Verify That 'Notify about alerts with the following severity' is Set to 'High'
Last updated: April 9, 2026
Framework Reference: A.5.25
Integration: Azure – Microsoft Defender for Cloud
Why this matters
Enabling security alert notifications ensures that designated security contacts or subscription owners are notified of high-severity threats in real time. This allows your team to quickly respond to incidents, reducing the potential damage from compromised resources or ongoing attacks.
What this check does
Check Logic
Verifies that the security contact settings have:
alertNotifications set to "On"
alertsToAdmins set to "On"
minimalSeverity set appropriately (e.g., High)
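The three conditions above can be evaluated offline against exported security contact settings. The following is an added example, not code from this page or from Microsoft. The `{"value": [...]}` response wrapper, the subscription labels, the e-mail address, and the rule that one fully compliant contact is enough are assumptions made for illustration.

```python
import json

# Constructed sample input: one list response per hypothetical subscription.
# The {"value": [...]} wrapper and all names/addresses are assumptions.
SAMPLE = json.loads("""
{
  "sub-a": {"value": [{"name": "default", "properties": {
      "email": "secops@example.com", "alertNotifications": "On",
      "alertsToAdmins": "On", "minimalSeverity": "High"}}]},
  "sub-b": {"value": [{"name": "default", "properties": {
      "email": "secops@example.com", "alertNotifications": "On",
      "alertsToAdmins": "Off"}}]},
  "sub-c": {"value": []}
}
""")

def is_on(value):
    # Compare case-insensitively so "on" and "On" are treated alike (assumption).
    return isinstance(value, str) and value.strip().lower() == "on"

def contact_failures(props, accepted=("High",)):
    """Return the conditions from the check logic that this contact fails."""
    failures = []
    for key in ("alertNotifications", "alertsToAdmins"):
        if not is_on(props.get(key)):
            failures.append(f"{key} is not On")
    severity = props.get("minimalSeverity")
    if severity not in accepted:
        failures.append(f"minimalSeverity is {severity!r}")
    return failures

def subscription_failures(response, accepted=("High",)):
    """A subscription passes when at least one contact meets every condition."""
    contacts = response.get("value") or []
    if not contacts:
        return ["no security contact configured"]
    per_contact = [contact_failures(c.get("properties") or {}, accepted)
                   for c in contacts]
    return min(per_contact, key=len)  # closest-to-compliant contact

def audit(responses, accepted=("High",)):
    return {sub: subscription_failures(r, accepted) for sub, r in responses.items()}

if __name__ == "__main__":
    for sub, failures in audit(SAMPLE).items():
        print(sub, "PASS" if not failures else "FAIL: " + "; ".join(failures))
```

Pass a different `accepted` tuple if your policy treats a lower threshold as compliant.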
Applies to
All Azure subscriptions using Microsoft Defender for Cloud
How to fix it
Azure Portal
Go to Microsoft Defender for Cloud
Under Management, select Environment settings
Click on the appropriate Subscription
Click Email notifications
Check the box Notify about alerts with the following severity (or higher)
Select an appropriate severity level (e.g., High)
Click Save
Repeat for each subscription
Azure CLI
Prepare a file named input.json:
{
  "id": "/subscriptions/<subscriptionId>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<validEmailAddress>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}
Then run:
# xargs passes the subscription ID as $0 and the access token as $1 to the inner shell
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c \
  'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
  "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2017-08-01-preview" \
  -d@"input.json"'
PowerShell
Not officially documented; CLI or Portal is preferred.
Exceptions
None