Defender for Cloud notification contact not set
Security · Microsoft Defender for Cloud · Rule · 2024_12 · Important
Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified.
Description
Microsoft Defender for Cloud allows one or more email addresses to be specified for receiving security alerts. These addresses are notified in addition to subscription owners or other configured roles.
Directing security notifications to the correct party enables triage and response to security incidents in a timely manner.
Recommendation
Consider configuring a security notification email address to assist timely notification and incident response.
Examples
Configure with Azure template
To deploy subscriptions that pass this rule:
- Set the properties.emails property to an email address for security incident response.
For example:
Azure Template snippet
{
  "type": "Microsoft.Security/securityContacts",
  "apiVersion": "2023-12-01-preview",
  "name": "default",
  "properties": {
    "isEnabled": true,
    "notificationsByRole": {
      "roles": [
        "Owner"
      ],
      "state": "On"
    },
    "emails": "security@contoso.com",
    "notificationsSources": [
      {
        "sourceType": "Alert",
        "minimalSeverity": "High"
      },
      {
        "sourceType": "AttackPath",
        "minimalRiskLevel": "High"
      }
    ]
  }
}
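A pre-deployment check for the setting above, as an added example that is not part of the rule's own implementation: it scans an ARM template for Microsoft.Security/securityContacts resources and reports any whose properties.emails is missing or blank. It assumes literal values (template expressions are not evaluated) and that multiple addresses are separated by ';' or ','; the sample templates and function names are constructed for illustration.

```python
import json

CONTACT_TYPE = "Microsoft.Security/securityContacts"

# Constructed sample templates: one that sets a contact, one that leaves it blank.
PASSING = json.loads("""
{"resources": [{"type": "Microsoft.Security/securityContacts",
  "apiVersion": "2023-12-01-preview", "name": "default",
  "properties": {"isEnabled": true, "emails": "security@contoso.com"}}]}
""")
FAILING = json.loads("""
{"resources": [{"type": "Microsoft.Security/securityContacts",
  "apiVersion": "2023-12-01-preview", "name": "default",
  "properties": {"isEnabled": true, "emails": "  "}}]}
""")


def contact_addresses(resource):
    """Return the non-empty addresses found in properties.emails.

    Assumption: several addresses are separated by ';' or ','.
    """
    raw = (resource.get("properties") or {}).get("emails")
    if not isinstance(raw, str):
        return []
    parts = raw.replace(",", ";").split(";")
    return [p.strip() for p in parts if p.strip()]


def check_template(template):
    """Return a list of findings; an empty list means the check passes."""
    contacts = [r for r in template.get("resources", [])
                if str(r.get("type", "")).lower() == CONTACT_TYPE.lower()]
    if not contacts:
        # Choice made by this example: a template without the resource is reported.
        return [f"no {CONTACT_TYPE} resource defined"]
    findings = []
    for r in contacts:
        if not contact_addresses(r):
            findings.append(f"{r.get('name', '<unnamed>')}: properties.emails is not set")
    return findings


if __name__ == "__main__":
    for label, tpl in (("passing", PASSING), ("failing", FAILING)):
        print(label, check_template(tpl) or "OK")
```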
Configure with Bicep
To deploy subscriptions that pass this rule:
- Set the properties.emails property to an email address for security incident response.
For example:
Azure Bicep snippet
resource securityContact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {
  name: 'default'
  properties: {
    isEnabled: true
    notificationsByRole: {
      roles: [
        'Owner'
      ]
      state: 'On'
    }
    emails: 'security@contoso.com'
    notificationsSources: [
      {
        sourceType: 'Alert'
        minimalSeverity: 'High'
      }
      {
        sourceType: 'AttackPath'
        minimalRiskLevel: 'High'
      }
    ]
  }
}
Configure with Azure CLI
Links
- SE:12 Incident response
- Quickstart: Configure email notifications for security alerts
- Azure deployment reference