Enable Email Notification for Alerts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-018

Enable email notification for alerts so that they are sent to the security contact email address or addresses defined within the Azure Security Center settings. Before enabling the "Email Notification for Alerts" feature, make sure that at least one security contact email address is provided. The contact information provided will be used by Azure Security Center to contact you if the Microsoft Security Response Center (MSRC) detects security issues, such as Remote Desktop Protocol (RDP) attacks or customer data accessed by an unauthorized party. MSRC performs in-depth security monitoring of the Azure network and infrastructure and receives threat intelligence and abuse complaints from third-party partners.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

By enabling the "Email Notification for Alerts" feature, you make sure that the right people get notified when potential security risks are identified in your Azure account, so that they are able to mitigate the risks in a timely fashion.


Audit

To determine if sending email notification for alerts is enabled within Azure Security Center settings, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On the Pricing & settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Email notifications to access the page with the contact information required to receive alert notifications from Microsoft Azure Security Center.

06 In the Notification types section, check the configuration of the Notify about alerts with the following severity (or higher) setting. If the setting is not active (i.e. it cannot be configured), follow this conformity rule to set at least one security contact email address for Azure Security Center notifications. If Notify about alerts with the following severity (or higher) is unchecked, the "Email Notification for Alerts" security feature is not enabled within the current Azure cloud subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Run the account get-access-token command (Windows/macOS/Linux) using custom query filters to retrieve the "Email Notification for Alerts" security feature configuration status for the selected Azure subscription:

# xargs passes the two tsv fields to bash: $0 = subscription ID, $1 = access token.
# jq reads alertNotifications from the contact named default1, the contact used in the remediation request.
az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview"' | jq '.value[] | select(.name == "default1") | .properties.alertNotifications'

02 The command output should return the requested configuration status:

"Off"

If the command output returns "Off", as shown in the example above, sending email notification for alerts is not enabled within the Azure Security Center settings, in the selected Microsoft Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your account.
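
The audit above reads one value per subscription. As an added example (not part of the original page or of Conformity's own tooling), the Python below evaluates saved securityContacts list responses for several subscriptions and also flags the precondition the rule depends on: a contact with an email address must exist. The sample responses, subscription placeholders and function names are constructed for illustration, and reporting every contact with notifications off is an assumption.

```python
import json


def _contact(email, alerts):
    # Builds one constructed securityContacts entry (placeholder values only).
    return {"name": "default1", "type": "Microsoft.Security/securityContacts",
            "properties": {"email": email, "phone": "",
                           "alertNotifications": alerts, "alertsToAdmins": alerts}}


# Constructed sample responses keyed by placeholder subscription IDs, shaped
# like the securityContacts list output retrieved by the audit command.
SAMPLE_RESPONSES = {
    "<subscription-a>": json.dumps({"value": [_contact("secops@example.com", "On")]}),
    "<subscription-b>": json.dumps({"value": [_contact("secops@example.com", "Off")]}),
    "<subscription-c>": json.dumps({"value": []}),   # no contact defined at all
    "<subscription-d>": json.dumps({"value": [_contact("", "On")]}),
}


def audit_contacts(raw_json):
    """Return the findings for one subscription; an empty list means compliant."""
    try:
        contacts = json.loads(raw_json)["value"]
    except (ValueError, KeyError, TypeError):
        # Covers invalid JSON and error bodies that carry no "value" array.
        return ["response is not a securityContacts list"]
    if not contacts:
        # Matches the console case where the setting cannot be configured.
        return ["no security contact configured"]
    findings = []
    for contact in contacts:
        name = contact.get("name", "<unnamed>")
        props = contact.get("properties") or {}
        if not (props.get("email") or "").strip():
            findings.append(f"{name}: no security contact email address")
        # Assumption: any contact with notifications off is reported.
        if props.get("alertNotifications") != "On":
            state = props.get("alertNotifications")
            findings.append(f"{name}: alertNotifications is {state!r}, expected 'On'")
    return findings


def audit_all(responses):
    """Audit every subscription's saved response."""
    return {sub: audit_contacts(raw) for sub, raw in responses.items()}


if __name__ == "__main__":
    for sub, findings in audit_all(SAMPLE_RESPONSES).items():
        print(sub, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```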

Remediation / Resolution

To enable email notification for alerts in the Azure Security Center settings, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On the Pricing & settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Email notifications to access the page with the contact information required to receive alert notifications from Microsoft Azure Security Center.

06 In the Notification types section, check the checkbox next to Notify about alerts with the following severity (or higher) to send email notification for alerts to the email address(es) provided in the Email address configuration box.

07 Click Save to apply the changes. When Azure Security Center detects security breaches inside your Azure cloud account, the subscription administrator(s) will receive alert notifications at the configured security contact email address(es).

08 If required, repeat steps no. 4 – 7 for the other Microsoft Azure cloud subscriptions available.

Using Azure CLI and PowerShell

01 Define the necessary parameters for the account get-access-token command, where the alertNotifications configuration attribute is set to On in order to enable the "Email Notification for Alerts" feature. Save the following content to a JSON file named enable-high-severity-alerts.json and replace the highlighted details, i.e. <azure-subscription-id>, <security-email-address> and <security-phone-number>, with your own configuration and contact information:

{
   "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default1",
   "name": "default1",
   "type": "Microsoft.Security/securityContacts",
   "properties": {
      "email": "<security-email-address>",
      "phone": "<security-phone-number>",
      "alertNotifications": "On",
      "alertsToAdmins": "On"
   }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step (i.e. the enable-high-severity-alerts.json file) to enable email notification for alerts for the selected Microsoft Azure cloud subscription:

# xargs passes the two tsv fields to bash: $0 = subscription ID, $1 = access token.
# Run from the directory that contains enable-high-severity-alerts.json.
az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview" -d @enable-high-severity-alerts.json'

03 If successful, the command output should return the updated Security Center configuration policy, e.g.:

{
   "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default1",
   "name": "default1",
   "type": "Microsoft.Security/securityContacts",
   "properties": {
      "email": "<security-email-address>",
      "phone": "<security-phone-number>",
      "alertNotifications": "On",
      "alertsToAdmins": "On"
   }
}

04 If required, repeat steps no. 1 – 3 for the other Microsoft Azure cloud subscriptions available.

Publication date May 31, 2019
