Logo of Trend Micro

Security Contact Emails In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-016

Ensure that appropriate contact information, in this case one or more email addresses, is set for the administrator who should be notified when Azure Security Center detects compromised resources within your Microsoft Azure cloud account. The contact information is used by Microsoft to contact your account administrator if the Microsoft Security Response Center (MSRC) discovers that your cloud resources and/or data has been accessed by an unauthorized actor or system.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Azure Security Center strongly recommends that you provide at least one valid security contact email address for each Microsoft Azure subscription that you own. Security Center reaches out to the designated administrator using the defined security contact in case the Microsoft security team finds that your Azure cloud resources are compromised. This ensures that the right people become aware of the potential security risks found in order to mitigate these risk in a timely manner.

Audit

To determine if security contact email addresses are defined within Azure Security Center settings, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On Pricing & Settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Email notifications and check the Email address configuration field. If Email address field is empty, there are no security contact email addresses defined in the Azure Security Center configuration settings available for the selected Microsoft Azure subscription.

06 Repeat step no. 4 and 5 for each Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to describe the security contact email address or addresses set for Azure Security Center within the current Microsoft Azure subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview' | jq '.|.value[1]'|jq '.properties.email'

02 The command output should return the requested contact information (if any). 

""

If the command output returns an empty string, i.e. "", or don't return anything at all, there are no security contact email addresses defined within Azure Security Center settings available for the selected Microsoft Azure subscription.

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available in your account.

Remediation / Resolution

To set security contact email addresses in order to be notified when Azure Security Center detects compromised resources within your Azure cloud account, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On Pricing & Settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Email notifications and enter one or more valid email addresses, separated by comma, in the Email address field.

06 Click Save to apply the changes. When Azure Security Center detects compromised resources inside your Azure cloud account, the subscription administrator(s) will receive alert notifications on the email address(es) configured at the previous step.

07 If required, repeat steps no. 4 – 6 for other Microsoft Azure cloud subscription available.

Using Azure CLI and PowerShell

01 Define the necessary parameters for the account get-access-token command, where <security-email-address> represents the security contact email address where you want to be notified when Azure Security Center detects compromised resources within your Azure account. Save the following content to a JSON file named security-contact-information.json and replace the highlighted details, i.e. <azure-subscription-id>, <security-phone-number> and <security-email-address>, with your own configuration and contact details: 

{
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default1",
   "name":"default1",
   "type":"Microsoft.Security/securityContacts",
   "properties":{
  	"phone":"<security-phone-number>",
  	"email":"<security-email-address>"
   }
}

02 Run account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step (i.e. security-contact-information.json file) to set the email address where you want to receive notifications alerts from Azure Security Center, within the selected Microsoft Azure cloud subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"security-contact-information.json"'

03 If successful, the command output should return the updated Security Center configuration policy: 

{
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Security/securityContacts/default1",
   "name":"default1",
   "type":"Microsoft.Security/securityContacts",
   "properties":{  
  	"email":"secops@cloudconformity.com",
  	"phone":"+1-425-1234567",
  	"alertNotifications":"Off",
  	"alertsToAdmins":"Off"
   }
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscription available.

References

Publication date May 31, 2019

Related SecurityCenter rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Security Contact Emails In Use

Risk level: Medium