🛡️ Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist🟢

• Contextual name: 🛡️ Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist🟢
• ID: /ce/ca/azure/subscription/activity-log-alert-for-create-or-update-sql-server-firewall-rule
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Stats

not available

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Subscription
  • 🔌 Azure Activity Log Alert - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Create Alert for 'Create, Update or Delete SQL Server Firewall Rule' Events
• Internal: dec-x-02eed49a

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-02eed49a	1

Description

Open File

Description

Create an activity log alert for the Create or Update SQL Server Firewall Rule event.

Rationale

Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Impact

There will be a substantial increase in log size if there are a large number of administrative actions on a server.

Audit

This policy flags an Azure Subscription as INCOMPLIANT if it does not have an enabled related Azure Activity Log Alert scoped to the subscription whose Condition JSON filters on the Administrative category and the Microsoft.Sql/servers/firewallRules/write operation.

Default Value

By default, no monitoring alerts are created or active.

References

1. https://azure.microsoft.com/en-us/updates?id=classic-alerting-monitoring-retirement
2. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule
3. https://learn.microsoft.com/en-us/rest/api/monitor/activity-log-alerts/create-or-update

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Navigate to the Monitor blade.
2. Select Alerts.
3. Select Create.
4. Select Alert rule.
5. Choose a subscription.
6. Select Apply.
7. Select the Condition tab.
8. Click See all signals.
9. Select Create/Update server firewall rule (Server Firewall Rule).
10. Click Apply.
11. Select the Actions tab.
12. Click Select action groups to select an existing action group, or Create action group to create a new action group.
13. Follow the prompts to choose or create an action group.
14. Select the Details tab.
15. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
16. Click Review + create.
17. Click Create.

From Azure CLI

az monitor activity-log alert create \
    --resource-group {{resource-group-name}} \
    --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write and level={{verbose | information | warning | error | critical}} \
    --scope /subscriptions/{{subscription-id}} \

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 36a change management —information security is addressed as part of the change management process and the information asset inventory is updated;		8	8		no data
💼 APRA CPG 234 → 💼 67b scanning for unauthorised hardware, software and changes to configurations;		8	8		no data
💼 CIS Azure v1.5.0 → 💼 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.0.0 → 💼 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule - Level 1 (Automated)		1	1		no data
💼 CIS Azure v3.0.0 → 💼 6.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated)			1		no data
💼 CIS Azure v4.0.0 → 💼 7.1.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated)			1		no data
💼 CIS Azure v5.0.0 → 💼 6.1.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated)			1		no data
💼 CIS Azure v6.0.0 → 💼 6.1.2.7 Ensure that Activity Log Alert Exists for Create or Update SQL Server Firewall Rule (Automated)			1		no data
💼 Cloudaware Framework → 💼 Alerting and Notification			42		no data
💼 FedRAMP High Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			15		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		74		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		49	57		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			74		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			15		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			74		no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence		16	22		no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging		20	35		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			105		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			182		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3(1) Content of Audit Records _ Additional Audit Information		15	15		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	48	74		no data