• Yes, we know the root cause of how they got into the server: our networking engineer made some network port changes in the ipconfig table so that the SQL Server is open to all inbound and outbound via the NAT server on port 1433.

    We already restored the databases before the point of intrusion.

    I have disabled the sa account for now.

    I would like to know the best practices to implement in SQL Server to avoid these kinds of situations and to get alerted ahead of time. Please list some suggestions.