Security Center ‘Send email notification for high severity alerts’ should be enabled

Description

Security Center email notifications ensure that the appropriate individuals in an organization are notified when issues occur, speeding up time to remediation. If using the Azure CLI or API, notifications are sent for “high” or greater severity alerts. If using the Azure Portal, users have the additional option of configuring the severity level.

Azure Portal

  • Navigate to Security Center.

  • In the left navigation, select Pricing & settings.

  • Select the relevant subscription and in the left navigation, select Email notifications.

  • In the Email recipients section:

    • Select the role.

    • Enter any additional email addresses.

  • In the Notification types section:

    • Check the Notify about alerts with the following severity (or higher) checkbox and select High from the drop-down.

  • Click Save.

Azure CLI

  • To enable email notifications for high severity alerts, PUT the security contact resource (the input.json body below) using an access token for the subscription:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

  • In input.json, enter your subscription ID and a valid email address:

{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
  "name": "default1",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<validEmailAddress>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}
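The following is an added Python example, not part of this page and not Microsoft's code, that audits the setting the way a compliance scanner would: it evaluates the JSON returned by a GET on the securityContacts collection (the same api-version and field names as the input.json above) and reports why a subscription fails, including the case where alertNotifications is On but no recipient is configured. It also builds the input.json body for the remediating PUT. The response shape and the two sample responses are constructed assumptions based only on the fields shown on this page.

```python
import json

# Constructed sample of a GET on
# https://management.azure.com/subscriptions/<id>/providers/Microsoft.Security/securityContacts
# ?api-version=2017-08-01-preview (assumed "value" list wrapper; not real data).
COMPLIANT_RESPONSE = json.loads("""
{
  "value": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/default1",
      "name": "default1",
      "type": "Microsoft.Security/securityContacts",
      "properties": {"email": "secops@example.com", "alertNotifications": "On", "alertsToAdmins": "On"}
    }
  ]
}
""")

# Constructed failing sample: default1 is switched off, and default2 is "On"
# but has nobody to deliver to (no email and alertsToAdmins is Off).
NONCOMPLIANT_RESPONSE = json.loads("""
{
  "value": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/default1",
      "name": "default1",
      "type": "Microsoft.Security/securityContacts",
      "properties": {"email": "", "alertNotifications": "Off", "alertsToAdmins": "Off"}
    },
    {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/default2",
      "name": "default2",
      "type": "Microsoft.Security/securityContacts",
      "properties": {"email": "", "alertNotifications": "On", "alertsToAdmins": "Off"}
    }
  ]
}
""")


def _contact_problems(props):
    """Return the reasons one securityContact does not satisfy the recommendation."""
    problems = []
    alerts = str(props.get("alertNotifications", "")).strip().lower()
    admins = str(props.get("alertsToAdmins", "")).strip().lower()
    email = str(props.get("email", "")).strip()
    if alerts != "on":
        problems.append(
            f"alertNotifications is {props.get('alertNotifications', 'unset')!r}, expected 'On'"
        )
    # "On" is meaningless without a recipient: either an address or the subscription admins.
    if not email and admins != "on":
        problems.append("no email address configured and alertsToAdmins is not 'On', so alerts have no recipient")
    return problems


def evaluate_security_contacts(response):
    """Return a list of findings for the subscription; an empty list means every contact is fine."""
    contacts = response.get("value") or []
    if not contacts:
        return ["no securityContacts resource is defined, so nobody is notified about alerts"]
    findings = []
    for contact in contacts:
        name = contact.get("name", "<unnamed>")
        for problem in _contact_problems(contact.get("properties") or {}):
            findings.append(f"{name}: {problem}")
    return findings


def is_compliant(response):
    """True when at least one contact has alertNotifications On and an actual recipient."""
    return any(
        not _contact_problems(c.get("properties") or {})
        for c in (response.get("value") or [])
    )


def remediation_body(subscription_id, email):
    """Build the input.json body used by the PUT shown above (same fields as the page)."""
    if "@" not in email:
        raise ValueError("a valid email address is required")
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/securityContacts/default1",
        "name": "default1",
        "type": "Microsoft.Security/securityContacts",
        "properties": {"email": email, "alertNotifications": "On", "alertsToAdmins": "On"},
    }


if __name__ == "__main__":
    for label, resp in (("compliant", COMPLIANT_RESPONSE), ("noncompliant", NONCOMPLIANT_RESPONSE)):
        print(label, "->", "PASS" if is_compliant(resp) else "FAIL")
        for finding in evaluate_security_contacts(resp):
            print("  ", finding)
    print(json.dumps(remediation_body("<Your_Subscription_Id>", "secops@example.com"), indent=2))
```

Run it against the real response by replacing the constructed samples with the output of a GET using the same token flow as the PUT above; the check deliberately fails a contact that is "On" with no recipient, since that state satisfies a naive string match but still notifies no one.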

Azure Resource Manager

{
  "properties": {
    "alertNotifications": "On"
  }
}

Example Configuration

{
  "type": "Microsoft.Security/securityContacts",
  "apiVersion": "2017-08-01-preview",
  "name": "SecurityContactSettings",
  "properties": {
    "alertNotifications": "On"
  }
  # other required fields here
}