Fixed properties used by Azure.DefenderCloud.Contact #3117 (#3161)

docs/CHANGELOG-v1.md

@@ -29,6 +29,12 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 ## Unreleased
 
+- Updated rules:
+  - Microsoft Defender for Cloud:
+    - Updated `Azure.DefenderCloud.Contact` to use `emails` property and removed `phone` by @BernieWhite.
+      [#3117](https://github.com/Azure/PSRule.Rules.Azure/issues/3117)
+      - Renamed rule to `Azure.Defender.SecurityContact` to better align with naming for defender rules.
+      - Bumped rule set to `2024_12`.
 - Bug fixes:
   - Fixed evaluation of `Azure.NSG.LateralTraversal` with empty string properties by @BernieWhite.
     [#3130](https://github.com/Azure/PSRule.Rules.Azure/issues/3130)

docs/en/rules/Azure.Defender.SecurityContact.md

@@ -0,0 +1,109 @@
+---
+severity: Important
+pillar: Security
+category: SE:12 Incident response
+resource: Microsoft Defender for Cloud
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Defender.SecurityContact/
+ms-content-id: 18fcf75f-a5e6-4a34-baba-74bd49502cd7
+---
+
+# Defender for Cloud notification contact not set
+
+## SYNOPSIS
+
+Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified.
+
+## DESCRIPTION
+
+Microsoft Defender for Cloud allows one or more email addresses to be specified for receiving security alerts.
+This is in addition to subscription owners or other configured role.
+
+Directing security notifications to the correct party enables triage and response to security incidents in a timely manner.
+
+## RECOMMENDATION
+
+Consider configuring a security notification email address to assist timely notification and incident response.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy subscriptions that pass this rule:
+
+- Set the `properties.emails` property to an email address for security incident response.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.Security/securityContacts",
+  "apiVersion": "2023-12-01-preview",
+  "name": "default",
+  "properties": {
+    "isEnabled": true,
+    "notificationsByRole": {
+      "roles": [
+        "Owner"
+      ],
+      "state": "On"
+    },
+    "emails": "[email protected]",
+    "notificationsSources": [
+      {
+        "sourceType": "Alert",
+        "minimalSeverity": "High"
+      },
+      {
+        "sourceType": "AttackPath",
+        "minimalRiskLevel": "High"
+      }
+    ]
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy subscriptions that pass this rule:
+
+- Set the `properties.emails` property to an email address for security incident response.
+
+For example:
+
+```bicep
+resource securityContact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {
+  name: 'default'
+  properties: {
+    isEnabled: true
+    notificationsByRole: {
+      roles: [
+        'Owner'
+      ]
+      state: 'On'
+    }
+    emails: '[email protected]'
+    notificationsSources: [
+      {
+        sourceType: 'Alert'
+        minimalSeverity: 'High'
+      }
+      {
+        sourceType: 'AttackPath'
+        minimalRiskLevel: 'High'
+      }
+    ]
+  }
+}
+```
+
+### Configure with Azure CLI
+
+```bash
+az security contact update -n 'default' --emails '[email protected]'
+```
+
+## LINK
+
+- [SE:12 Incident response](https://learn.microsoft.com/azure/well-architected/security/incident-response)
+- [Quickstart: Configure email notifications for security alerts](https://learn.microsoft.com/azure/defender-for-cloud/configure-email-notifications)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.security/securitycontacts)

docs/examples/resources/defender.bicep

@@ -6,20 +6,27 @@ targetScope = 'subscription'
 // Bicep documentation examples
 
 // Configures security contacts to be notified for Microsoft Defender alerts
-resource securityContact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
+resource securityContact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {
   name: 'default'
   properties: {
+    isEnabled: true
     notificationsByRole: {
       roles: [
         'Owner'
       ]
       state: 'On'
     }
     emails: '[email protected]'
-    alertNotifications: {
-      minimalSeverity: 'High'
-      state: 'On'
-    }
+    notificationsSources: [
+      {
+        sourceType: 'Alert'
+        minimalSeverity: 'High'
+      }
+      {
+        sourceType: 'AttackPath'
+        minimalRiskLevel: 'High'
+      }
+    ]
   }
 }
 

docs/examples/resources/defender.json

@@ -5,26 +5,33 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "2395927344385178299"
+      "templateHash": "7941752543000454149"
     }
   },
   "resources": [
     {
       "type": "Microsoft.Security/securityContacts",
-      "apiVersion": "2020-01-01-preview",
+      "apiVersion": "2023-12-01-preview",
       "name": "default",
       "properties": {
+        "isEnabled": true,
         "notificationsByRole": {
           "roles": [
             "Owner"
           ],
           "state": "On"
         },
         "emails": "[email protected]",
-        "alertNotifications": {
-          "minimalSeverity": "High",
-          "state": "On"
-        }
+        "notificationsSources": [
+          {
+            "sourceType": "Alert",
+            "minimalSeverity": "High"
+          },
+          {
+            "sourceType": "AttackPath",
+            "minimalRiskLevel": "High"
+          }
+        ]
       }
     },
     {

src/PSRule.Rules.Azure/en/PSRule-rules.psd1

@@ -26,7 +26,7 @@
     AccessPolicyLeastPrivilege = "One or more access policies grant all or purge permission."
     DiagnosticSettingsNotConfigured = "Diagnostic settings are not configured."
     DiagnosticSettingsLoggingNotConfigured = "Diagnostic settings is not configured to log events for '{0}'."
-    SecurityCenterNotConfigured = "Security Center is not configured."
+    SecurityContactsNotConfigured = "Security contacts are not configured."
     LateralTraversalNotRestricted = "A rule to limit lateral traversal was not found."
     AllInboundRestricted = "The first inbound rule denies traffic from all sources."
     APIMProductSubscription = "The product '{0}' does not require a subscription to use."

src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1

@@ -8,13 +8,18 @@
 #region Rules
 
 # Synopsis: Microsoft Defender for Cloud email and phone contact details should be set
-Rule 'Azure.DefenderCloud.Contact' -Alias 'Azure.SecurityCenter.Contact' -Ref 'AZR-000209' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
-    Reason $LocalizedData.SecurityCenterNotConfigured;
-    $contacts = @(GetSubResources -ResourceType 'Microsoft.Security/securityContacts');
-    $Null -ne $contacts -and $contacts.Length -gt 0;
+Rule 'Azure.Defender.SecurityContact' -Alias 'Azure.DefenderCloud.Contact', 'Azure.SecurityCenter.Contact' -Ref 'AZR-000209' -Type 'Microsoft.Subscription', 'Microsoft.Security/securityContacts' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } {
+    $contacts = @($TargetObject);
+    if ($PSRule.TargetType -eq 'Microsoft.Subscription') {
+        $contacts = @(GetSubResources -ResourceType 'Microsoft.Security/securityContacts');
+    }
+
+    if ($contacts.Length -eq 0) {
+        return $Assert.Fail($LocalizedData.SecurityContactsNotConfigured);
+    }
+
     foreach ($c in $contacts) {
-        $Assert.HasFieldValue($c, 'Properties.Email')
-        $Assert.HasFieldValue($c, 'Properties.Phone');
+        $Assert.HasFieldValue($c, 'properties.emails')
     }
 }