
Security Contact Emails In Use

Last updated: 22 September 2020
Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-016

Ensure that appropriate contact information, in this case one or more email addresses, is set for the administrator who should be notified when Azure Security Center detects compromised resources within your Microsoft Azure cloud account. The contact information is used by Microsoft to contact your account administrator if the Microsoft Security Response Center (MSRC) discovers that your cloud resources and/or data have been accessed by an unauthorized actor or system.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Azure Security Center strongly recommends that you provide at least one valid security contact email address for each Microsoft Azure subscription that you own. Security Center reaches out to the designated administrator using the defined security contact in case the Microsoft security team finds that your Azure cloud resources are compromised. This ensures that the right people become aware of the potential security risks found, so that they can mitigate these risks in a timely manner.

Audit

To determine if security contact email addresses are defined within Azure Security Center settings, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to the Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On the Pricing & settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Email notifications and check the Email address configuration field. If the Email address field is empty, there are no security contact email addresses defined in the Azure Security Center configuration settings available for the selected Microsoft Azure subscription.

06 Repeat steps no. 4 and 5 for each Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Run the account get-access-token command (Windows/macOS/Linux) using custom query filters to describe the security contact email address or addresses set for Azure Security Center within the current Microsoft Azure subscription:

# xargs passes the subscription ID as $0 and the access token as $1;
# .value[] iterates over every security contact returned by the API.
az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview"' | jq '.value[].properties.email'

02 The command output should return the requested contact information (if any).

""

If the command output returns an empty string, i.e. "", or does not return anything at all, there are no security contact email addresses defined within Azure Security Center settings available for the selected Microsoft Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your account.
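
The audit decision described in the steps above can be automated over the JSON that the securityContacts list call returns. The following is an added example, not Cloud Conformity's or Microsoft's own code: the function name, the result layout and the sample responses are assumptions constructed for illustration, and the alertNotifications note is an extra check beyond what this rule requires.

```python
import json
import re

# Loose syntactic check only; it does not prove the mailbox exists.
EMAIL_RE = re.compile(r"^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")

def audit_security_contacts(subscription_id, response):
    """Evaluate a securityContacts list response for one subscription.

    Returns a dict with 'compliant' (bool), 'emails' (valid addresses found)
    and 'notes' (why it failed, or settings worth reviewing).
    """
    emails, notes = [], []
    contacts = response.get("value") or []
    if not contacts:
        notes.append("no security contact objects defined")
    for contact in contacts:
        props = contact.get("properties") or {}
        name = contact.get("name", "<unnamed>")
        email = (props.get("email") or "").strip()
        if not email:
            notes.append(f"{name}: email is empty")
        elif not EMAIL_RE.match(email):
            notes.append(f"{name}: email {email!r} is not a valid address")
        else:
            emails.append(email)
            # Extra check beyond the rule: contact set, but alert mails are off.
            if props.get("alertNotifications") == "Off":
                notes.append(f"{name}: alertNotifications is Off")
    return {"subscription": subscription_id, "compliant": bool(emails),
            "emails": emails, "notes": notes}

# Constructed sample responses (not real subscriptions or captured output).
SAMPLES = {
    "00000000-0000-0000-0000-000000000001": '{"value": []}',
    "00000000-0000-0000-0000-000000000002": json.dumps({"value": [
        {"name": "default1", "properties": {"email": "", "phone": ""}}]}),
    "00000000-0000-0000-0000-000000000003": json.dumps({"value": [
        {"name": "default1", "properties": {
            "email": "secops@example.com", "phone": "",
            "alertNotifications": "Off", "alertsToAdmins": "Off"}}]}),
}

def run_samples():
    return [audit_security_contacts(sub, json.loads(body))
            for sub, body in SAMPLES.items()]

if __name__ == "__main__":
    for result in run_samples():
        print(json.dumps(result))
```

To use it against live data, feed each subscription's raw curl response (without the jq filter) to audit_security_contacts after json.loads.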

Remediation / Resolution

To set security contact email addresses in order to be notified when Azure Security Center detects compromised resources within your Azure cloud account, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to the Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On the Pricing & settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Email notifications and enter one or more valid email addresses, separated by comma, in the Email address field.

06 Click Save to apply the changes. When Azure Security Center detects compromised resources inside your Azure cloud account, the subscription administrator(s) will receive alert notifications on the email address(es) configured at the previous step.

07 If required, repeat steps no. 4 – 6 for other available Microsoft Azure cloud subscriptions.

Using Azure CLI and PowerShell

01 Define the necessary parameters for the account get-access-token command, where <security-email-address> represents the security contact email address where you want to be notified when Azure Security Center detects compromised resources within your Azure account. Save the following content to a JSON file named security-contact-information.json and replace the highlighted details, i.e. <azure-subscription-id>, <security-phone-number> and <security-email-address>, with your own configuration and contact details:

{
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default1",
   "name":"default1",
   "type":"Microsoft.Security/securityContacts",
   "properties":{
      "phone":"<security-phone-number>",
      "email":"<security-email-address>"
   }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step (i.e. security-contact-information.json file) to set the email address where you want to receive alert notifications from Azure Security Center, within the selected Microsoft Azure cloud subscription:

# xargs passes the subscription ID as $0 and the access token as $1;
# run this from the directory that holds security-contact-information.json.
az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview" -d @"security-contact-information.json"'

03 If successful, the command output should return the updated Security Center configuration policy:

{
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Security/securityContacts/default1",
   "name":"default1",
   "type":"Microsoft.Security/securityContacts",
   "properties":{  
  	"email":"secops@cloudconformity.com",
  	"phone":"+1-425-1234567",
  	"alertNotifications":"Off",
  	"alertsToAdmins":"Off"
   }
}

04 If required, repeat steps no. 1 – 3 for other available Microsoft Azure cloud subscriptions.

Publication date May 31, 2019
