Detect Update Security Policy Event

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: SecurityCenter-026

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Update Security Policy" events in your Microsoft Azure cloud account.

A security policy defines the set of controls that are recommended for the cloud resources deployed within your Azure account. The security policies that you enable in Azure Security Center for your cloud account drive security recommendations and monitoring, and must be in accordance with your organization's security requirements, the types of workloads used, and the data sensitivity and confidentiality level configured for each Azure subscription. After you enable security policies for a subscription's resources, Microsoft Azure Security Center analyzes the security of your cloud resources to identify potential vulnerabilities.

This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring

Security

The Real-Time Threat Monitoring and Analysis (RTMA) feature can detect any API call related to configuration changes made to your security policies. The activity detected by Trend Micro Cloud One™ – Conformity RTMA could be, for example, a user action initiated through the Microsoft Azure Portal or an API request made programmatically through the REST API or Windows PowerShell that triggers an "Update Security Policy" operational event. To adhere to cloud security best practices and implement the Principle of Least Privilege (POLP), Trend Micro Cloud One™ – Conformity strongly recommends that you avoid granting your non-privileged, non-administrator users the permission to update the security policies enabled for your Azure cloud subscriptions.

The communication channels for sending RTMA notifications can be configured within your Conformity account. The supported communication channels that you can use to receive notification alerts for security policy update events are SMS, Email, Slack, Zendesk, ServiceNow, and PagerDuty.

Rationale

Monitoring your Microsoft Azure account subscriptions for "Update Security Policy" events can provide insight into the security configuration changes made at the subscription level and can help you to reduce the time it takes to detect suspicious activity such as unsolicited or unauthorized update requests made for security policies. Security policies should reflect long-term viable objectives that align with your organization's security strategy and risk tolerance, therefore, monitoring any security policy configuration changes is essential for keeping your Azure cloud account secure.
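The detection logic the two sections above describe, reduced to its essentials as an added example (this is not Conformity's own code, and the page does not name the underlying Azure operation): a small Python script that reads records in the shape of an Azure Activity Log JSON export, keeps only completed security policy writes, and marks each one as authorized or not against a hypothetical allowlist of principals that are permitted to change policies. The operation name Microsoft.Security/policies/write, the allowlist, and the three log records are all assumptions constructed for the example.

```python
import json

# Operation name assumed to represent an "Update Security Policy" event in the
# Azure Activity Log. Compared case-insensitively, since resource provider
# names in exported logs do not have a stable case.
POLICY_WRITE_OPERATIONS = {"microsoft.security/policies/write"}

# Hypothetical allowlist: the only principals that should ever touch policies.
APPROVED_POLICY_EDITORS = {"secops-admin@contoso.onmicrosoft.com"}

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
POLICY_RESOURCE = f"/subscriptions/{SUBSCRIPTION}/providers/Microsoft.Security/policies/default"

# Constructed sample export (not real data). It covers the cases that matter:
# an approved caller, the paired Started/Succeeded records that one request
# produces, an unapproved caller, and an unrelated write operation.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {
        "eventTimestamp": "2021-06-30T09:12:41.0000000Z",
        "operationName": {"value": "Microsoft.Security/policies/write",
                          "localizedValue": "Update Security Policy"},
        "caller": "secops-admin@contoso.onmicrosoft.com",
        "status": {"value": "Succeeded"},
        "category": {"value": "Administrative"},
        "subscriptionId": SUBSCRIPTION,
        "resourceId": POLICY_RESOURCE,
    },
    {
        "eventTimestamp": "2021-06-30T11:03:04.0000000Z",
        "operationName": {"value": "MICROSOFT.SECURITY/POLICIES/WRITE",
                          "localizedValue": "Update Security Policy"},
        "caller": "dev-contractor@contoso.onmicrosoft.com",
        "status": {"value": "Started"},
        "category": {"value": "Administrative"},
        "subscriptionId": SUBSCRIPTION,
        "resourceId": POLICY_RESOURCE,
    },
    {
        "eventTimestamp": "2021-06-30T11:03:05.0000000Z",
        "operationName": {"value": "MICROSOFT.SECURITY/POLICIES/WRITE",
                          "localizedValue": "Update Security Policy"},
        "caller": "dev-contractor@contoso.onmicrosoft.com",
        "status": {"value": "Succeeded"},
        "category": {"value": "Administrative"},
        "subscriptionId": SUBSCRIPTION,
        "resourceId": POLICY_RESOURCE,
    },
    {
        "eventTimestamp": "2021-06-30T11:20:00.0000000Z",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/write",
                          "localizedValue": "Create or Update Virtual Machine"},
        "caller": "dev-contractor@contoso.onmicrosoft.com",
        "status": {"value": "Succeeded"},
        "category": {"value": "Administrative"},
        "subscriptionId": SUBSCRIPTION,
        "resourceId": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
    },
])


def parse_activity_log(text):
    """Parse a JSON array of Activity Log records."""
    return json.loads(text)


def is_policy_update(record):
    """True when the record's operation is a security policy write."""
    op = record.get("operationName", {}).get("value", "")
    return op.lower() in POLICY_WRITE_OPERATIONS


def find_policy_updates(records, approved_callers):
    """Return one finding per completed policy write.

    'Started' records are skipped: the Activity Log emits a Started record and
    then a Succeeded (or Failed) record for the same request, so alerting on
    both would double-count every change. Failed attempts are kept, because a
    failed write by an unapproved caller is still worth an alert.
    """
    findings = []
    for record in records:
        if not is_policy_update(record):
            continue
        status = record.get("status", {}).get("value", "")
        if status == "Started":
            continue
        caller = record.get("caller", "")
        findings.append({
            "timestamp": record.get("eventTimestamp"),
            "caller": caller,
            "status": status,
            "subscription": record.get("subscriptionId"),
            "resource": record.get("resourceId"),
            "authorized": caller in approved_callers,
        })
    return findings


def format_alert(finding):
    """One-line alert text suitable for an email/Slack/PagerDuty payload."""
    severity = "INFO" if finding["authorized"] else "HIGH"
    return (f"[{severity}] {finding['timestamp']} Update Security Policy by "
            f"{finding['caller']} ({finding['status']}) on {finding['resource']}")


if __name__ == "__main__":
    for f in find_policy_updates(parse_activity_log(SAMPLE_ACTIVITY_LOG),
                                 APPROVED_POLICY_EDITORS):
        print(format_alert(f))
```

On the sample export the script produces two findings: the approved administrator's change at INFO and the contractor's change at HIGH; the Started record and the virtual machine write are ignored. The same filter over a Log Analytics workspace would be a query on the AzureActivity table matching the OperationNameValue column against the assumed operation name; the Python version is shown because it runs offline against an exported file.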


Publication date Jun 30, 2021
