Detect Create or Update Security Solution Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Create Security Solution" or "Update Security Solution" events in your Microsoft Azure cloud account.

Security solutions that can be deployed in your Azure cloud account from Microsoft Azure Security Center include Web Application Firewalls (WAFs), anti-malware, and vulnerability assessment solutions. These can be partner solutions or customer solutions that are added to your cloud account through Azure Security Center. Integrating security solutions with Microsoft Azure Security Center provides the following benefits:

Simplified deployment – Security Center offers streamlined provisioning of partner security solutions.

Integrated detections – security events from partner solutions are automatically collected, aggregated, and displayed as part of Azure Security Center alerts and incidents.

Unified health monitoring and management – provides basic management and lets you use integrated health events to monitor all partner security solutions at a glance.

Security

As a cloud security best practice, you have to be aware of all configuration changes performed within Azure Security Center. The activity detected by Trend Micro Cloud One™ – Conformity RTMA could be a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using Azure CLI that triggers either of the security solution operational events listed below:

"Create Security Solution" – Adds a new security solution to Microsoft Azure Security Center.

"Update Security Solution" – Updates the configuration of an existing security solution available in Azure Security Center.

To avoid granting non-privileged Azure users the permission to add or update security solutions within your cloud account through Azure Security Center, Trend Micro Cloud One™ – Conformity strongly recommends that you implement the Principle of Least Privilege (i.e. giving every user, process, and system only the minimal access required to perform its tasks) when you configure user permissions.

The communication channels for RTMA notifications can be quickly configured in your Conformity account. The supported channels for receiving notification alerts when security solutions are added or updated are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

Rationale

Security Center is a unified infrastructure security management system made available by Microsoft Azure. High visibility into Azure Security Center activity is a key aspect of security and operational best practices and helps you maintain a strong security profile for your Azure cloud account. Monitoring your Microsoft Azure account for "Create Security Solution" and "Update Security Solution" events (i.e. "Microsoft.Security/securitySolutions/write" events) therefore gives you valuable insight into the changes made to your Azure security solutions and helps you reduce the time it takes to detect suspicious activity.
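As an added example (not Conformity's own code), the following Python filters Azure Activity Log records for the "Microsoft.Security/securitySolutions/write" operation named above, alerting once per operation on its Succeeded phase only, so the Started record and failed attempts do not produce duplicate or spurious alerts. It assumes records in the JSON shape returned by `az monitor activity-log list`; the sample records, callers and subscription id are constructed.

```python
"""Filter Azure Activity Log records for Security Center security-solution writes.
Added example, not Conformity's own code. Records are assumed in the JSON shape
returned by `az monitor activity-log list`; the sample data below is constructed.
"""
import json
from typing import Dict, List

# "Create Security Solution" and "Update Security Solution" both surface as this
# Azure Resource Manager operation in the Activity Log.
WATCHED_OPERATION = "Microsoft.Security/securitySolutions/write"

# Constructed sample: a Started/Succeeded pair for one write (same correlationId),
# an unrelated read, and a failed write attempt. Subscription id is a placeholder.
_RES = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
        "/providers/Microsoft.Security/locations/westeurope/securitySolutions/waf-demo")
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"operationName": {"value": WATCHED_OPERATION}, "status": {"value": "Started"},
     "caller": "alice@example.com", "eventTimestamp": "2021-02-16T09:00:00Z",
     "resourceId": _RES, "correlationId": "c-1"},
    {"operationName": {"value": WATCHED_OPERATION}, "status": {"value": "Succeeded"},
     "caller": "alice@example.com", "eventTimestamp": "2021-02-16T09:00:04Z",
     "resourceId": _RES, "correlationId": "c-1"},
    {"operationName": {"value": "Microsoft.Security/securitySolutions/read"},
     "status": {"value": "Succeeded"}, "caller": "bob@example.com",
     "eventTimestamp": "2021-02-16T09:10:00Z", "resourceId": _RES, "correlationId": "c-2"},
    {"operationName": {"value": WATCHED_OPERATION.upper()}, "status": {"value": "Failed"},
     "caller": "svc-deploy@example.com", "eventTimestamp": "2021-02-16T09:20:00Z",
     "resourceId": _RES, "correlationId": "c-3"},
])


def security_solution_writes(activity_log_json: str) -> List[Dict[str, str]]:
    """One alert per successful securitySolutions/write, deduplicated on correlationId
    so the Started phase of the same operation and failed attempts do not alert."""
    alerts: Dict[str, Dict[str, str]] = {}
    for rec in json.loads(activity_log_json):
        op = (rec.get("operationName") or {}).get("value", "")
        status = (rec.get("status") or {}).get("value", "")
        # Compare case-insensitively: operation names are not consistently cased.
        if op.lower() != WATCHED_OPERATION.lower() or status != "Succeeded":
            continue
        key = rec.get("correlationId") or rec.get("eventTimestamp", "")
        alerts.setdefault(key, {"caller": rec.get("caller", "unknown"),
                                "time": rec.get("eventTimestamp", ""),
                                "resource": rec.get("resourceId", "")})
    return list(alerts.values())


if __name__ == "__main__":
    for a in security_solution_writes(SAMPLE_ACTIVITY_LOG):
        print(f"{a['time']} securitySolutions/write by {a['caller']} on {a['resource']}")
```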

Publication date Feb 16, 2021
