Logo of Trend Micro

Enable Alert Notifications for Subscription Owners

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-019

Ensure that appropriate contact information is set for the administrator who should be notified when Azure Security Center detects compromised resources within your Microsoft Azure cloud account. The contact information, in this case one or more email addresses, is used by the Azure security team to contact your account administrator if the Microsoft Security Response Center (MSRC) discovers that your cloud resources and/or data has been accessed by an unauthorized actor or system.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Enabling security alert emails to subscription owners ensures that they receive important alert notifications from Microsoft Security Response Center, in order to become aware of the security issues identified, and take actions to mitigate the risks in a timely fashion.

Audit

To determine if Azure Security Center is configured to send alert email notifications to Azure subscription owners, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On Pricing & Settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Email notifications to access the page with the contact information required to receive email notifications from Microsoft Azure Security Center.

06 In the Email recipients settings section, check the All users with following roles field. If Owner is unchecked, the "Send email also to subscription owners" feature is not enabled in the current Azure cloud subscription.

07 Repeat step no. 4 – 6 for each Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to get the "Send email also to subscription owners" feature configuration status for the selected Azure subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview' | jq '.|.value[1]'|jq '.properties.alertsToAdmins'

02 The command output should return the requested feature configuration status: 

"Off"

If the command output returns "Off", as shown in the example above, sending alert email notifications to Azure subscription owners is not enabled within the Azure Security Center settings.

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available in your account.

Remediation / Resolution

To enable high severity alert email notifications in the Azure Security Center settings, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On Pricing & Settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Email notifications to access the page with the contact information required to receive alert notifications from Microsoft Azure Security Center.

06 In the Email recipients section, check the checkbox for Owners next to All users with following roles to send security alert email notifications to the owner of the selected Microsoft Azure subscription.

07 Click Save to apply the changes and enable the security feature.

08 If required, repeat steps no. 4 – 7 for other Microsoft Azure cloud subscription available.

Using Azure CLI and PowerShell

01 Define the necessary parameters for the account get-access-token command, where alertsToAdmins configuration attribute is set to On in order to enable the "Send email also to subscription owners" feature. Save the following content to a JSON file named enable-subscription-owner-alerts.json and replace the highlighted details, i.e. <azure-subscription-id>, <security-email-address> and <security-phone-number>, with your own configuration and contact information: 

{
"id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default1",
   "name":"default1",
   "type":"Microsoft.Security/securityContacts",
   "properties":{
  	"email":"<security-email-address>",
  	"phone":"<security-phone-number>",
  	"alertNotifications": "On",
  	"alertsToAdmins":"On"
   }
}

02 Run account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step to enable sending security alert email notifications to the owner of the selected Microsoft Azure subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"enable-subscription-owner-alerts.json"'

03 If successful, the command output should return the updated Security Center configuration policy: 

{
"id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default1",
   "name":"default1",
   "type":"Microsoft.Security/securityContacts",
   "properties":{
  	"email":"<security-email-address>",
  	"phone":"<security-phone-number>",
  	"alertNotifications": "On",
  	"alertsToAdmins":"On"
   }
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscription available.

References

Publication date May 31, 2019

Related SecurityCenter rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Alert Notifications for Subscription Owners

Risk level: Medium