
Azure Tip: Set up email notifications for high-severity security alerts in Microsoft Defender for Cloud


See how to set up email notifications for high-severity security alerts triggered by Microsoft Defender for Cloud in an Azure subscription through either Azure PowerShell or the Azure portal in this blog post.

As you may already know, once the enhanced security features (the Microsoft Defender plans) are enabled, Microsoft Defender for Cloud can detect threats and generate security alerts, providing near real-time notification of potential threats and suspicious activities detected on your cloud infrastructure.

The goal of these alerts is to allow cloud or security administrators to quickly identify and respond to security incidents, thereby improving their organization's cloud security posture.

What's good to know is that each alert carries a severity, ranging from low to high, depending on the level of risk posed by the detected security issue. Most important, though, is that, depending on that severity, the right individuals in the organization are actually informed.

These alerts* appear in the Azure portal, and Microsoft Defender for Cloud can also send them by email to the relevant personnel in your organization. Alerts can also be streamed to SIEM, SOAR, or IT Service Management solutions as required.

*This reference guide provides a detailed list of all security alerts you may receive from Microsoft Defender for Cloud and any Microsoft Defender plans: Security alerts – a reference guide


When you prefer email, keep in mind that, by default, only users holding the Owner role on the Azure subscription receive an email, and only when a high-severity alert is triggered for that subscription in Microsoft Defender for Cloud.


However, for some Azure subscriptions, it can be necessary to add other Azure roles or a specific shared mailbox, like the one used by your general administrators, resource administrators, or support engineers.

In this way, those people are also informed about these alerts, and, if you choose so, about alerts with a lower severity as well.

Although you can configure and customize these extra security contacts via the REST API, this is mostly an automated action performed with Azure PowerShell or a manual action you perform via the Azure portal whenever you onboard a new Azure subscription into Microsoft Defender for Cloud.


Configure with Azure PowerShell

By configuring the security contacts for Microsoft Defender for Cloud using Azure PowerShell, you can automate this step programmatically instead of clicking through the portal for every subscription. The cmdlets used below come from the Az PowerShell module (Az.Accounts and Az.Security), so make sure it is installed.

To do so, in my example, I will use Windows Terminal, but you can also use Visual Studio Code or the Azure Cloud Shell.

Launch Windows Terminal and execute the Connect-AzAccount cmdlet to connect to Azure using an authenticated account.

Connect-AzAccount



Then set the right subscription context by running the Set-AzContext cmdlet.

Set-AzContext -Subscription "<your subscription name here>"



Next, run the Set-AzSecurityContact cmdlet once per extra security contact email address. The -NotifyOnAlert switch makes the cmdlet send alert emails to the specified address, and the -AlertAdmin switch keeps the default behavior of also notifying the subscription owners.

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Configure security contacts

## First extra security contact: receives alert emails (-NotifyOnAlert); subscription owners keep receiving them too (-AlertAdmin)
Set-AzSecurityContact -Name "<your first security contact name here>" -Email "<your first email address here>" -AlertAdmin -NotifyOnAlert

## Second extra security contact, configured the same way
Set-AzSecurityContact -Name "<your second security contact name here>" -Email "<your second email address here>" -AlertAdmin -NotifyOnAlert

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




Configure via the Azure Portal

To add these extra security contacts through the Azure portal, first log on to the portal and type "defender" in the global search box in the top bar. Then select Microsoft Defender for Cloud.


On the Microsoft Defender for Cloud page (blade), scroll down to the Management section and click on Environment settings.


In the management group hierarchy, find the specific subscription. As a tip, you can quickly make all subscriptions visible by expanding the whole hierarchy with the Expand all button (it toggles with Collapse all). When you have found the subscription, click the ellipsis (…) on the right side of the screen and select Edit settings.


Then open Email notifications, which opens the Email notifications page. Here, first specify which roles, next to Owner, need to receive notifications.

To do so, just open the drop-down list next to “All users with the following roles” and select the required Azure roles.


Then, in the second field, enter the email addresses of all other contacts who need to receive those notifications. There’s no limit to the number of email addresses that you can enter; you just need to separate them with commas.


If you also want to be notified about medium- and low-severity alerts in addition to the high-severity ones, select those severities in the drop-down list under Notification types.


To apply your new email notification settings for this Azure subscription, click Save.



Remember to configure the email notification settings separately for each Azure subscription in your environment.
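Because these settings are per subscription, the PowerShell steps above become tedious as soon as you manage more than a handful of them. The following script is an added example, not code from the original post: it applies the same set of security contacts to every enabled subscription the signed-in account can see, using only the Set-AzSecurityContact cmdlet shown earlier, and then reads the configuration back with Get-AzSecurityContact so the result can be audited. The contact names, the mailboxes, and the subscription filter are assumed placeholder values; adjust them for your own tenant.

```powershell
# Added example (not from the original post): configure the same Defender for Cloud
# security contacts on every enabled subscription, then read the configuration back.
# Requires the Az PowerShell module (Az.Accounts and Az.Security).

Connect-AzAccount | Out-Null

# Shared mailboxes that must receive alert emails. Names and addresses are assumed values.
$securityContacts = @(
    @{ Name = "default1"; Email = "secops@contoso.com" }
    @{ Name = "default2"; Email = "cloudadmins@contoso.com" }
)

# Only touch active subscriptions; disabled or warned ones are skipped (assumed filter).
$subscriptions = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" }

foreach ($sub in $subscriptions) {
    Write-Host "Configuring security contacts on subscription '$($sub.Name)' ($($sub.Id))"

    # Switch the context to this subscription; Set-AzSecurityContact works on the current context.
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($contact in $securityContacts) {
        # -NotifyOnAlert: send alert emails to this contact.
        # -AlertAdmin:    keep sending them to the subscription owners as well (the default behavior).
        Set-AzSecurityContact -Name $contact.Name -Email $contact.Email -AlertAdmin -NotifyOnAlert | Out-Null
    }

    # Read back what is now configured so the change can be verified per subscription.
    Get-AzSecurityContact | Select-Object Name, Email | Format-Table -AutoSize
}
```

Run it from the same Windows Terminal, Visual Studio Code, or Azure Cloud Shell session used for the earlier steps. Note that the cmdlet only manages the contact email addresses; extra Azure roles and the minimum alert severity still need to be set in the portal, as described above, or through the REST API.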


Conclusion

Setting up email notifications to inform the right people about high-severity security alerts in Microsoft Defender for Cloud is a crucial step in securing your Azure environment, because it allows those recipients to quickly take the necessary measures to mitigate the risks from these threats and to protect your data, identities, and resources.


So, this should be part of your new subscription’s or landing zone’s onboarding procedure.

When configuring those email notification settings in a customer’s environment, I mostly specify the owner’s role and some IT-management shared mailboxes, such as a general administrator, resource administrator, or support mailbox.

If you have any questions related to the use of Microsoft Defender for Cloud in your environment, feel free to contact me through my Twitter handle (@wmatthyssen) or to just leave a comment. I am always happy to help.

