Configure Additional Email Addresses for Azure Security Center Notifications

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-029

Ensure that additional email addresses are configured within Microsoft Azure Security Center settings in order to receive email-based notifications whenever a high-severity alert is triggered within your Azure subscription. For compliance, you should provide one or more security contact email addresses as additional email addresses.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

By default, there are no additional email addresses configured in the Azure Security Center (ASC) settings, therefore ASC sends email notifications about security alerts only to the subscription owner. Adding one or more security contact email addresses to the "Additional email addresses (separated by commas)" field guarantees that your organization's security team is also notified about security alerts. This ensures that the proper people within your organization are aware of any potential security issues, enabling them to mitigate the risks in a timely fashion.


Audit

To determine if security contact email addresses are configured as additional email addresses within Security Center settings, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the blade navigation panel, under Management, choose Pricing & Settings.

04 On the Pricing & Settings page, click on the name of the Azure subscription that you want to examine, to access the Security Center pricing and settings available for the selected subscription.

05 In the left navigation panel, under Settings, choose Email notifications to access the security notification settings.

06 Under Email recipients, check the Additional email addresses (separated by commas) box to identify the additional email address(es) where security notifications associated with the selected subscription can be sent. If the Additional email addresses (separated by commas) box is empty, there are no additional email addresses configured to receive email notifications from Microsoft Azure Security Center.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters to describe the additional email address(es) defined to receive security email notifications from Azure Security Center (ASC) in the current subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview"' | jq '.value[] | select(.type=="Microsoft.Security/securityContacts") | .properties.email'

02 The command output should return the additional email address(es) configured for security notifications. If the account get-access-token command output is empty (i.e. no data is returned), there are no additional email addresses configured to receive email notifications from Microsoft Azure Security Center.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your cloud account.
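
An added example, not part of the original page or Conformity's own tooling: a Python classifier for the raw securityContacts response fetched in step 01. It separates an empty contact list (no additional email configured) from an error response or malformed body, a case in which the jq pipeline above also prints nothing. The sample bodies, subscription labels and function names are constructed for illustration.

```python
import json

CONTACT_TYPE = "Microsoft.Security/securityContacts"

# Constructed sample response bodies (not real data), keyed by made-up
# subscription labels; shaped like the list the audit request returns.
SAMPLES = {
    "sub-ok": json.dumps({"value": [{"name": "default1", "type": CONTACT_TYPE,
        "properties": {"email": "secops@example.com",
                       "alertNotifications": "On", "alertsToAdmins": "On"}}]}),
    "sub-empty": json.dumps({"value": []}),
    "sub-blank": json.dumps({"value": [{"name": "default1", "type": CONTACT_TYPE,
        "properties": {"email": "  "}}]}),
    "sub-error": json.dumps({"error": {"code": "ConstructedErrorCode",
                                       "message": "constructed error body"}}),
}


def audit_contacts(body):
    """Classify one response body: returns (status, emails).

    PASS  = at least one security contact with a non-blank email
    FAIL  = valid response, but no usable contact email
    ERROR = not a contact list (bad JSON, error object, missing "value")
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "ERROR", []
    if not isinstance(doc, dict) or "error" in doc:
        return "ERROR", []
    items = doc.get("value")
    if not isinstance(items, list):
        return "ERROR", []
    emails = []
    for item in items:
        if not isinstance(item, dict) or item.get("type") != CONTACT_TYPE:
            continue
        email = str((item.get("properties") or {}).get("email") or "").strip()
        if email:
            emails.append(email)
    return ("PASS" if emails else "FAIL"), emails


def audit_all(responses):
    """Map each subscription label to its status for a per-subscription report."""
    return {sub: audit_contacts(body)[0] for sub, body in responses.items()}
```

Treat ERROR as "audit not performed" and rerun the request for that subscription instead of recording it as a finding.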

Remediation / Resolution

To configure additional email addresses for Azure Security Center (ASC) notifications, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the blade navigation panel, under Management, choose Pricing & Settings.

04 On the Pricing & Settings page, click on the name of the Azure subscription that you want to access.

05 In the left navigation panel, under Settings, choose Email notifications to access the configuration settings available for security notifications.

06 Under Email recipients, enter a valid contact email address (or multiple addresses separated by commas) in the Additional email addresses (separated by commas) box. Choose Save to apply the configuration changes. The recipients of the email addresses provided at this step will receive emails with security notifications from Azure Security Center (ASC).

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Define the specifications required for the account get-access-token command in order to configure the additional email address(es) where security notifications associated with the selected subscription can be sent. Replace the highlighted information, i.e. <azure-subscription-id> and <valid-email-address> with your own information, and save the content to a JSON file named asc-additional-email-addresses.json:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the specifications defined at the previous step (i.e. the asc-additional-email-addresses.json file) to configure the additional email addresses that will receive Azure Security Center (ASC) notifications:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview" -d@"asc-additional-email-addresses.json"'

03 The output should return the account get-access-token command request metadata:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your cloud account.

Publication date Sep 29, 2021