure Portal

1. From Azure Home select the Portal Menu.
2. Select Microsoft Defender for Cloud.
3. Click on Environment Settings.
4. Click on the appropriate Management Group, Subscription, or Workspace.
5. Click on Email notifications.
6. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher): and select High from the drop down menu.
7. Click Save.

From Azure CLI

Use the below command to set Send email notification for high severity alerts to On.

az account get-access-token --query
"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type:
application/json"
https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/ securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{
  "id":"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityC ontacts/default1",
  "name": "default1",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<validEmailAddress>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

Default Value

By default, Notify about alerts with the following severity (or higher): is set to High.