Description:
Create an activity log alert for the Create or Update SQL Server Firewall Rule event.
Rationale:
Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
There will be a substantial increase in log size if there are a large number of administrative actions on a server.
From Azure Portal
From Azure CLI
az monitor activity-log alert create --resource-group "<resource group name>" --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write and level=<verbose | information | warning | error | critical> --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription "<subscription ID>" --action-group "<action group ID>" --location global
From PowerShell
Create the 'Conditions' object.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Sql/servers/firewallRules/write -Field operationName
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level
Retrieve the 'Action Group' information and store in a variable, then create the 'Actions' object.
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
Create the 'Scope' object.
$scope = "/subscriptions/<subscription ID>"
Create the 'Activity Log Alert Rule' for 'Microsoft.Sql/servers/firewallRules/write'.
New-AzActivityLogAlert -Name "<activity log alert rule name>" -ResourceGroupName "<resource group name>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription "<subscription ID>" -Enabled $true
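To confirm the rule after creating it, the following added Python example (not part of the original page) checks JSON saved from `az monitor activity-log alert list --output json` for an enabled, subscription-scoped alert on this operation with an action group attached. The field names (`enabled`, `scopes`, `condition.allOf`, `actions.actionGroups`) are assumed from the CLI's output shape, and the helper `rule`, the IDs and the sample alerts are constructed.

```python
import json

OPERATION = "Microsoft.Sql/servers/firewallRules/write"
SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription ID
AG = "/subscriptions/" + SUB + "/resourceGroups/rg-ops/providers/microsoft.insights/actionGroups/secops"

def rule(name, enabled, scope, groups, op=OPERATION):
    """Build one constructed alert in the assumed CLI output shape."""
    return {"name": name, "enabled": enabled, "scopes": [scope],
            "condition": {"allOf": [
                {"field": "category", "equals": "Administrative"},
                {"field": "operationName", "equals": op}]},
            "actions": {"actionGroups": [{"actionGroupId": g} for g in groups]}}

# Constructed sample standing in for saved CLI output; not real tenant data.
SAMPLE = json.dumps([
    rule("sql-fw-rg-only", True, "/subscriptions/" + SUB + "/resourceGroups/rg-data", [AG]),
    rule("sql-fw-disabled", False, "/subscriptions/" + SUB, [AG]),
    rule("sql-fw-no-action", True, "/subscriptions/" + SUB, []),
    rule("sql-fw-ok", True, "/subscriptions/" + SUB, [AG]),
])

def findings(alert, subscription_id):
    """Reasons an alert fails the control; None if it targets another operation."""
    leaves = (alert.get("condition") or {}).get("allOf") or []
    cond = {str(c.get("field", "")).lower(): str(c.get("equals") or "").lower()
            for c in leaves}
    if cond.get("operationname") != OPERATION.lower():
        return None
    problems = []
    if cond.get("category") != "administrative":
        problems.append("category is not Administrative")
    if not alert.get("enabled"):
        problems.append("alert is disabled")
    scopes = [s.lower().rstrip("/") for s in alert.get("scopes") or []]
    if "/subscriptions/" + subscription_id.lower() not in scopes:
        problems.append("subscription is not in scope")
    if not (alert.get("actions") or {}).get("actionGroups"):
        problems.append("no action group attached")
    return problems

def audit(alerts_json, subscription_id):
    """Map alert name -> findings for every alert on the firewall-rule operation."""
    checked = ((a["name"], findings(a, subscription_id)) for a in json.loads(alerts_json))
    return {name: f for name, f in checked if f is not None}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE, SUB).items():
        print(name, "PASS" if not problems else "FAIL: " + "; ".join(problems))
```

The control is met when at least one alert reports no findings; an alert scoped only to a resource group misses firewall rule changes made elsewhere in the subscription.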