Defender for Cloud notification contact not set
March 21, 2025
SYNOPSIS
Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified.
DESCRIPTION
Microsoft Defender for Cloud allows one or more email addresses to be specified for receiving security alerts. This is in addition to subscription owners or other configured roles.
Directing security notifications to the correct party enables triage and response to security incidents in a timely manner.
RECOMMENDATION
Consider configuring a security notification email address to support timely notification and incident response.
EXAMPLES
Configure with Azure template
To deploy subscriptions that pass this rule:
- Set the properties.emails property to an email address for security incident response.
For example:
{
  "type": "Microsoft.Security/securityContacts",
  "apiVersion": "2023-12-01-preview",
  "name": "default",
  "properties": {
    "isEnabled": true,
    "notificationsByRole": {
      "roles": [
        "Owner"
      ],
      "state": "On"
    },
    "emails": "security@contoso.com",
    "notificationsSources": [
      {
        "sourceType": "Alert",
        "minimalSeverity": "High"
      },
      {
        "sourceType": "AttackPath",
        "minimalRiskLevel": "High"
      }
    ]
  }
}
Configure with Bicep
To deploy subscriptions that pass this rule:
- Set the properties.emails property to an email address for security incident response.
For example:
resource securityContact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {
  name: 'default'
  properties: {
    isEnabled: true
    notificationsByRole: {
      roles: [
        'Owner'
      ]
      state: 'On'
    }
    emails: 'security@contoso.com'
    notificationsSources: [
      {
        sourceType: 'Alert'
        minimalSeverity: 'High'
      }
      {
        sourceType: 'AttackPath'
        minimalRiskLevel: 'High'
      }
    ]
  }
}
Configure with Azure CLI
az security contact update -n 'default' --emails 'security@contoso.com'
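As an added example that is not part of PSRule for Azure or this page, the check below applies the rule's intent to an ARM template before deployment: it flags a template with no securityContacts resource, an empty properties.emails value, a disabled contact, or no Alert notification source. The sample templates are constructed inline, and the semicolon-separated layout of properties.emails is an assumption about the API.

```python
import re

# Constructed sample inputs (not from the page): the contact from the example above,
# one where emails was left empty, and one template with no security contact at all.
TEMPLATE_OK = {"resources": [{
    "type": "Microsoft.Security/securityContacts", "name": "default",
    "properties": {"isEnabled": True, "emails": "security@contoso.com",
                   "notificationsSources": [{"sourceType": "Alert", "minimalSeverity": "High"}]}}]}
TEMPLATE_EMPTY_EMAIL = {"resources": [{
    "type": "Microsoft.Security/securityContacts", "name": "default",
    "properties": {"isEnabled": True, "emails": "",
                   "notificationsSources": [{"sourceType": "Alert", "minimalSeverity": "High"}]}}]}
TEMPLATE_NO_CONTACT = {"resources": [{"type": "Microsoft.Storage/storageAccounts", "name": "st1"}]}

# Loose shape check for one address; several addresses are assumed to arrive as one ';'-joined string.
EMAIL_RE = re.compile(r"^[^@\s;]+@[^@\s;]+\.[^@\s;]+$")


def check_contact(resource):
    """Return findings for one securityContacts resource; an empty list means it passes."""
    findings = []
    props = resource.get("properties") or {}
    if props.get("isEnabled") is not True:
        findings.append("properties.isEnabled is not true, so no notifications are sent")
    addresses = [a.strip() for a in str(props.get("emails", "")).split(";") if a.strip()]
    if not addresses:
        findings.append("properties.emails is empty: alerts go only to role-based recipients")
    findings.extend(f"malformed address in properties.emails: {a}" for a in addresses if not EMAIL_RE.match(a))
    sources = {s.get("sourceType") for s in props.get("notificationsSources") or []}
    if "Alert" not in sources:
        findings.append("no 'Alert' entry in notificationsSources: security alerts are not emailed")
    return findings


def check_template(template):
    """Evaluate every securityContacts resource in an ARM template, keyed by resource name.
    A template with no such resource gets a single finding under the key '<missing>'."""
    results = {}
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() == "microsoft.security/securitycontacts":
            results[res.get("name", "?")] = check_contact(res)
    if not results:
        results["<missing>"] = ["no Microsoft.Security/securityContacts resource in template"]
    return results


if __name__ == "__main__":
    for label, tpl in [("ok", TEMPLATE_OK), ("empty-email", TEMPLATE_EMPTY_EMAIL), ("no-contact", TEMPLATE_NO_CONTACT)]:
        for name, findings in check_template(tpl).items():
            print(f"{label}/{name}: {'PASS' if not findings else '; '.join(findings)}")
```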