Description:
This policy ensures that an Activity Log Alert exists for Create or Update SQL Server Firewall Rule events. This will help to detect unauthorized changes to SQL Server firewall rules, which could be used to gain unauthorized access to your Azure SQL Server instances.

Rationale:
SQL Server firewall rules control which IP addresses are allowed to connect to your Azure SQL Server instances. If an unauthorized user is able to create or update a SQL Server firewall rule, they could potentially gain unauthorized access to your Azure SQL Server instances. This could have a significant impact on your organization's security and compliance posture.

Impact:
If an unauthorized user is able to create or update a SQL Server firewall rule and no alert is in place, the change can go unnoticed and they could potentially gain unauthorized access to your Azure SQL Server instances. This could have a significant impact on your organization's security and compliance posture.

Default Value:
Azure does not create an Activity Log Alert for Create or Update SQL Server Firewall Rule events by default.

Pre-requisites:

  • You must have access to the Azure portal.
  • You must have the Azure CLI installed.

Remediation Steps:

  1. In the Azure portal, navigate to the Alerts blade.
  2. Click Create alert rule.
  3. In the Create alert rule dialog box, select Activity log alert.
  4. In the Event types section, select Create or Update SQL Server Firewall Rule.
  5. In the Alert settings section, configure the alert settings as desired.
  6. Click Create.

Test Plan:

  1. Verify that the alert rule is created successfully.
  2. Simulate a Create or Update SQL Server Firewall Rule event.
  3. Verify that the alert is triggered.

Implementation Plan:

  1. Implement the alert rule in all Azure subscriptions that contain SQL Server firewall rules.
  2. Document the process for creating and managing the alert rule.

Azure Console:

  1. In the Azure portal, navigate to the Alerts blade.
  2. Click Create alert rule.
  3. In the Create alert rule dialog box, select Activity log alert.
  4. In the Event types section, select Create or Update SQL Server Firewall Rule.
  5. In the Alert settings section, configure the alert settings as desired.
  6. Click Create.

Azure CLI:

# Activity log alerts notify through an action group, so create one first
# (the e-mail receiver below is the recipient of the alert notifications).
az monitor action-group create \
  --name "SqlFirewallRuleAlertActionGroup" \
  --resource-group "my-resource-group" \
  --short-name "sqlfwrule" \
  --action email "SecurityTeam" "[email protected]"

# Activity log alert on the Create or Update SQL Server Firewall Rule operation
# (operationName Microsoft.Sql/servers/firewallRules/write, category Administrative).
az monitor activity-log alert create \
  --name "CreateOrUpdateSQLServerFirewallRuleAlert" \
  --resource-group "my-resource-group" \
  --scope "/subscriptions/my-subscription-id/resourceGroups/my-resource-group" \
  --condition "category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write" \
  --description "Create or Update SQL Server Firewall Rule Alert" \
  --action-group "SqlFirewallRuleAlertActionGroup"
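To carry out Test Plan step 1 across a whole subscription rather than one rule at a time, the following added Python (not part of this policy document) evaluates the JSON that `az monitor activity-log alert list -o json` returns and reports which rules actually satisfy this policy. The embedded alert list is a constructed sample; a rule counts as compliant only if it is enabled, conditioned on category Administrative plus the firewallRules/write operation, and wired to at least one action group.

```python
import json

REQUIRED_OPERATION = "Microsoft.Sql/servers/firewallRules/write"

# Constructed sample in the shape of `az monitor activity-log alert list -o json`:
# one compliant rule, one disabled rule, and one rule that notifies nobody.
SAMPLE_ALERTS_JSON = """[
 {"name": "sql-fw-rule-write", "enabled": true,
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]},
  "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/<sub-id>/resourceGroups/rg/providers/microsoft.insights/actionGroups/secops"}]}},
 {"name": "sql-fw-rule-disabled", "enabled": false,
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "microsoft.sql/servers/firewallrules/write"}]},
  "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/<sub-id>/resourceGroups/rg/providers/microsoft.insights/actionGroups/secops"}]}},
 {"name": "sql-fw-rule-no-action", "enabled": true,
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]},
  "actions": {"actionGroups": []}}
]"""


def _condition_value(alert, field):
    """Return the 'equals' value of the allOf clause naming `field`, or None."""
    for clause in alert.get("condition", {}).get("allOf", []):
        if clause.get("field", "").lower() == field.lower():
            return clause.get("equals")
    return None


def covers_firewall_rule_writes(alert):
    """True when the rule is enabled, matches category Administrative and the
    firewallRules/write operation (compared case-insensitively, as Azure does),
    and routes to at least one action group so a notification actually goes out."""
    category = (_condition_value(alert, "category") or "").lower()
    operation = (_condition_value(alert, "operationName") or "").lower()
    notifies = bool(alert.get("actions", {}).get("actionGroups"))
    return bool(alert.get("enabled")) and category == "administrative" \
        and operation == REQUIRED_OPERATION.lower() and notifies


def compliant_alert_names(alerts_json):
    """Names of the rules in the az JSON output that satisfy this policy."""
    return [a["name"] for a in json.loads(alerts_json)
            if covers_firewall_rule_writes(a)]


if __name__ == "__main__":
    print(compliant_alert_names(SAMPLE_ALERTS_JSON))  # ['sql-fw-rule-write']
```

Pipe the real output in with `az monitor activity-log alert list -o json` and an empty result list means the subscription is non-compliant with this policy.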

Backout Plan:

  1. Delete the alert rule.

Note:

Tags and Keywords:

  • azure
  • activity log alert
  • sql server firewall rule
  • create
  • update
  • security
  • compliance