Detect Create, Update or Delete Security Solution Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: SecurityCenter-027

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Create Security Solution", "Update Security Solution" or "Delete Security Solution" events in your Microsoft Azure cloud account.

Security solutions that can be deployed within your Azure cloud account from Microsoft Azure Security Center include Web Application Firewalls (WAFs), anti-malware, and vulnerability assessment solutions. These can be partner solutions or customer solutions that are added to your cloud account using Azure Security Center. The benefits of integrating security solutions with Microsoft Azure Security Center include: simplified deployment (Security Center offers streamlined provisioning of partner security solutions); integrated detections (security events from partner solutions are automatically collected, aggregated, and displayed as part of Azure Security Center alerts and incidents); and unified health monitoring and management (basic management plus integrated health events that let you monitor all partner security solutions at a glance).

This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring

Security

As a cloud security best practice, you have to be aware of all the configuration changes performed within Azure Security Center. The activity detected by Conformity RTMA could be a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using Azure CLI that triggers any of the security solution operational events listed below:

"Create Security Solution" – Adds a new security solution to Microsoft Azure Security Center.

"Update Security Solution" – Updates the configuration of an existing security solution available in Azure Security Center.

"Delete Security Solution" – Deletes security solutions in your Azure account using Microsoft Azure Security Center.

In order to avoid providing your non-privileged Azure users the permission to add or update security solutions within your cloud account using Azure Security Center, Conformity strongly recommends that you implement the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks) when you configure user permissions.

The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The supported communication channels that you can use to receive notification alerts for adding or updating security solutions are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

Rationale

Security Center is a unified infrastructure security management system made available by Microsoft Azure. High visibility into Azure Security Center activity is a key aspect of security and operational best practices and helps you maintain a strong security profile for your Azure cloud account. Therefore, monitoring your Microsoft Azure account for "Create Security Solution" and "Update Security Solution" events (i.e. "Microsoft.Security/securitySolutions/write" events) and "Delete Security Solution" events (i.e. "Microsoft.Security/securitySolutions/delete" events) can give you valuable insight into the changes made to your Azure security solutions and can help you reduce the time it takes to detect suspicious activity.
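The following is an added example, not Conformity's own detection code: it scans Azure Activity Log records (constructed sample entries, not a real capture) for the two operation names named above and reports who performed each successful change. The record shape (`operationName.value`, `status.value`, `caller`, `resourceId`) follows the Activity Log JSON schema; the subscription id and resource names are placeholders.

```python
import json

# Activity Log operation names from the rule text, mapped to the RTMA event they
# represent. Matched case-insensitively: Azure operation names are not case-sensitive.
WATCHED_OPERATIONS = {
    "microsoft.security/securitysolutions/write": "Create/Update Security Solution",
    "microsoft.security/securitysolutions/delete": "Delete Security Solution",
}

def find_security_solution_events(records):
    """Return (caller, event, resourceId) tuples for Activity Log records whose
    operation is a watched security-solution change and whose status is Succeeded."""
    hits = []
    for rec in records:
        op = rec.get("operationName", {})
        # Activity Log exports carry operationName/status as {"value": ..., "localizedValue": ...}
        op_value = op.get("value", "") if isinstance(op, dict) else str(op)
        event = WATCHED_OPERATIONS.get(op_value.lower())
        if event is None:
            continue
        status = rec.get("status", {})
        status_value = status.get("value", "") if isinstance(status, dict) else str(status)
        # 'Started' and 'Failed' entries for the same request are noise; alert once, on success
        if status_value.lower() != "succeeded":
            continue
        hits.append((rec.get("caller", "<unknown>"), event, rec.get("resourceId", "")))
    return hits

# Constructed sample Activity Log records (placeholder subscription id and names)
SAMPLE_ACTIVITY_LOG = json.loads("""[
 {"operationName": {"value": "Microsoft.Security/securitySolutions/write"},
  "status": {"value": "Succeeded"}, "caller": "alice@example.com",
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Security/locations/eastus/securitySolutions/waf1"},
 {"operationName": {"value": "Microsoft.Security/securitySolutions/delete"},
  "status": {"value": "Started"}, "caller": "bob@example.com",
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Security/locations/eastus/securitySolutions/waf1"},
 {"operationName": {"value": "MICROSOFT.SECURITY/SECURITYSOLUTIONS/DELETE"},
  "status": {"value": "Succeeded"}, "caller": "bob@example.com",
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Security/locations/eastus/securitySolutions/waf1"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
  "status": {"value": "Succeeded"}, "caller": "carol@example.com",
  "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
]""")

if __name__ == "__main__":
    for caller, event, resource in find_security_solution_events(SAMPLE_ACTIVITY_LOG):
        print(f"{event}: {caller} on {resource}")
```

The same filter expressed against `az monitor activity-log list --output json` gives you a quick offline check when an RTMA alert fires and you want to confirm the caller and resource.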


Publication date Jun 30, 2021
