Description:
Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.
Rationale:
Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
From Azure Console
Using Azure Command Line Interface
Use the command below to create an Activity Log Alert for 'Create or Update or Delete SQL Firewall Rule':
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01" -d@"input.json"'
where 'input.json' contains the request body JSON shown below.
{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Sql/servers/firewallRules/write",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/",
          "webhookProperties": null
        }
      ]
    }
  }
}
Configurable Parameters for command line:
Configurable Parameters for 'input.json':
in scopes
in actionGroupId
in actionGroupId
in actionGroupId
.
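A pre-flight check for 'input.json', as an added example that is not part of the original benchmark text: it rejects a body that is not valid JSON, that still has empty path segments in scopes or actionGroupId, or whose conditions differ from the ones shown above. The subscription GUID, 'example-rg' and 'example-ag' are constructed values, and requiring a subscription-level scope is an assumption.

```python
import json
import re

# Constructed placeholder values; substitute your own subscription and names.
SUB = "00000000-0000-0000-0000-000000000000"
GUID = r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
SCOPE_RE = re.compile(rf"^/subscriptions/{GUID}$")
GROUP_RE = re.compile(rf"^/subscriptions/{GUID}/resourceGroups/[^/]+"
                      r"/providers/microsoft\.insights/actionGroups/[^/]+$", re.I)
REQUIRED = {"category": "Administrative",
            "operationName": "Microsoft.Sql/servers/firewallRules/write"}

def sample_body(sub=SUB, rg="example-rg", group="example-ag"):
    """Build the page's request body with constructed values filled in."""
    return {"location": "Global", "tags": {}, "properties": {
        "scopes": [f"/subscriptions/{sub}"], "enabled": True,
        "condition": {"allOf": [{"field": f, "equals": v}
                                for f, v in REQUIRED.items()]},
        "actions": {"actionGroups": [{"actionGroupId":
            f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/microsoft.insights/actionGroups/{group}"}]}}}

def check_alert_body(text):
    """Return a list of problems found in an activity log alert request body."""
    try:
        body = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(body, dict):
        return ["top level must be a JSON object"]
    props = body.get("properties") or {}
    problems = []
    if props.get("enabled") is not True:
        problems.append("alert is not enabled")
    scopes = props.get("scopes") or []
    if not scopes or not all(SCOPE_RE.match(str(s)) for s in scopes):
        problems.append("scopes must hold a full /subscriptions/<id> path")
    conds = {c.get("field"): c.get("equals")
             for c in (props.get("condition") or {}).get("allOf") or []}
    for field, want in REQUIRED.items():
        if str(conds.get(field)).lower() != want.lower():
            problems.append(f"condition {field} is not {want}")
    groups = (props.get("actions") or {}).get("actionGroups") or []
    if not groups:
        problems.append("no action group: the alert would notify nobody")
    for g in groups:
        if not GROUP_RE.match(str(g.get("actionGroupId") or "")):
            problems.append("actionGroupId has an empty or malformed segment")
    return problems
```

Run `check_alert_body(open("input.json").read())` before the PUT; an empty list means the body matches the template with every placeholder filled in.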