Security Contact Emails

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-016

Ensure that additional email addresses are configured within Microsoft Defender for Cloud service settings in order to receive email-based notifications whenever a high-severity alert is triggered in your Azure account subscription. For compliance, you should provide one or more security contact email addresses as additional email addresses.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

By default, no additional email addresses are configured in the Microsoft Defender for Cloud settings, so the service sends email notifications about security alerts only to the subscription owner. Adding one or more security contact email addresses to the "Additional email addresses (separated by commas)" field ensures that your organization's security team is also notified about security alerts, so that the right people are aware of potential security issues and can mitigate the risks in a timely fashion.

Audit

To determine if security contact email addresses are configured as additional email addresses within Microsoft Defender for Cloud settings, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Email notifications to access the security notification settings.

06 In the Email recipients section, check the Additional email addresses (separated by commas) setting box to identify the additional email address(es) where security notifications associated with the selected subscription can be sent. If the Additional email addresses (separated by commas) box setting is empty, there are no additional email addresses configured to receive email notifications from Microsoft Defender for Cloud.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI and PowerShell

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters, piping the subscription ID and access token into a request to the Microsoft.Security/securityContacts REST API, to list the additional email address(es) defined to receive security email notifications from Microsoft Defender for Cloud within the current subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview"' | jq '.value[] | select(.type=="Microsoft.Security/securityContacts") | .properties.email'

02 The command output should return the additional email address(es) configured for security notifications. If the account get-access-token command output is empty (i.e. no data is returned), there are no additional email addresses configured to receive email notifications from the Microsoft Defender for Cloud service.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To configure additional email addresses for Microsoft Defender for Cloud security notifications, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Email notifications to access the security notification settings.

06 In the Email recipients section, enter a valid contact email address (or multiple addresses separated by commas) in the Additional email addresses (separated by commas) configuration box. Choose Save to apply the changes. The recipients of the email addresses provided at this step will receive emails with security notifications from Microsoft Defender for Cloud.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI and PowerShell

01 Define the configuration parameters for the account get-access-token command in order to specify the additional email address(es) where security notifications associated with the selected subscription can be sent. Save the configuration document to a JSON file named enable-additional-email-addresses.json and replace the placeholders, i.e. <azure-subscription-id> and <valid-email-address(es)>, with your own Azure account subscription details:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address(es)>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. the enable-additional-email-addresses.json file) to configure the additional email addresses required to send Microsoft Defender for Cloud security notifications. The resource name in the request URL (default) must match the "name" in the JSON document:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2017-08-01-preview" -d @enable-additional-email-addresses.json'

03 The output should return the metadata of the updated security contact resource:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address(es)>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
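The audit and remediation steps above both work on the same Microsoft.Security/securityContacts document. The following script is an added example, not Conformity's own code: it evaluates a securityContacts list response (the shape the audit command's jq filter reads) against this rule, and builds the PUT body used in the remediation step, rejecting empty or malformed address lists instead of submitting them. The subscription ID, addresses and sample responses are constructed placeholders.

```python
"""Evaluate and build Microsoft.Security/securityContacts documents.

Added example (not Conformity's own code). It operates on the JSON shape
returned by the securityContacts REST call shown on this page; the sample
responses at the bottom are constructed, not captured from a real tenant.
"""
import json
import re
from typing import Dict, List

SECURITY_CONTACT_TYPE = "Microsoft.Security/securityContacts"
# Minimal syntactic check: catches blanks and obvious typos, not deliverability.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def parse_contact_emails(raw: str) -> List[str]:
    """Split the comma-separated 'email' property into trimmed, non-empty addresses."""
    return [part.strip() for part in (raw or "").split(",") if part.strip()]


def additional_emails_from_response(response: Dict) -> List[str]:
    """Collect additional email addresses from a securityContacts list response.

    Mirrors the audit command's jq filter: keep only resources whose type is
    Microsoft.Security/securityContacts and read properties.email.
    """
    emails: List[str] = []
    for resource in response.get("value", []):
        if resource.get("type") != SECURITY_CONTACT_TYPE:
            continue
        props = resource.get("properties", {})
        emails.extend(parse_contact_emails(props.get("email", "")))
    return emails


def evaluate_security_contacts(response: Dict) -> Dict:
    """Return the SecurityCenter-016 verdict for one subscription.

    Compliant only when at least one syntactically valid additional address is
    configured; malformed entries are reported so an operator can correct them.
    """
    emails = additional_emails_from_response(response)
    valid = [e for e in emails if EMAIL_RE.match(e)]
    invalid = [e for e in emails if not EMAIL_RE.match(e)]
    return {"compliant": bool(valid), "valid_emails": valid, "invalid_emails": invalid}


def build_security_contact_body(subscription_id: str, emails: List[str]) -> Dict:
    """Build the PUT body for securityContacts/default, as in the remediation step.

    Raises ValueError rather than silently submitting an empty or malformed list.
    """
    cleaned = [e.strip() for e in emails if e.strip()]
    bad = [e for e in cleaned if not EMAIL_RE.match(e)]
    if not cleaned or bad:
        raise ValueError(f"need at least one valid address; rejected: {bad}")
    return {
        "id": f"/subscriptions/{subscription_id}/providers/{SECURITY_CONTACT_TYPE}/default",
        "name": "default",
        "type": SECURITY_CONTACT_TYPE,
        "properties": {
            "email": ",".join(cleaned),
            "alertNotifications": "On",
            "alertsToAdmins": "On",
        },
    }


# Constructed sample responses (placeholder subscription ID and addresses).
NO_CONTACTS = {"value": []}
CONFIGURED = {
    "value": [
        {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
                  "Microsoft.Security/securityContacts/default",
            "name": "default",
            "type": SECURITY_CONTACT_TYPE,
            "properties": {
                "email": "secops@example.com, soc-oncall@example.com ,not-an-email",
                "alertNotifications": "On",
                "alertsToAdmins": "On",
            },
        }
    ]
}

if __name__ == "__main__":
    for label, resp in (("no contacts", NO_CONTACTS), ("configured", CONFIGURED)):
        print(label, json.dumps(evaluate_security_contacts(resp)))
    body = build_security_contact_body("00000000-0000-0000-0000-000000000000",
                                       ["secops@example.com"])
    print(json.dumps(body, indent=2))
```

To use it against a live subscription, feed the output of the GET request from the audit step to evaluate_security_contacts, and write the dictionary returned by build_security_contact_body to enable-additional-email-addresses.json before running the PUT request from the remediation step.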

Publication date May 31, 2019