Description:

The 'Notify about alerts with the following severity (or higher)' setting in Microsoft Defender for Cloud enables automated notifications for security alerts based on their severity level. This feature helps ensure that your security team is promptly notified about critical security events, allowing them to take immediate action to mitigate potential threats. By specifying the severity level (e.g., Low, Medium, High), you configure the system to notify you about alerts that meet or exceed the defined severity threshold.

Rationale:

Enabling alert notifications based on severity ensures that your team is focused on the most critical security issues. This helps to prioritize response efforts and supports compliance with regulatory requirements, such as SOC 2, HIPAA, and NIST, which mandate prompt detection and remediation of security incidents. By automating notifications for alerts of the specified severity, you can proactively manage security risks and reduce the chance of a breach going unnoticed.

Impact:

Enabling this feature improves your organization's security posture by ensuring that alerts are acted upon in a timely manner. However, configuring notifications for high-severity alerts may result in a higher volume of alerts that need to be reviewed by your security team. The feature ensures that no critical alerts are missed, but you may need to tune your alerting thresholds to avoid excessive noise from lower-severity issues.

Default Value:

By default, alert notifications based on severity are disabled in Microsoft Defender for Cloud and need to be explicitly configured.

Pre-requisites:

  • Microsoft Defender for Cloud: Ensure that Microsoft Defender for Cloud is enabled for your environment.

  • Permissions: Ensure you have Owner or Contributor role permissions to configure alert notifications in Microsoft Defender for Cloud.

  • Alert Severity Levels: Be aware of the different alert severity levels (e.g., Low, Medium, High) and how they correspond to the priority of security events.

Remediation:

Steps to Ensure 'Notify About Alerts with the Following Severity (or Higher)' is Enabled (Azure portal):

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • In the Azure portal, go to Microsoft Defender for Cloud and select it.

  3. Go to Environment Settings:

    • In the Microsoft Defender for Cloud dashboard, click on Environment settings under the Management section.

  4. Configure Alert Notifications:

    • Under Security policy settings, find the Alert Severity Notification option.

    • Enable the notification setting by toggling it to On.

  5. Set Severity Threshold:

    • Specify the severity level (e.g., Medium, High) for which you want to receive alerts. Configure the system to notify you about alerts with the defined severity or higher.

  6. Save Settings:

    • After configuring the severity threshold and enabling notifications, save the changes. Microsoft Defender for Cloud will now send notifications for alerts with the specified severity or higher.

Automated Implementation Using Azure CLI:

You can also automate this process with the Azure CLI. The setting lives on the subscription's security contact resource, so it is configured with az security contact (replace the e-mail address with your team's address):

az security contact create --name "default" --emails "secops@example.com" --alert-notifications '{"state":"On","minimalSeverity":"High"}' --notifications-by-role '{"state":"On","roles":["Owner"]}'


This command creates or updates the default security contact and enables notifications for High severity alerts, delivered to the listed e-mail address and to subscription Owners. You can replace "High" with "Medium" or "Low" based on your organization's needs; a lower minimal severity means more alerts are notified.
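An added audit check, not part of this document, that evaluates the setting from the JSON printed by az security contact show --name default -o json. The field names (alertNotifications.state, alertNotifications.minimalSeverity, emails, notificationsByRole) are those of the securityContacts resource; accepting both the CLI's flattened output and the REST API's nested properties shape is an assumption, and the sample outputs are constructed.

```python
"""Compliance check for 'Notify about alerts with the following severity (or higher)'.
Input: the JSON printed by `az security contact show --name default -o json`
(a Microsoft.Security/securityContacts resource; the CLI flattens `properties`
to the top level, the REST API keeps them nested, both shapes are accepted)."""
import json

# A contact set to "Low" is notified about Low, Medium and High alerts; one set
# to "High" only about High alerts. Higher rank = narrower notification.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


def evaluate_contact(contact, required_severity="High"):
    """Finding for one security contact: compliant when alert notifications are
    On, minimalSeverity is no stricter than required_severity (so that level and
    everything above it is notified) and at least one recipient exists."""
    props = contact.get("properties", contact)
    alerts = props.get("alertNotifications") or {}
    state = str(alerts.get("state", "Off"))
    minimal = str(alerts.get("minimalSeverity", ""))
    emails = [e.strip() for e in str(props.get("emails") or "").split(";") if e.strip()]
    by_role = props.get("notificationsByRole") or {}
    roles = list(by_role.get("roles") or []) if str(by_role.get("state")) == "On" else []

    reasons = []
    if state != "On":
        reasons.append("alertNotifications.state is %r, expected 'On'" % state)
    if minimal not in SEVERITY_RANK:
        reasons.append("minimalSeverity %r is not one of Low/Medium/High" % minimal)
    elif SEVERITY_RANK[minimal] > SEVERITY_RANK[required_severity]:
        reasons.append("minimalSeverity %s is stricter than required %s: %s alerts are "
                       "not notified" % (minimal, required_severity, required_severity))
    if not emails and not roles:
        reasons.append("no recipients: emails is empty and notificationsByRole is Off")
    return {"name": contact.get("name", "default"), "compliant": not reasons,
            "reasons": reasons, "emails": emails, "roles": roles}


def evaluate_cli_output(text, required_severity="High"):
    """Parse `az security contact show`/`list` JSON and evaluate every contact."""
    data = json.loads(text)
    return [evaluate_contact(c, required_severity) for c in (data if isinstance(data, list) else [data])]


# Constructed sample CLI output (not captured from a real tenant).
SAMPLE_COMPLIANT = json.dumps({"name": "default", "emails": "secops@example.com;ciso@example.com",
    "alertNotifications": {"state": "On", "minimalSeverity": "Medium"},
    "notificationsByRole": {"state": "On", "roles": ["Owner"]}})
SAMPLE_TOO_STRICT = json.dumps({"name": "default", "emails": "",
    "alertNotifications": {"state": "On", "minimalSeverity": "High"},
    "notificationsByRole": {"state": "Off", "roles": []}})
```

Run evaluate_cli_output on the real CLI output with the severity your policy requires; a finding with an empty reasons list means the subscription passes.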

Backout Plan:

To disable alert notifications for specific severity levels:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • Go to Microsoft Defender for Cloud in the Azure portal.

  3. Go to Environment Settings:

    • In the Microsoft Defender for Cloud dashboard, click on Environment settings.

  4. Disable Severity Notification:

    • In the Alert Severity Notification section, toggle the setting to Off.

  5. Save Settings:

    • Ensure the changes are saved, and the system will no longer send notifications based on severity levels.

References: