Detect Delete Network Security Group Rule Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Delete Network Security Group Rule" events within your Microsoft Azure cloud account.

You can use network security groups to filter network traffic to and from Azure cloud resources running within your Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, different types of cloud resources. For each rule, you can specify source and destination, port, and protocol. When a "Delete Network Security Group Rule" action is performed, Microsoft removes the specified security rule from the network security group, blocking the access to or from the associated resource, or removing the layer of protection, depending on the rule configuration.


To follow cloud security best practices and meet compliance requirements, you need to be aware of all the configuration changes made at the network security group level, including deletion operations. In this case, the activity detected by the Trend Micro Cloud One™ – Conformity RTMA feature could be a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using Azure CLI, that triggers the "Delete Network Security Group Rule" operational event.

To implement the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Trend Micro Cloud One™ – Conformity recommends that you avoid as much as possible to provide your non-privileged (non-administrator) Azure users the permission to change the network security group rules within your Azure cloud account. The communication channels for sending RTMA notifications can be quickly configured within your Conformity account. The list of supported communication channels that you can use to receive notification alerts for network security group rule changes are SMS, Email, Slack, PagerDuty, Zendesk, and ServiceNow.


Monitoring is an important part of understanding the availability, state, configuration, and usage of your Microsoft Azure network security group rules. With Trend Micro Cloud One™ – Conformity RTMA monitoring feature you can have full visibility over your network security group rule changes. This can help you to reduce the time it takes to detect suspicious activity such as unsolicited delete requests for network security group rules. By using Microsoft Azure network security groups, you can control the traffic to and from cloud resources such as Azure virtual machines (VMs), therefore, monitoring any configuration change performed at the security rule level is fundamental for keeping your cloud applications secure.


Publication date Feb 16, 2021

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Detect Delete Network Security Group Rule Events

Risk level: High