Logo of Trend Micro

Security Contact Phone Numbers In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-017

Ensure that a security contact international phone number (including the country code, e.g. +1-425-1234567) is set for the administrator who should be notified when Azure Security Center detects compromised resources.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

As best practice, Azure Security Center recommends that you provide valid security contact details for each Microsoft Azure subscription. If appropriate contact information is provided, the Azure Security Center calls the designated security contact in case its security team finds that your cloud resources are compromised in some way. The main purpose of this feature is to ensure that the right people get notified for potential security risks in order to mitigate those risks in a timely fashion.

Note: Make sure that the contact information (i.e. phone number) provided is valid, as the communication is not digitally signed.

Audit

To determine if a valid security contact phone number is defined within Azure Security Center settings, perform the following actions:

Using Azure CLI and PowerShell

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to describe the security contact phone number set for alert notifications within the subscription's Azure Security Center settings: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview' | jq '.|.value[1]'|jq '.properties.phone'

02 The command output should return the requested contact information (if any available). 

""

If the command output returns an empty string, i.e. "", there are no security contact phone numbers configured for alert notifications in the Azure Security Center configuration settings, within the selected Microsoft Azure subscription.

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available in your account.

Remediation / Resolution

To set a security contact phone number in order to be notified when Azure Security Center detects compromised resources in your Azure cloud account, perform the following actions:

Using Azure CLI and PowerShell

01 Define the necessary parameters for the account get-access-token command, where <security-phone-number> represents the security contact phone number where you want to be notified when Azure Security Center service detects compromised resources within your Azure cloud account. Save the following content to a JSON file named security-contact-information.json and replace the highlighted details, i.e. <azure-subscription-id>, <security-email-address> and <security-phone-number>, with your own contact information: 

{
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default1",
   "name":"default1",
   "type":"Microsoft.Security/securityContacts",
   "properties":{
  	"email":"<security-email-address>",
  	"phone":"<security-phone-number>",
    "alertNotifications":"Off",
    "alertsToAdmins":"Off"
   }
}

02 Run account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step (i.e. security-contact-information.json file) to set the valid international phone number where you want to receive notifications alerts from Azure Security Center, within the selected Microsoft Azure cloud subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"security-contact-information.json"'

03 If successful, the command output should return the updated Security Center configuration policy, for example: 

{
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Security/securityContacts/default1",
   "name":"default1",
   "type":"Microsoft.Security/securityContacts",
   "properties":{
  	"email":"notifyme@cloudconformity.com",
  	"phone":"+1-425-1234567",
  	"alertNotifications":"Off",
  	"alertsToAdmins":"Off"
   }
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscription available.

References

Publication date May 31, 2019

Related SecurityCenter rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Security Contact Phone Numbers In Use

Risk level: Medium