Description

Create an activity log alert for the Delete SQL Server Firewall Rule event.

Rationale

Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity.

Impact

There will be a substantial increase in log size if there are a large number of administrative actions on a server.

Audit

This policy evaluates Azure Subscriptions for the presence of an Azure Activity Log Alert that captures Delete SQL Server Firewall Rule events. A subscription is marked as INCOMPLIANT if it does not have an Activity Log Alert whose Condition JSON filters on the Microsoft.Sql/servers/firewallRules/delete operation.

Default Value

By default, no monitoring alerts are created or active.

References

https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation

Rationale​

Impact​

Audit​

Default Value​

References​

Rationale

Impact

Audit

Default Value

References