Unexpected Azure API calls indicating Security Center contact modification

ID: azure_security_contact_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected modification of Azure Security Center contacts via Microsoft.Security/securityContacts/write. Security contacts are the email addresses and phone numbers that receive security alerts and notifications from Microsoft Defender for Cloud.

Adversaries may modify or remove security contacts to prevent security notifications from reaching the appropriate personnel. This enables attackers to operate undetected while security alerts about their activities are not delivered to defenders.

Impact

Modifying security contacts can disrupt security alert delivery, allowing attackers to operate without triggering responses from security teams. Critical notifications about threats, vulnerabilities, and suspicious activities may not reach the appropriate personnel, delaying incident detection and response.

Severity

Severity | Condition
Low      | Security contact modification detected
Medium   | Anomalous security contact modification

Investigation and Remediation

Review Azure Activity logs for Microsoft.Security/securityContacts/write events. Identify what changes were made to security contacts and verify whether they were authorized. Check whether legitimate contact information was removed or replaced with attacker-controlled addresses.

If unauthorized, restore the correct security contact configuration immediately. Investigate the compromised identity for additional defense evasion activities. Review any security alerts that may have been missed during the period when contacts were modified. Implement alerts on security contact changes and restrict modification permissions.
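As an added example (not AlphaSOC's detection logic), the following Python triages exported Azure Activity records for Microsoft.Security/securityContacts/write operations and maps them onto the severity table above; the sample records and the "known callers" baseline used as the anomaly criterion are constructed for this example, and the field names assume the Activity log export schema (operationName, caller, callerIpAddress, eventTimestamp, status).

```python
# Operation the rule keys on (taken from the rule description).
SECURITY_CONTACT_WRITE = "microsoft.security/securitycontacts/write"

# Constructed sample Azure Activity records. Field names follow the Activity log
# export schema; every value (identities, IPs, timestamps) is invented.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T09:00:00Z",
     "operationName": "Microsoft.Security/securityContacts/write",
     "caller": "secops-admin@example.com", "callerIpAddress": "203.0.113.10",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-05-01T09:05:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "dev@example.com", "callerIpAddress": "203.0.113.11",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-05-02T02:10:00Z",
     "operationName": "MICROSOFT.SECURITY/SECURITYCONTACTS/WRITE",
     "caller": "svc-build@example.com", "callerIpAddress": "198.51.100.7",
     "status": {"value": "Failed"}},
    {"eventTimestamp": "2024-05-02T02:14:00Z",
     "operationName": "MICROSOFT.SECURITY/SECURITYCONTACTS/WRITE",
     "caller": "svc-build@example.com", "callerIpAddress": "198.51.100.7",
     "status": {"value": "Succeeded"}},
]


def op_name(event):
    """operationName is a plain string in exports (case varies) but an
    object with a 'value' key when read from the REST API; normalise both."""
    name = event.get("operationName", "")
    if isinstance(name, dict):
        name = name.get("value", "")
    return name.lower()


def classify_contact_writes(events, known_callers):
    """Return one finding per successful securityContacts/write.
    Severity follows the rule's table: Low for any modification, Medium when
    the caller is outside the baseline of identities expected to manage
    security contacts (the anomaly criterion assumed by this example)."""
    findings = []
    for ev in events:
        if op_name(ev) != SECURITY_CONTACT_WRITE:
            continue
        if ev.get("status", {}).get("value") != "Succeeded":
            continue  # the rule describes successful modifications only
        caller = ev.get("caller", "<unknown>")
        findings.append({"time": ev["eventTimestamp"], "caller": caller,
                         "ip": ev.get("callerIpAddress"),
                         "severity": "Low" if caller in known_callers else "Medium"})
    return findings
```

Every Medium finding is a candidate for the identity investigation described above; the Low findings still deserve a quick confirmation that the change was planned.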