Detect Delete Network Security Group Rule Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Delete Network Security Group Rule" events within your Microsoft Azure cloud account.

You can use network security groups to filter network traffic to and from Azure cloud resources running within your Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, different types of cloud resources. For each rule, you can specify source and destination, port, and protocol. When a "Delete Network Security Group Rule" action is performed, Microsoft removes the specified security rule from the network security group, which either blocks access to or from the associated resource or removes a layer of protection, depending on the rule's configuration.

Security

To follow cloud security best practices and meet compliance requirements, you need to be aware of all the configuration changes made at the network security group level, including deletion operations. In this case, the activity detected by the Trend Micro Cloud One™ – Conformity RTMA feature could be a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using the Azure CLI, which triggers the "Delete Network Security Group Rule" operational event.

To implement the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Trend Micro Cloud One™ – Conformity recommends that you avoid, as far as possible, granting your non-privileged (non-administrator) Azure users permission to change the network security group rules within your Azure cloud account. The communication channels for sending RTMA notifications can be quickly configured within your Conformity account. The supported communication channels for receiving notification alerts about network security group rule changes are SMS, Email, Slack, PagerDuty, Zendesk, and ServiceNow.
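As an added example (not Conformity's own code, nor code from this page), the detection described in this section run over constructed Azure Activity Log records: it keeps only successful `Microsoft.Network/networkSecurityGroups/securityRules/delete` events, extracts who deleted which rule from which network security group, and flags callers outside an approved list, in line with the least-privilege advice above. The record shape (`operationName.value`, `status.value`, `caller`, `resourceId`) follows the Activity Log event schema; the subscription id, names and callers are placeholders.

```python
import re

# Azure resource-provider operation emitted when an NSG security rule is deleted.
NSG_RULE_DELETE_OP = "microsoft.network/networksecuritygroups/securityrules/delete"

# Pulls resource group, NSG name and rule name out of the event's resourceId.
RULE_ID_RE = re.compile(
    r"/resourceGroups/(?P<rg>[^/]+)/providers/Microsoft\.Network"
    r"/networkSecurityGroups/(?P<nsg>[^/]+)/securityRules/(?P<rule>[^/]+)$",
    re.IGNORECASE)

def find_rule_deletions(records, approved_callers=frozenset()):
    """Return one alert per *successful* security-rule deletion.

    approved_callers: principals expected to manage NSG rules (e.g. a deployment
    service principal); any other caller is flagged, per least privilege.
    """
    alerts = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        # Azure logs Started/Succeeded/Failed entries; only Succeeded means the rule is gone.
        if op != NSG_RULE_DELETE_OP or rec.get("status", {}).get("value") != "Succeeded":
            continue
        m = RULE_ID_RE.search(rec.get("resourceId", ""))
        if not m:
            continue  # unexpected resourceId shape; skip rather than guess
        caller = rec.get("caller", "unknown")
        alerts.append({"time": rec.get("eventTimestamp"), "caller": caller,
                       "resource_group": m["rg"], "nsg": m["nsg"], "rule": m["rule"],
                       "unexpected_caller": caller not in approved_callers})
    return alerts

# Constructed sample Activity Log records (placeholder subscription id and names).
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"
_RULES = _RG + "/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/"
SAMPLE_LOG = [
    {"eventTimestamp": "2021-02-16T10:01:00Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"},
     "status": {"value": "Started"}, "resourceId": _RULES + "deny-rdp-inbound"},
    {"eventTimestamp": "2021-02-16T10:01:03Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"},
     "status": {"value": "Succeeded"}, "resourceId": _RULES + "deny-rdp-inbound"},
    {"eventTimestamp": "2021-02-16T10:05:00Z", "caller": "deploy-sp@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Succeeded"}, "resourceId": _RULES + "allow-https-inbound"},
]

if __name__ == "__main__":
    for alert in find_rule_deletions(SAMPLE_LOG, approved_callers={"deploy-sp@example.com"}):
        print(alert)
```

The Started entry is ignored and the rule write by the deployment principal is not a deletion, so one alert is produced, attributed to a caller outside the approved list.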

Rationale

Monitoring is an important part of understanding the availability, state, configuration, and usage of your Microsoft Azure network security group rules. With the Trend Micro Cloud One™ – Conformity RTMA monitoring feature, you have full visibility over your network security group rule changes. This helps you reduce the time it takes to detect suspicious activity such as unsolicited delete requests for network security group rules. Because Microsoft Azure network security groups control the traffic to and from cloud resources such as Azure virtual machines (VMs), monitoring every configuration change performed at the security rule level is fundamental to keeping your cloud applications secure.

Publication date Feb 16, 2021
