Detect Create or Update Network Security Group Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Create Network Security Group" or "Update Network Security Group" events within your Microsoft Azure cloud account.

An Azure network security group acts as a virtual firewall and contains security rules that allow or deny inbound and outbound network traffic to and from cloud resources provisioned within your Azure virtual network. For each network security group rule, you can specify source and destination, port, and protocol. You can deploy resources from several Azure cloud services into an Azure virtual network. Then, you can associate a network security group with each virtual network subnet and network interface within your virtual network.


The Real-Time Threat Monitoring and Analysis (RTMA) feature can detect essentially any API call related to configuration changes made to your network security groups, such as adding or removing inbound and outbound security rules. The activity detected by Trend Micro Cloud One™ – Conformity RTMA could be, for example, a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using Azure CLI that triggers any of the following operational events:

"Create Network Security Group" – Creates a new Microsoft Azure network security group.

"Update Network Security Group" – Modifies an existing network security group.

If a network security group is created or modified by an inexperienced user, the resulting configuration can allow attackers to use port scanners and other probing techniques to identify applications and services running on your virtual machines and exploit their vulnerabilities. To adhere to Azure cloud security best practices and implement the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Trend Micro Cloud One™ – Conformity strongly recommends that, as far as possible, you avoid granting your Azure users (except the network administrators) permission to change the network security group configuration within your Azure cloud account.
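The following added example (not Conformity's RTMA code) shows the same kind of check run over Azure Activity Log records, where creating and updating a network security group are both logged as the operation `Microsoft.Network/networkSecurityGroups/write`. The allowlist of network administrators, the `find_nsg_changes` helper and the sample records are hypothetical and constructed for illustration.

```python
# Added example: flag NSG create/update records in Azure Activity Log data.
# Azure logs both creating and updating a network security group as a "write".
NSG_WRITE_OPS = {
    "microsoft.network/networksecuritygroups/write",
    "microsoft.network/networksecuritygroups/securityrules/write",
}
# Assumption: hypothetical allowlist of network administrators.
NETWORK_ADMINS = {"netadmin@example.com"}
NSG = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "rg-demo/providers/Microsoft.Network/networkSecurityGroups/nsg-web")

def _rec(ts, caller, op, status, resource=NSG):
    """Build one constructed record in the nested Activity Log shape."""
    return {"eventTimestamp": ts, "caller": caller, "resourceId": resource,
            "operationName": {"value": op}, "status": {"value": status}}

# Constructed sample data, not real log output.
SAMPLE_EVENTS = [
    _rec("2021-02-16T09:00:05Z", "netadmin@example.com",
         "Microsoft.Network/networkSecurityGroups/write", "Succeeded"),
    _rec("2021-02-16T09:12:40Z", "dev1@example.com",
         "Microsoft.Network/networkSecurityGroups/write", "Started"),
    _rec("2021-02-16T09:12:43Z", "dev1@example.com",
         "Microsoft.Network/networkSecurityGroups/write", "Succeeded"),
    _rec("2021-02-16T09:20:00Z", "dev1@example.com",
         "Microsoft.Compute/virtualMachines/start/action", "Succeeded"),
]

def _value(field):
    """Accept either a {"value": ...} object or a plain string."""
    return (field.get("value") if isinstance(field, dict) else field) or ""

def find_nsg_changes(events, allowed_callers=frozenset(NETWORK_ADMINS)):
    """Return completed NSG writes, marking callers outside the allowlist."""
    findings = []
    for ev in events:
        if _value(ev.get("operationName")).lower() not in NSG_WRITE_OPS:
            continue
        if _value(ev.get("status")).lower() != "succeeded":
            continue  # Started/Failed records did not change the configuration
        caller = (ev.get("caller") or "").lower()
        findings.append({"time": ev.get("eventTimestamp"), "caller": caller,
                         "resource": ev.get("resourceId"),
                         "authorized": caller in allowed_callers})
    return findings

if __name__ == "__main__":
    for f in find_nsg_changes(SAMPLE_EVENTS):
        tag = "ok" if f["authorized"] else "ALERT"
        print(f'{tag:5} {f["time"]} {f["caller"]} {f["resource"]}')
```

Findings with `authorized` set to `False` are the ones to route to a notification channel; the authorized ones still make a useful audit trail of network security group changes.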

The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The supported communication channels that you can use to receive notification alerts for network security group configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.


Monitoring configuration changes for your Microsoft Azure network security groups is crucial for keeping your cloud environment secure. With Trend Micro Cloud One™ – Conformity RTMA network configuration monitoring, you can gain complete visibility over your network security group changes. This can help prevent any accidental or intentional modifications that may lead to unauthorized access or other related security breaches. Beyond prevention, you should be able to keep your Azure virtual network secure by acting on any unusual activity detected at the network level and by sending real-time notifications. This is extremely useful when, for example, an unauthorized user modifies a network security group to allow unrestricted inbound access to a virtual network subnet, which increases the opportunities for malicious activity such as hacking and brute-force attacks.


Publication date Feb 16, 2021
