Skip to main content

πŸ“ Azure Subscription Activity Log Alert for Delete SQL Server Firewall Rule does not exist 🟒

  • Contextual name: πŸ“ Activity Log Alert for Delete SQL Server Firewall Rule does not exist 🟒
  • ID: /ce/ca/azure/subscription/activity-log-alert-for-delete-sql-server-firewall-rule
  • Located in: πŸ“ Azure Subscription

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-6fc9c9491

Logic​

Description​

Open File

Description​

Create an activity log alert for the Delete SQL Server Firewall Rule event.

Rationale​

Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity.

Impact​

There will be a substantial increase in log size if there are a large number of administrative actions on a server.

Audit​

This policy evaluates Azure Subscriptions for the presence of an Azure Activity Log Alert that captures Delete SQL Server Firewall Rule events. A subscription is marked asΒ INCOMPLIANTΒ if it does not have an Activity Log Alert whose Condition JSON filters on theΒ Microsoft.Sql/servers/firewallRules/deleteΒ operation.

Default Value​

By default, no monitoring alerts are created or active.

References​

  1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
  2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
  3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Navigate to the Monitor blade.
  2. Select Alerts.
  3. Select Create.
  4. Select Alert rule.
  5. Choose a subscription.
  6. Select Apply.
  7. Select the Condition tab.
  8. Click See all signals.
  9. Select Delete server firewall rule (Server Firewall Rule).
  10. Click Apply.
  11. Select the Actions tab.
  12. Click Select action groups to select an existing action group, or Create action group to create a new action group.
  13. Follow the prompts to choose or create an action group.
  14. Select the Details tab.
  15. Select a Resource group, provide an Alert rule name and an optional Alert rule description.
  16. Click Review + create.
  17. Click Create.

From Azure CLI​

az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/delete and level=<verbose | information | warning | error | critical> --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription id> --action-group <action group ID>

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36a change management β€”information security is addressed as part of the change management process and the information asset inventory is updated;78
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 44b deletion or corruption of both production and backup data, either through malicious intent, user error or system malfunction;67
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67b scanning for unauthorised hardware, software and changes to configurations;78
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule - Level 1 (Automated)11
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 6.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated)1
πŸ’Ό CIS Azure v4.0.0 β†’ πŸ’Ό 7.1.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Alerting and Notification26
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3(1) Additional Audit Information (M)(H)14
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)265
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4851
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3(1) Additional Audit Information (M)(H)14
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.28 Collection of evidence1421
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1834
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events81
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3(1) Content of Audit Records _ Additional Audit Information1314
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44765