Account should have a configured activity log alert for deleting the SQL Server firewall rule This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project,
feel free to reach out to us! Create an activity log alert for the “Delete SQL Server Firewall Rule.”
By default, no monitoring alerts are created or active.
Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
There will be a substantial increase in log size if there are a large number of administrative actions on a server.
Navigate to Monitor blade. Select Alerts. Click Create. Click on Alert rule. Under the Scope tab, click Select scope. In the Select a resource window,select the appropriate filters:Filter by subscription: < choose the subscription alerts are needed for > Filter by resource type: Server Firewall Rule (servers/firewallRules) Filter by location: All Click on the subscription name or resource group that the Log Alert Rule will be applied to Verify that the selection preview shows:All server firewall rule (servers/firewallrules) or < your selected resource >< Resource Name > - The subscription, group, or resource you selected Click Done. Under the Condition tab, click Add Condition. The Select a signal window may automatically open without clicking. In the Select a signal window, under the “Signal Name” heading, click Delete server firewall rule (Microsoft.Sql/servers/firewallRules) . Under the Actions tab, choose appropriately:Select action groups - If you have an existing action group to notify the necessary personnel Create action group - If you do not have an existing action group or want to create a new one Under the Details tab, fill in:Resource group - Select the resource group you want the alert rule to reside in Alert rule name - Give your alert a recognizable and standardized name Alert rule description - (Optional) Click Review + create then verify the summary details. Click Create. az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "AuthorizationBearer $1" -H "Content-Typeapplication/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'
input.json contains the following request body JSON data:
{
"location" : "Global" ,
"tags" : {},
"properties" : {
"scopes" : [
"/subscriptions/<Subscription_ID>"
],
"enabled" : true ,
"condition" : {
"allOf" : [
{
"containsAny" : null ,
"equals" : "Administrative" ,
"field" : "category"
},
{
"containsAny" : null ,
"equals" : "Microsoft.Sql/servers/firewallRules/write" ,
"field" : "operationName"
}
]
},
"actions" : {
"actionGroups" : [
{
"actionGroupId" : "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>" ,
"webhookProperties" : null
}
]
},
}
}
Copy
https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation 
