Detect Create or Update Network Security Group Rule Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Create Network Security Group Rule" or "Update Network Security Group Rule" events within your Microsoft Azure cloud account.

To filter traffic to and from the cloud resources provisioned within your Azure virtual network, you can use network security groups to create and configure security rules. These network security group rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny traffic. A flow record is created for existing connections and the communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. For example, if you specify an outbound security rule to any address over port 80 (HTTP), it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true, i.e. if inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over that port.


As a cloud security best practice, you have to be aware of all the configuration changes made at the network security group level, including creating and updating security rules. In this case, the activity detected by Trend Micro Cloud One™ – Conformity RTMA could be, for example, a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using Azure CLI, that is triggering one of the following operational events:

"Create Network Security Group Rule" – Creates a new Azure network security group rule. You can create the security rule by using the Azure Portal, Azure Command Line Interface (Azure CLI), Azure PowerShell, or a REST API.

"Update Network Security Group Rule" – Modifies an existing network security group rule. For example, change the configured IP address to allow public access (i.e. '') from the Internet.

To implement the Principle of Least Privilege (POLP) and reduce the attack surface, avoid providing your non-privileged (non-administrator) users the permission to change network security group rules in your Azure cloud account.

The communication channels for sending RTMA notifications can be quickly configured within your Conformity account. The list of supported communication channels that you can use to receive notification alerts for network security group rule changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.


Monitoring your Microsoft Azure cloud account for "Create Network Security Group Rule" and "Update Network Security Group Rule" events is essential for keeping your Azure virtual network and the resources within the network secure. With Trend Micro Cloud One™ – Conformity RTMA monitoring feature you can have complete visibility over your network security group rule changes. This can help you to reduce the time it takes to detect suspicious activity and ultimately prevent any accidental or intentional modifications that may lead to unauthorized access. Beyond prevention, you should be able to maintain the access to your Azure cloud resources secure by taking actions upon detection of any unusual activity at the network security group level and send real-time notifications, extremely useful when, for example, an unauthorized user is modifying a network security group rule to allow unrestricted inbound access to TCP port 22 (SSH), which increases the opportunities for malicious activity such as hacking, Man-In-The-Middle (MITM) and brute-force attacks.


Publication date Feb 16, 2021

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Detect Create or Update Network Security Group Rule Events

Risk level: High