Detect Delete Security Solution Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Delete Security Solution" events in your Microsoft Azure cloud account.

Microsoft Azure Security Center provides several types of security solutions for your Azure cloud account, from basic web application firewalls to anti-malware and advanced vulnerability assessment solutions. These can be partner solutions or solutions you deploy yourself. Integrating them with Security Center gives you three things: simplified deployment (Security Center offers streamlined provisioning of partner security solutions), integrated detections (security events from partner solutions are automatically collected, aggregated, and displayed as part of Security Center alerts and incidents), and unified health monitoring and management (basic management plus integrated health events, so you can monitor every partner security solution from one place). Deleting a security solution removes that integration, so the detections and health signals it was feeding into Security Center stop without any further warning.

Security

To follow cloud security best practices and meet compliance requirements, you must be aware of every configuration change made within Azure Security Center. The activity detected by Trend Micro Cloud One™ – Conformity RTMA could be, for example, a user action taken in the Microsoft Azure Portal or an API request made programmatically through the Azure Command Line Interface (Azure CLI); either one is recorded as a "Delete Security Solution" operational event in your cloud account, regardless of which client issued it.

To prevent non-privileged (non-administrator) users from deleting security solutions in your Azure account through Microsoft Azure Security Center, Trend Micro Cloud One™ – Conformity recommends applying the Principle of Least Privilege (i.e. granting every user, process, and system only the minimal access required to perform its tasks) when you configure user permissions. In Azure that means reviewing which RBAC role assignments carry the "Microsoft.Security/securitySolutions/delete" action, either directly or through a wildcard such as "*" or "Microsoft.Security/*", and removing it from roles that do not need it.
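One way to carry out that review, as an added example for this page (not Conformity's or Microsoft's code): evaluate each role definition with the documented Azure RBAC rule that an operation is permitted when it matches an entry in Actions and no entry in NotActions, with "*" as a wildcard and case-insensitive comparison. The role definitions below are constructed for the example and only loosely modelled on built-in roles; the function names are the example's own.

```python
"""Audit Azure RBAC role definitions for the ability to delete
Security Center security solutions.

Added example, not Conformity's or Microsoft's code. Implements the
Azure RBAC evaluation rule: an action is granted by a role when it
matches an Actions entry and no NotActions entry; '*' is a wildcard and
matching is case-insensitive. SAMPLE_ROLES is constructed, not a copy
of the built-in role definitions.
"""
import fnmatch
from typing import Dict, List

DELETE_SOLUTION_ACTION = "Microsoft.Security/securitySolutions/delete"

# Constructed role definitions, in the shape returned by
# `az role definition list`, reduced to the fields used here.
SAMPLE_ROLES: List[Dict] = [
    {"roleName": "Owner",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Security Admin (sample)",
     "permissions": [{"actions": ["Microsoft.Security/*",
                                  "Microsoft.Authorization/*/read"],
                      "notActions": []}]},
    {"roleName": "Security Solution Operator (custom, no delete)",
     "permissions": [{"actions": ["Microsoft.Security/securitySolutions/*"],
                      "notActions": [DELETE_SOLUTION_ACTION]}]},
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' spans any characters, including '/',
    and the comparison ignores case. Action names never contain the other
    fnmatch metacharacters ('?', '['), so shell-style matching is safe."""
    return fnmatch.fnmatchcase(action.casefold(), pattern.casefold())


def role_allows(role: Dict, action: str) -> bool:
    """True if some permission block grants `action`: an Actions entry hits
    and no NotActions entry in the same block subtracts it again."""
    for perm in role.get("permissions", []):
        granted = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if granted and not denied:
            return True
    return False


def roles_allowing(roles: List[Dict],
                   action: str = DELETE_SOLUTION_ACTION) -> List[str]:
    """Names of the roles whose effective permissions include `action`."""
    return [r["roleName"] for r in roles if role_allows(r, action)]


if __name__ == "__main__":
    # Roles that still need an assignment review for this rule.
    for name in roles_allowing(SAMPLE_ROLES):
        print(f"can delete security solutions: {name}")
```

Two caveats when using this on real output: a principal holding several roles gets the union of their Actions, so a NotActions entry in one role does not block an action another assigned role grants, and Azure deny assignments (a separate mechanism) are not modelled here.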

The communication channels for RTMA notifications are configured within your Conformity account. The supported channels for receiving alerts about deleted security solutions are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

Rationale

Monitoring is an important part of understanding the availability, state, configuration, and usage of the security solutions deployed within your Microsoft Azure cloud account. With the Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) feature you gain visibility into security solution status changes as they happen. Monitoring your Azure cloud account for "Delete Security Solution" operational events (i.e. "Microsoft.Security/securitySolutions/delete" events) reduces the time it takes to detect unsolicited delete requests against installed security solutions. Note that one delete operation can produce more than one record in the account's activity log (a "Started" record followed by "Succeeded" or "Failed"), so alert on the outcome rather than on every record, and treat a failed delete from an unexpected principal as worth a look too.
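The detection described above, written out as an added example for this page rather than Conformity's RTMA engine: it reads the JSON array that `az monitor activity-log list` returns, matches the "Microsoft.Security/securitySolutions/delete" operation name, skips the "Started" record so each operation is reported once, and flags callers outside an expected set. The activity log records are constructed for the example and trimmed to the fields used; the subscription ID, principals and function names are the example's own.

```python
"""Detect "Delete Security Solution" events in an Azure Activity Log export.

Added example, not Conformity's RTMA engine. Input is the JSON array
produced by `az monitor activity-log list`; SAMPLE_ACTIVITY_LOG below is
constructed and trimmed to the fields used here.
"""
import json
from typing import Dict, Iterable, List, Set

DELETE_SOLUTION_OP = "Microsoft.Security/securitySolutions/delete"

# Constructed subscription and resource paths.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_SOL = _SUB + "/resourceGroups/sec-rg/providers/Microsoft.Security/locations/westeurope/securitySolutions/"

# Constructed sample: one delete that ran Started -> Succeeded, one unrelated
# write, and one delete that Azure refused (Failed). The last record uses the
# upper-cased operation name seen in some exports.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"eventTimestamp": "2021-02-16T09:14:01.9Z", "caller": "alice@example.com",
     "operationName": {"value": DELETE_SOLUTION_OP}, "status": {"value": "Started"},
     "category": {"value": "Administrative"}, "resourceId": _SOL + "waf-solution"},
    {"eventTimestamp": "2021-02-16T09:14:02.1Z", "caller": "alice@example.com",
     "operationName": {"value": DELETE_SOLUTION_OP}, "status": {"value": "Succeeded"},
     "category": {"value": "Administrative"}, "resourceId": _SOL + "waf-solution"},
    {"eventTimestamp": "2021-02-16T10:02:40.0Z", "caller": "deploy-sp",
     "operationName": {"value": "Microsoft.Security/securitySolutions/write"},
     "status": {"value": "Succeeded"},
     "category": {"value": "Administrative"}, "resourceId": _SOL + "av-solution"},
    {"eventTimestamp": "2021-02-16T11:30:05.5Z", "caller": "bob@example.com",
     "operationName": {"value": "MICROSOFT.SECURITY/SECURITYSOLUTIONS/DELETE"},
     "status": {"value": "Failed"},
     "category": {"value": "Administrative"}, "resourceId": _SOL + "av-solution"},
])


def find_solution_deletes(activity_log_json: str,
                          expected_callers: Iterable[str] = (),
                          op: str = DELETE_SOLUTION_OP) -> List[Dict]:
    """Return one finding per completed delete (status Succeeded or Failed).

    'Started' records are skipped so an operation is not reported twice.
    Operation names are compared case-insensitively because some exports
    (e.g. the Log Analytics AzureActivity table) upper-case them.
    """
    expected: Set[str] = {c.casefold() for c in expected_callers}
    findings: List[Dict] = []
    for rec in json.loads(activity_log_json):
        op_name = rec.get("operationName", {}).get("value", "")
        status = rec.get("status", {}).get("value", "")
        if op_name.casefold() != op.casefold() or status not in ("Succeeded", "Failed"):
            continue
        caller = rec.get("caller", "")
        findings.append({
            "time": rec.get("eventTimestamp"),
            "caller": caller,
            # The last path segment of the resource ID is the solution name.
            "solution": rec.get("resourceId", "").rsplit("/", 1)[-1],
            "outcome": status,
            "unexpected_caller": caller.casefold() not in expected,
        })
    return findings


if __name__ == "__main__":
    for f in find_solution_deletes(SAMPLE_ACTIVITY_LOG, expected_callers={"deploy-sp"}):
        flag = "UNEXPECTED" if f["unexpected_caller"] else "expected"
        print(f'{f["time"]} {f["outcome"]:9} {f["solution"]:14} by {f["caller"]} ({flag})')
```

In practice the export would come from `az monitor activity-log list --offset 1d` (or from the AzureActivity table in Log Analytics, with the field names adjusted), and the expected-caller set would hold the service principal of the pipeline that legitimately manages solutions, so that human-initiated or unknown deletes stand out.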

Publication date Feb 16, 2021
