'Delete SQL Server Firewall Rule' activity log alert should be configured

Description

To improve the monitoring of network access changes and reduce the time it takes to detect suspicious activity, it is advised to create an activity log alert specifically for the “Delete SQL Server Firewall Rule” event. By enabling this alert, you can gain valuable insights into deletions of SQL Server firewall rules. It is important to note that enabling this alert may result in a significant increase in log size, particularly if there are numerous administrative actions performed on a server. However, the enhanced security monitoring provided by the alert outweighs the potential impact on log size.

Remediation

From the console

  1. Navigate to the Monitor blade.
  2. Select Alerts > Create > Alert rule.
  3. Under Filter by subscription, choose a subscription.
  4. Under Filter by resource type, select Server Firewall Rule (servers/firewallRules).
  5. Under Filter by location, select All.
  6. From the results, select the subscription, then click Done.
  7. Click the Condition tab.
  8. Under Signal name, click Delete Delete server firewall rule (Microsoft.Sql/servers/firewallRules).
  9. Click the Actions tab.
  10. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection.
  11. Click the Details tab.
  12. Select a Resource group, then provide an Alert rule name and an optional Alert rule description.
  13. Click Review + create.
  14. Click Create.
PREVIEWING: mcretzman/DOCS-9337-add-cloud-info-byoti