Defender for Cloud notification contact not set

March 21, 2025 ยท View on GitHub

SYNOPSIS

Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified.

DESCRIPTION

Microsoft Defender for Cloud allows one or more email addresses to be specified for receiving security alerts. This is in addition to subscription owners or other configured role.

Directing security notifications to the correct party enables triage and response to security incidents in a timely manner.

RECOMMENDATION

Consider configuring a security notification email address to assist timely notification and incident response.

EXAMPLES

Configure with Azure template

To deploy subscriptions that pass this rule:

  • Set the properties.emails property to an email address for security incident response.

For example:

{
  "type": "Microsoft.Security/securityContacts",
  "apiVersion": "2023-12-01-preview",
  "name": "default",
  "properties": {
    "isEnabled": true,
    "notificationsByRole": {
      "roles": [
        "Owner"
      ],
      "state": "On"
    },
    "emails": "security@contoso.com",
    "notificationsSources": [
      {
        "sourceType": "Alert",
        "minimalSeverity": "High"
      },
      {
        "sourceType": "AttackPath",
        "minimalRiskLevel": "High"
      }
    ]
  }
}

Configure with Bicep

To deploy subscriptions that pass this rule:

  • Set the properties.emails property to an email address for security incident response.

For example:

resource securityContact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {
  name: 'default'
  properties: {
    isEnabled: true
    notificationsByRole: {
      roles: [
        'Owner'
      ]
      state: 'On'
    }
    emails: 'security@contoso.com'
    notificationsSources: [
      {
        sourceType: 'Alert'
        minimalSeverity: 'High'
      }
      {
        sourceType: 'AttackPath'
        minimalRiskLevel: 'High'
      }
    ]
  }
}

Configure with Azure CLI

az security contact update -n 'default' --emails 'security@contoso.com'