Create an activity log alert for the "Delete SQL Server Firewall Rule."


Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity.


There will be a substantial increase in log size if there are a large number of administrative actions on a server.


From Azure Portal

1. Navigate to the Monitor blade

2. Click on Alerts

3. In the Alerts window, click on Alert rules

4. Hover mouse over the values in the Condition column to find an alert where

Operation name=Microsoft.Sql/servers/firewallRules/delete

5. Click on the Alert Name associated with the previous step

6. Click on the Condition name of Whenever the Activity Log has an event with

Category='Administrative', Signal name='Delete server firewall rule


7. In the Configure signal logic window, ensure the following is configured:

o Event level: All selected

o Status: All selected

o Event initiated by: * (All services and users)

8. Click Done

9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

az monitor activity-log alert list --subscription <subscription Id> --query


Look for Microsoft.Sql/servers/firewallRules/delete in the output

From PowerShell

Get-AzActivityLogAlert -SubscriptionId <subscription ID>|where-object

{$_.ConditionAllOf.Equal -match




From Azure Portal

1. Navigate to the Monitor blade.

2. Select Alerts.

3. Select Create.

4. Select Alert rule.

5. Under Filter by subscription, choose a subscription.

6. Under Filter by resource type, select Server Firewall Rule (servers/firewallRules).

7. Under Filter by location, select All.

8. From the results, select the subscription.

9. Select Done.

10.Select the Condition tab.

11.Under Signal name, click Delete server firewall rule (Microsoft.Sql/servers/firewallRules).

12.Select the Actions tab.

13.To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection.

14.Select the Details tab.

15.Select a Resource group, provide an Alert rule name and an optional Alert

rule description.

16.Click Review + create.

17.Click Create.

From Azure CLI

az monitor activity-log alert create --resource-group "<resource group name>"

--condition category=Administrative and

operationName=Microsoft.Sql/servers/firewallRules/delete and level=<verbose |

information | warning | error | critical>--scope

"/subscriptions/<subscription ID>" --name "<activity log rule name>" --

subscription <subscription id> --action-group <action group ID> --location global

From PowerShell

Create the Conditions object.

$conditions = @()

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -

Equal Administrative -Field category

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -

Equal Microsoft.Sql/servers/firewallRules/delete -Field operationName

$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -

Equal Verbose -Field level

Retrieve the Action Group information and store in a variable, then create the Actions object.

$actionGroup = Get-AzActionGroup -ResourceGroupName <resource group name> -

Name <action group name>

$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create the Scope object

$scope = "/subscriptions/<subscription ID>"

Create the Activity Log Alert Rule for


New-AzActivityLogAlert -Name "<activity log alert rule name>" -

ResourceGroupName "<resource group name>" -Condition $conditions -Scope

$scope -Location global -Action $actionObject -Subscription <subscription ID>-Enabled $true

Default Value:

By default, no monitoring alerts are created or active.






5. logging-threat-detection#lt-3-enable-logging-for-security-investigation