Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule

MEDIUM

Description

Description:

Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.

Rationale:

Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Remediation

From Azure Console

  1. Go to 'Monitor'
  2. Select 'Alerts'
  3. Click on 'New Alert Rule'
  4. Under 'Scope', click 'Select resource'
  5. Select the appropriate subscription under 'Filter by subscription'
  6. Select 'SQL servers' under 'Filter by resource type'
  7. Select 'All' under 'Filter by location'
  8. Click on the subscription from the entries populated under 'Resource'
  9. Verify that 'Selection preview' shows 'SQL servers' and your selected subscription name
  10. Under 'Condition', click 'Add Condition'
  11. Select the 'All Administrative operations' signal
  12. Click 'Done'
  13. Under 'Action group', select 'Add action groups' and complete the creation process, or select an appropriate existing action group
  14. Under 'Alert rule details', enter an 'Alert rule name' and 'description'
  15. Select the appropriate resource group to save the alert to
  16. Check the 'Enable alert rule upon creation' checkbox
  17. Click 'Create alert rule'

Using Azure Command Line Interface

Use the command below to create an Activity Log Alert for 'Create or Update or Delete SQL Firewall Rule' (the token and subscription from 'az account get-access-token' are passed to the curl call as $1 and $0 respectively; replace the angle-bracket placeholders with your values):

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group>/providers/microsoft.insights/activityLogAlerts/<Activity_Log_Alert_Name>?api-version=2017-04-01" -d@"input.json"'

Where 'input.json' contains the Request body JSON data as mentioned below.

{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Sql/servers/firewallRules/write",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group>/providers/microsoft.insights/actionGroups/<Action_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}

Configurable Parameters for command line (placeholders in the request URL):

<Resource_Group> in resourceGroups (the resource group the alert rule is saved to)
<Activity_Log_Alert_Name> in activityLogAlerts (the name of the alert rule)

Configurable Parameters for 'input.json':

<Subscription_ID> in scopes
<Subscription_ID> in actionGroupId
<Resource_Group> in actionGroupId
<Action_Group> in actionGroupId
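As an added example (not the page's or the benchmark's own code), the following Python builds the request body in the shape of 'input.json' from constructed placeholder values and evaluates its 'allOf' condition against two constructed activity log events. It shows that the single 'firewallRules/write' condition covers create and update but not the separate 'Microsoft.Sql/servers/firewallRules/delete' operation, so a second rule is needed to cover deletes. The flattened event shape and the case-insensitive comparison are assumptions of this example.

```python
# Constructed placeholder values (not from the page); substitute your own.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
ACTION_GROUP_ID = (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-secops"
                   "/providers/microsoft.insights/actionGroups/ag-secops")
FIREWALL_WRITE = "Microsoft.Sql/servers/firewallRules/write"    # create or update
FIREWALL_DELETE = "Microsoft.Sql/servers/firewallRules/delete"  # delete

def build_alert_body(subscription_id, action_group_id, operation_name):
    # Same shape as the page's input.json. 'allOf' is a logical AND, so one
    # body can pin only one operationName with 'equals'.
    return {
        "location": "Global",
        "tags": {},
        "properties": {
            "scopes": [f"/subscriptions/{subscription_id}"],
            "enabled": True,
            "condition": {"allOf": [
                {"containsAny": None, "equals": "Administrative", "field": "category"},
                {"containsAny": None, "equals": operation_name, "field": "operationName"},
            ]},
            "actions": {"actionGroups": [
                {"actionGroupId": action_group_id, "webhookProperties": None},
            ]},
        },
    }

def alert_matches(body, event):
    # Evaluate the allOf condition against a flattened activity log event
    # (field -> value): every leaf must match. Case-insensitive comparison
    # is an assumption of this example.
    for leaf in body["properties"]["condition"]["allOf"]:
        value = str(event.get(leaf["field"], "")).lower()
        if leaf.get("equals") is not None and value != leaf["equals"].lower():
            return False
    return True

# Constructed events as the alert rule would see them (fields flattened).
WRITE_EVENT = {"category": "Administrative", "operationName": FIREWALL_WRITE}
DELETE_EVENT = {"category": "Administrative", "operationName": FIREWALL_DELETE}

def coverage(subscription_id=SUBSCRIPTION_ID, action_group_id=ACTION_GROUP_ID):
    # The page's single 'write' rule misses deletes; a second rule pinned to
    # the delete operation closes that gap.
    write_alert = build_alert_body(subscription_id, action_group_id, FIREWALL_WRITE)
    delete_alert = build_alert_body(subscription_id, action_group_id, FIREWALL_DELETE)
    return {"write_alert_on_write": alert_matches(write_alert, WRITE_EVENT),
            "write_alert_on_delete": alert_matches(write_alert, DELETE_EVENT),
            "delete_alert_on_delete": alert_matches(delete_alert, DELETE_EVENT)}
```

Calling coverage() returns write_alert_on_delete as False, which is the gap a second alert rule (with FIREWALL_DELETE as its operationName) closes.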