Description:
Azure SQL Server Firewall Rules determine which IP addresses or networks are allowed to access SQL databases. Creating or updating these rules can expand access to new networks, expose workloads to the internet, or permit unauthorized inbound connections. Configuring an Activity Log Alert for Create or Update operations on SQL Server Firewall Rules ensures visibility into access control changes and enables timely investigation by security teams.
Rationale:
This rule verifies whether an Activity Log Alert is configured to detect Create or Update SQL Server Firewall Rule operations using the event Microsoft.Sql/servers/firewallRules/write. If no alert exists, the environment is marked NON_COMPLIANT. Monitoring changes to SQL Firewall Rules is critical because unauthorized or accidental modifications can expose sensitive databases to untrusted networks and increase the risk of exploitation.
Impact:
Ensures real-time detection of suspicious or unauthorized SQL firewall changes.
Improves compliance with auditing requirements for access control.
Helps incident responders investigate network access-related anomalies.
Reduces the risk of accidental exposure of SQL databases to untrusted networks.
Default Value:
Azure does not automatically configure Activity Log Alerts for SQL firewall rule write operations. Administrators must manually create monitoring alerts in Azure Monitor.
Pre-Requisites:
Permissions: Microsoft.Insights/activityLogAlerts/write, Microsoft.Sql/servers/firewallRules/read, Microsoft.Resources/subscriptions/resourceGroups/read
Existing Action Group (email, SMS, webhook, Teams, etc.)
Test Plan:
Sign in to the Azure Portal at https://portal.azure.com
Navigate to Monitor
Select Alerts and open Alert rules
Verify an Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Verify the alert scope includes the required subscription
Verify that an Action Group is associated
If the alert does not exist, follow the implementation steps
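The check described in the Rationale and walked through in the Test Plan, written out as an added example (not part of the original rule text): it evaluates a list of Activity Log Alert resources, in the shape the Microsoft.Insights/activityLogAlerts API returns, and returns COMPLIANT only when an enabled alert matches the operation Microsoft.Sql/servers/firewallRules/write, is scoped to the subscription, and has an Action Group attached. The subscription id, alert names and Action Group id below are constructed sample values.

```python
SQL_FW_WRITE_OP = "Microsoft.Sql/servers/firewallRules/write"

def alert_satisfies_rule(alert: dict, subscription_id: str) -> bool:
    """True if this Activity Log Alert detects SQL firewall rule writes for the
    subscription and routes them to at least one Action Group."""
    props = alert.get("properties", {})
    if not props.get("enabled", True):
        return False
    # Azure matches condition values case-insensitively, so compare the same way.
    conds = props.get("condition", {}).get("allOf", [])
    has_signal = any(c.get("field", "").lower() == "operationname"
                     and c.get("equals", "").lower() == SQL_FW_WRITE_OP.lower()
                     for c in conds)
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    in_scope = any(s.lower() == sub_scope for s in props.get("scopes", []))
    has_action = bool(props.get("actions", {}).get("actionGroups"))
    return has_signal and in_scope and has_action

def evaluate(alerts: list, subscription_id: str) -> str:
    """Rule verdict for one subscription: COMPLIANT if any alert satisfies the rule."""
    if any(alert_satisfies_rule(a, subscription_id) for a in alerts):
        return "COMPLIANT"
    return "NON_COMPLIANT"

def make_alert(name, op, sub, action_groups, enabled=True):
    """Build a constructed alert document in the activityLogAlerts resource shape."""
    return {"name": name, "properties": {
        "enabled": enabled,
        "scopes": [f"/subscriptions/{sub}"],
        "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                                {"field": "operationName", "equals": op}]},
        "actions": {"actionGroups": [{"actionGroupId": g} for g in action_groups]}}}

SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription id
AG = (f"/subscriptions/{SUB}/resourceGroups/rg-monitor/providers/"
      "microsoft.insights/actionGroups/secops")  # constructed Action Group id

# Constructed inventory: the first alert watches the wrong operation, the second
# has no Action Group, and the third is what the Implementation Steps produce.
SAMPLE_ALERTS = [
    make_alert("sql-server-write", "Microsoft.Sql/servers/write", SUB, [AG]),
    make_alert("sql-fw-no-action", SQL_FW_WRITE_OP, SUB, []),
    make_alert("sql-fw-rule-write", SQL_FW_WRITE_OP, SUB, [AG]),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ALERTS, SUB))      # COMPLIANT
    print(evaluate(SAMPLE_ALERTS[:2], SUB))  # NON_COMPLIANT
```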
Implementation Steps:
Sign in to the Azure Portal at https://portal.azure.com
Navigate to Monitor
Select Alerts
Click Create and select Alert rule
Set the Scope to the required subscription
Under Condition, click See all signals, search for Create or Update SQL Server Firewall Rule, and select the signal
Associate an existing Action Group or create a new one
Provide an alert rule name and resource group
Click Review + Create
Click Create
Backout Plan:
Sign in to the Azure Portal at https://portal.azure.com
Navigate to Monitor
Select Alerts
Open Alert rules
Locate the Create or Update SQL Server Firewall Rule alert
Delete the alert rule
Confirm the deletion
Reference:
- https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-types
- https://learn.microsoft.com/azure/defender-for-cloud/concept-security-solutions
- https://learn.microsoft.com/azure/security-benchmark/azure-security-benchmark-monitoring-logging
- https://learn.microsoft.com/azure/governance/policy/samples/cis-azure-1-3-0