Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule

MEDIUM

Description

Description:

Create an activity log alert for the Create or Update SQL Server Firewall Rule event.

Rationale:

Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Impact:

There will be a substantial increase in log size if there are a large number of administrative actions on a server.

Remediation

From Azure Portal

  1. Navigate to the Monitor blade.
  2. Select 'Alerts'.
  3. Select 'Create'.
  4. Select 'Alert rule'.
  5. Under 'Filter by subscription', choose a subscription.
  6. Under 'Filter by resource type', select 'Server Firewall Rule (servers/firewallRules)'.
  7. Under 'Filter by location', select 'All'.
  8. From the results, select the subscription.
  9. Select 'Done'.
  10. Select the 'Condition' tab.
  11. Under 'Signal name', click 'Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)'.
  12. Select the 'Actions' tab.
  13. To use an existing action group, click 'Select action groups'. To create a new action group, click 'Create action group'. Fill out the appropriate details for the selection.
  14. Select the 'Details' tab.
  15. Select a 'Resource group', provide an 'Alert rule name' and an optional 'Alert rule description'.
  16. Click 'Review + create'.
  17. Click 'Create'.

From Azure CLI

az monitor activity-log alert create --resource-group "" --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write and level=<verbose | information | warning | error | critical> --scope "/subscriptions/" --name "" --subscription --action-group --location global

From PowerShell

Create the 'Conditions' object.

# All three leaf conditions must match (allOf): the Administrative category, the
# firewall rule write operation, and the event level.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Sql/servers/firewallRules/write -Field operationName
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level

Retrieve the 'Action Group' information and store in a variable, then create the 'Actions' object.

$actionGroup = Get-AzActionGroup -ResourceGroupName -Name
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create the 'Scope' object (the subscription the alert rule applies to).

$scope = "/subscriptions/"

Create the 'Activity Log Alert Rule' for 'Microsoft.Sql/servers/firewallRules/write'.

New-AzActivityLogAlert -Name "" -ResourceGroupName "" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true
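The audit counterpart to the remediation above, as an added example that is not part of the benchmark text: it evaluates the JSON that `az monitor activity-log alert list -o json` returns and reports which enabled, subscription-scoped alert rules match the Administrative category and the firewallRules/write operation and are wired to an action group. The sample input is constructed, and the camelCase property layout (condition.allOf, actions.actionGroups) is assumed to follow the ARM Microsoft.Insights/activityLogAlerts schema.

```python
import json

# Operation named in this recommendation's CLI and PowerShell remediation.
TARGET_OPERATION = "Microsoft.Sql/servers/firewallRules/write"
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed sample in the shape of `az monitor activity-log alert list -o json`
# (camelCase ARM activityLogAlerts properties; an assumption, not captured output).
SAMPLE_ALERTS_JSON = json.dumps([
    {"name": "sql-fw-rule-write", "enabled": True,
     "scopes": ["/subscriptions/" + SUBSCRIPTION_ID],
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": TARGET_OPERATION}]},
     "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/" + SUBSCRIPTION_ID
         + "/resourceGroups/rg-secops/providers/microsoft.insights/actionGroups/secops"}]}},
    {"name": "sql-fw-rule-write-old", "enabled": False,  # disabled rule must not count
     "scopes": ["/subscriptions/" + SUBSCRIPTION_ID],
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": TARGET_OPERATION}]},
     "actions": {"actionGroups": []}},
    {"name": "vm-write-no-actions", "enabled": True,  # different operation, no action group
     "scopes": ["/subscriptions/" + SUBSCRIPTION_ID],
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": "Microsoft.Compute/virtualMachines/write"}]},
     "actions": {"actionGroups": []}},
])


def _leaf_value(condition, field):
    """Lower-cased 'equals' value of the allOf leaf for `field`, or None if absent."""
    for leaf in condition.get("allOf", []):
        if leaf.get("field", "").lower() == field.lower():
            return (leaf.get("equals") or "").lower()
    return None


def alert_covers_operation(alert, subscription_id, operation=TARGET_OPERATION):
    """True if the alert is enabled, scoped to the whole subscription, matches the
    Administrative category and `operation`, and notifies at least one action group."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    cond = alert.get("condition", {})
    return (alert.get("enabled") is True
            and any(s.lower() == sub_scope for s in alert.get("scopes", []))
            and _leaf_value(cond, "category") == "administrative"
            and _leaf_value(cond, "operationName") == operation.lower()
            and len(alert.get("actions", {}).get("actionGroups", [])) > 0)


def compliant_alert_names(alerts_json, subscription_id, operation=TARGET_OPERATION):
    """Names of alert rules satisfying the check; an empty list is an audit finding."""
    return [a["name"] for a in json.loads(alerts_json)
            if alert_covers_operation(a, subscription_id, operation)]
```

Feed it real output with `az monitor activity-log alert list -o json` and the subscription id from the '--scope' value; an empty result means the recommendation is not met.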