The account should have a configured activity log alert for firewall rule creation or update
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0
Description
Create an activity log alert for the Create or Update SQL Server Firewall Rule event.
Default value
By default, no monitoring alerts are created or active.
Rationale
Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
Impact
There will be a substantial increase in log size if there are a large number of administrative actions on a server.
From the console
- Navigate to
Monitor blade. - Select
Alerts. - Click
Create. - Click on
Alert rule. - Under the Scope tab, click
Select scope. - In the
Select a resource window, select the appropriate filters:- Filter by subscription:
< choose the subscription alerts are needed for > - Filter by resource type: Server Firewall Rule (servers/firewallRules)
- Filter by location:
All - Click on the
subscription name or resource group that the Log Alert Rule will be applied to
- Verify that the selection preview shows:
- All server firewall rule (servers/firewallrules) or
< your selected resource > < Resource Name > - The subscription, group, or resource you selected
- Click
Done. - Under the Condition tab, click
Add Condition. The Select a signal window may automatically open without clicking. - In the
Select a signal window, under the “Signal Name” heading, click Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules). - Under the Actions tab, choose appropriately:
- Select action groups - If you have an existing action group to notify the necessary personnel.
- Create action group - If you do not have an existing action group or want to create a new one.
- Under the Details tab, fill in:
- Resource group - Select the resource group you want the alert rule to reside in
- Alert rule name - Give your alert a recognizable and standardized name
- Alert rule description - (Optional)
- Click
Review + create then verify the summary details. - Click
Create.
From the command line
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "AuthorizationBearer $1" -H "Content-Typeapplication/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'
input.json contains the following request body JSON data:
{
"location": "Global",
"tags": {},
"properties": {
"scopes": [
"/subscriptions/<Subscription_ID>"
],
"enabled": true,
"condition": {
"allOf": [
{
"containsAny": null,
"equals": "Administrative",
"field": "category"
},
{
"containsAny": null,
"equals": "Microsoft.Sql/servers/firewallRules/write",
"field": "operationName"
}
]
},
"actions": {
"actionGroups": [
{
"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
"webhookProperties": null
}
]
},
}
}
References
- https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement
- https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
- https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
- https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
- https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
