
Security Contact Phone Number


Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-017

Ensure that an international security contact phone number (including the country code, e.g. +1-425-1234567) is set for the administrator who wants to be notified when Microsoft Defender for Cloud detects compromised cloud resources.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Defender for Cloud strongly recommends that you provide valid security contact details for each Azure subscription created in your cloud account. If appropriate contact information is provided, Microsoft Defender for Cloud calls the designated security contact in case your Azure cloud resources are compromised in some way. The main purpose of this feature is to ensure that the right people get notified for potential security risks in order to mitigate those risks in a timely fashion.

Note: Make sure that the contact information (i.e. phone number) provided is valid, as the communication is not digitally signed.


Audit

To determine if a valid security contact phone number is configured within Microsoft Defender for Cloud settings, perform the following operations:

Note: Checking for Microsoft Defender for Cloud security contact details using the Microsoft Azure Portal is not currently supported.

Using Azure CLI and PowerShell

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters to describe the security contact phone number configured for alert notifications in the Microsoft Defender for Cloud settings, within the current Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview"' | jq '.value[] | select(.type=="Microsoft.Security/securityContacts") | .properties.phone'

02 The command output should return the requested contact information (i.e. phone number). If the account get-access-token command output is empty (i.e. no data is returned), there is no security contact phone number configured for alert notifications in the Microsoft Defender for Cloud settings, within the selected Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.
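
The check in steps 1 and 2 can be scripted over the raw API response so that an empty phone value or a number without a country code is flagged as well as a missing contact. The following is an added example, not Conformity or Microsoft code; the function names, the status labels, the constructed sample responses and the digit-count rule for an international number are assumptions made for illustration.

```python
import json
import re

# Assumption: a valid international number is "+", a country code that does not
# start with 0, and 7 to 15 digits in total (15 is the E.164 maximum). Separators
# are tolerated, as in the page's +1-425-1234567 example.
SEPARATORS = re.compile(r"[\s\-().]")
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def classify_phone(phone):
    """Return COMPLIANT, MISSING or INVALID_FORMAT for one properties.phone value."""
    if phone is None or not str(phone).strip():
        return "MISSING"  # jq prints null or "" here, which is not empty output
    return "COMPLIANT" if E164.match(SEPARATORS.sub("", str(phone))) else "INVALID_FORMAT"


def audit_security_contacts(response_text):
    """Evaluate the JSON body returned by the securityContacts GET request.

    Returns a list of (contact name, status) tuples for one subscription.
    """
    body = json.loads(response_text)
    if "error" in body:
        # An expired token or missing permission must not read as "no contact".
        raise ValueError("API error: %s" % body["error"].get("code", "unknown"))
    contacts = [c for c in body.get("value", [])
                if c.get("type") == "Microsoft.Security/securityContacts"]
    if not contacts:
        return [("<none>", "NO_CONTACT")]
    return [(c.get("name", "<unnamed>"),
             classify_phone((c.get("properties") or {}).get("phone")))
            for c in contacts]


def sample(phone):
    """Build a constructed list response holding one contact with the given phone."""
    return json.dumps({"value": [{
        "name": "default",
        "type": "Microsoft.Security/securityContacts",
        "properties": {"email": "secops@example.com", "phone": phone},
    }]})


if __name__ == "__main__":
    # Constructed inputs, not real subscription data.
    for phone in ("+1-425-1234567", "425-1234567", "", None):
        print(repr(phone), audit_security_contacts(sample(phone)))
    print("no contacts", audit_security_contacts('{"value": []}'))
```

To use it against a live subscription, save the curl output from step 1 (before the jq filters) and pass the text to audit_security_contacts.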

Remediation / Resolution

To set a security contact phone number in order to be notified when Microsoft Defender for Cloud detects compromised resources within your cloud account, perform the following operations:

Note: Setting a security contact phone number for Microsoft Defender for Cloud alert notifications using the Microsoft Azure Portal is not currently supported.

Using Azure CLI and PowerShell

01 Define the configuration parameters for the account get-access-token command, where the <security-phone-number> parameter represents the security contact phone number where you want to be notified when Microsoft Defender for Cloud detects compromised resources within your Azure cloud account. Save the configuration document to a JSON file named security-contact-information.json and replace the highlighted details, i.e. <azure-subscription-id> and <security-phone-number>, with your own Azure account subscription and contact details:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address>",
    "phone": "<security-phone-number>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. security-contact-information.json file), to set a valid international phone number where you want to receive notification alerts from Microsoft Defender for Cloud, for the selected Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview" -d@"security-contact-information.json"'

03 If successful, the output should return the account get-access-token command request metadata:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address>",
    "phone": "<security-phone-number>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.

References

Publication date May 31, 2019