Detect Delete Security Solution Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Delete Security Solution" events in your Microsoft Azure cloud account.

Microsoft Azure Security Center provides several types of security solutions for your Azure cloud account, from basic web application firewalls to anti-malware and advanced vulnerability assessment solutions. The security solutions provided by Azure Security Center can be partner solutions or customer solutions. The benefits of integrating security solutions with Microsoft Azure Security Center include simplified deployment – Security Center offers streamlined provisioning of partner security solutions, integrated detections – security events from partner solutions are automatically collected, aggregated, and displayed as part of Security Center alerts and incidents, and unified health monitoring and management – which provides basic management and enables you to use integrated health events to easily monitor all partner security solutions.


To follow cloud security best practices and meet compliance requirements, you must be aware of all the configuration changes performed within Azure Security Center. The activity detected by Trend Micro Cloud One™ – Conformity RTMA could be, for example, a user action initiated through Microsoft Azure Portal or an API request initiated programmatically using Azure Command Line Interface (Azure CLI), that triggers the "Delete Security Solution" operational event within your cloud account.

To avoid permitting your non-privileged (non-administrator) users to delete security solutions in your Azure account using Microsoft Azure Security Center, Trend Micro Cloud One™ – Conformity recommends implementing the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks) when you configure user permissions.

The communication channels for sending RTMA notifications can be configured within your Conformity account. The list of supported communication channels that you can use to receive notification alerts for deleting security solutions are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.


Monitoring is an important part of understanding the availability, state, configuration, and usage of the security solutions deployed within your Microsoft Azure cloud account. With Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) feature you can achieve complete visibility over your security solution status changes. Monitoring your Azure cloud account for "Delete Security Solution" operational events (i.e. "Microsoft.Security/securitySolutions/delete" events), can help you to reduce the time it takes to detect unsolicited delete requests for installed security solutions.


Publication date Feb 16, 2021

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Detect Delete Security Solution Events

Risk level: High