
Log Analytics query to create an alert for IPs blocked by the firewall in Azure SQL Database.

Syed_Aman

Hi All,

 

I need help writing a query to create an alert to get the IPs blocked by the firewall in Azure SQL Database.

 

4 Replies

@Syed_Aman 

 

I think we need to know more. 

 

Are you trying to see what Firewall deny messages have occurred and to write them into SQL? 

 

What Firewall are you using, as they store the logs in different tables in Log Analytics?

 

Azure Firewall - example 

AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| where msg_s has "Deny"   // only see deny
| parse msg_s with * "from" ipa ":" *  // get just IP address 
| project ipa, msg_s

Cisco - for example 

CommonSecurityLog
| where DeviceVendor == "Cisco"

 

 

 

Thank you @Clive Watson.

 

Let me explain. I have an Azure SQL database (PaaS) in our environment, and I have enabled the diagnostic setting and configured it to send the logs to Log Analytics.

 

I have whitelisted a few IP ranges in the SQL firewall to access the database.

 

I need to write a query in Log Analytics to trigger an alert if any external user tries to access the database and gets blocked by the SQL firewall.

I need to fetch those details by using the Log Analytics query.

 

I had created a sample query to collect 3 consecutive failed connections while accessing the database.

Query:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where ResourceType == "SERVERS/DATABASES"
| where ResourceGroup == "AZRG-OC-TDS-STORAGE"
| distinct LogicalServerName_s, event_time_t, action_name_s, client_ip_s, server_principal_name_s, application_name_s, host_name_s, TimeGenerated
| where action_name_s == "DATABASE AUTHENTICATION FAILED"
| where TimeGenerated > ago(5m)
| summarize logoncount = count() by client_ip_s
| where logoncount > 3

 

 

I need help creating a query to fetch the details of the IPs that got blocked by the SQL firewall in order to trigger an alert.

 

Thanks in Advance :)
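The two pieces of logic in this thread, the `parse msg_s with * "from" ipa ":" *` step from the Azure Firewall query above and the per-IP failed-logon count from the query just posted, as an added Python simulation over constructed records (example code, not from the thread or from Microsoft). The deny message and audit rows are made up, and the field names only mirror the AzureDiagnostics columns used in the posted queries.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data (not taken from any real workspace).
# Shape of an Azure Firewall application-rule deny message, as parsed above.
FIREWALL_DENY_MSG = ("HTTPS request from 10.0.0.4:52948 to www.example.com:443. "
                     "Action: Deny. No rule matched. Proceeding with default action")

# Constructed SQL audit rows: (TimeGenerated, action_name_s, client_ip_s).
NOW = datetime(2019, 4, 10, 10, 5, 0, tzinfo=timezone.utc)
SQL_AUDIT_EVENTS = [
    (NOW - timedelta(seconds=30),  "DATABASE AUTHENTICATION FAILED", "203.0.113.7"),
    (NOW - timedelta(seconds=60),  "DATABASE AUTHENTICATION FAILED", "203.0.113.7"),
    (NOW - timedelta(seconds=90),  "DATABASE AUTHENTICATION FAILED", "203.0.113.7"),
    (NOW - timedelta(seconds=120), "DATABASE AUTHENTICATION FAILED", "203.0.113.7"),
    (NOW - timedelta(seconds=45),  "DATABASE AUTHENTICATION FAILED", "198.51.100.9"),
    (NOW - timedelta(minutes=20),  "DATABASE AUTHENTICATION FAILED", "198.51.100.9"),
    (NOW - timedelta(seconds=10),  "DATABASE AUTHENTICATION SUCCEEDED", "203.0.113.7"),
]


def parse_deny_source_ip(msg_s):
    """Python equivalent of `parse msg_s with * "from" ipa ":" *`:
    the text after the first "from" up to the next ":" is the source IP
    (the client port follows the colon). Returns None when no match."""
    m = re.search(r"from(.*?):", msg_s)
    return m.group(1).strip() if m else None


def failed_logons_by_ip(events, now, window=timedelta(minutes=5), threshold=3):
    """Equivalent of the `where ... | summarize ... | where logoncount > 3` tail:
    count DATABASE AUTHENTICATION FAILED rows per client_ip_s inside the look-back
    window and keep IPs whose count is strictly greater than `threshold`.
    Note that `> 3` fires on the fourth failure, not the third."""
    counts = Counter(
        ip for ts, action, ip in events
        if action == "DATABASE AUTHENTICATION FAILED" and ts > now - window
    )
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print(parse_deny_source_ip(FIREWALL_DENY_MSG))
    print(failed_logons_by_ip(SQL_AUDIT_EVENTS, NOW))
```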

Solution

@Syed_Aman 

 

Ah! I think you need https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure 
"You can use SQL Database Auditing to audit server-level and database-level firewall changes."

 

It also might be worth looking in the AzureActivity log. Sorry, I don't have any DBs configured with Auditing or DB-level firewalls. If you get an example record we can help you parse for the IP address if needed.


@Clive Watson 

 

Adding to what Clive has suggested, the following article gives a little more detail on what to "query" for with regards to the "Denied Access".

 

https://www.sqlservercentral.com/articles/10-steps-to-securing-your-sql-server

 

This is a snippet from the article:

I also like to turn on auditing of any type of permission denied error, like #229. If you find all the items you'd like to audit, you can write a script to update the sysmessages table (which holds all the SQL Server errors) to turn on logging as shown below:

-- Error Message #229: %ls permission denied on object '%.*ls', database '%.*ls', owner '%.*ls'.
UPDATE sysmessages SET dlevel = (dlevel | 0x80) WHERE error = 229

 
