Description

Create an activity log alert for the Create or Update SQL Server Firewall Rule event.

Rationale

Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Impact

There will be a substantial increase in log size if there are a large number of administrative actions on a server.

Audit

From Azure Portal

Navigate to the Monitor blade.
Click on Alerts.
In the Alerts window, click on Alert rules.
Ensure an alert rule exists where the Condition column contains Operation name=Microsoft.Sql/servers/firewallRules/write.
Click on the Alert Name associated with the previous step.
Ensure the Condition panel displays the text Whenever the Activity Log has an event with Category='Administrative', Operation name='Create/Update server firewall rule' and does not filter on Level, Status or Caller.
Ensure the Actions panel displays an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

az monitor activity-log alert list --subscription <subscription Id> --query "[].{Name:name,Enabled:enabled,check:condition.allOf,Actions:actions}"

Look for Microsoft.Sql/servers/firewallRules/write in the output.

From PowerShell

Get-AzActivityLogAlert -SubscriptionId <subscription ID>|where-object {$_.ConditionAllOf.Equal -match "Microsoft.Sql/servers/firewallRules/write"}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Policy ID: b954148f-4c11-4c38-8221-be76711e194a - Name: An activity log alert should exist for specific Administrative operations

Default Value

By default, no monitoring alerts are created or active.

Rationale​

Impact​

Audit​

From Azure Portal​

From Azure CLI​

From PowerShell​

From Azure Policy​

Default Value​

References​