🛡️ Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist🟢

• Contextual name: 🛡️ Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist🟢
• ID: /ce/ca/azure/subscription/activity-log-alert-for-create-or-update-sql-server-firewall-rule
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Subscription
  • 🔌 Azure Activity Log Alert - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Create Alert for 'Create, Update or Delete SQL Server Firewall Rule' Events
• Internal: dec-x-02eed49a

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-02eed49a	1

Description

Open File

Description

Create an activity log alert for the Create or Update SQL Server Firewall Rule event.

Rationale

Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Impact

There will be a substantial increase in log size if there are a large number of administrative actions on a server.

Audit

This policy evaluates Azure Subscriptions for the presence of an Azure Activity Log Alert that captures Create or Update SQL Server Firewall Rule events. A subscription is marked as INCOMPLIANT if it does not have an Activity Log Alert whose Condition JSON filters on the Microsoft.Sql/servers/firewallRules/write operation.

Default Value

By default, no monitoring alerts are created or active.

References

1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Navigate to the Monitor blade.
2. Select Alerts.
3. Select Create.
4. Select Alert rule.
5. Choose a subscription.
6. Select Apply.
7. Select the Condition tab.
8. Click See all signals.
9. Select Create/Update server firewall rule (Server Firewall Rule).
10. Click Apply.
11. Select the Actions tab.
12. Click Select action groups to select an existing action group, or Create action group to create a new action group.
13. Follow the prompts to choose or create an action group.
14. Select the Details tab.
15. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
16. Click Review + create.
17. Click Create.

From Azure CLI

az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write and level=<verbose | information | warning | error | critical> --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription id> --action-group <action group ID>

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 36a change management —information security is addressed as part of the change management process and the information asset inventory is updated;		7	8		no data
💼 APRA CPG 234 → 💼 67b scanning for unauthorised hardware, software and changes to configurations;		7	8		no data
💼 CIS Azure v1.5.0 → 💼 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.0.0 → 💼 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Level 1 (Automated)		1	1		no data
💼 CIS Azure v3.0.0 → 💼 6.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated)			1		no data
💼 CIS Azure v4.0.0 → 💼 7.1.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated)			1		no data
💼 Cloudaware Framework → 💼 Alerting and Notification			27		no data
💼 FedRAMP High Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			14		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		65		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	51		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			14		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence		14	21		no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging		18	34		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3(1) Content of Audit Records _ Additional Audit Information		13	14		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	65		no data