Overview of Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors, and suspicious access patterns based on Microsoft Threat Intelligence. It also identifies potential exploitation of your database through compromised identities or malicious insiders. It uses advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. These alerts include steps to mitigate detected threats and prevent future attacks. You can enable protection for all your databases (recommended), or enable Microsoft Defender for Azure Cosmos DB at either the subscription level or the resource level.

Defender for Azure Cosmos DB continually analyzes the telemetry stream generated by the Azure Cosmos DB service. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Defender for Cloud and provide details of the suspicious activity along with relevant investigation steps, remediation actions, and security recommendations.

Importantly, Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data and doesn't affect its performance.

Defender for Cosmos DB is billed as shown on the pricing page.

Protected Azure Cosmos DB APIs:

Supported:
  • Azure Cosmos DB for NoSQL

Not supported:
  • Azure Cosmos DB for Apache Cassandra
  • Azure Cosmos DB for MongoDB
  • Azure Cosmos DB for Table
  • Azure Cosmos DB for Apache Gremlin

For cloud availability, see the Defender for Cloud support matrices for Azure commercial and other clouds.

What are the benefits of Microsoft Defender for Azure Cosmos DB?

Microsoft Defender for Azure Cosmos DB uses advanced threat detection capabilities and Microsoft Threat Intelligence data. Defender for Azure Cosmos DB continuously monitors your Azure Cosmos DB accounts for threats like SQL injection, compromised identities, and data exfiltration.

This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity and guidance on how to mitigate threats. Use this information to quickly remediate security issues and improve the security of your Azure Cosmos DB accounts.

Alerts include details of the incident that triggered them and recommendations on how to investigate and remediate threats. You can export alerts to Microsoft Sentinel or any partner Security Information and Event Management (SIEM) solution or external tool. To learn how to stream alerts, see Stream alerts to a SIEM, SOAR, or IT classic deployment model solution.

Tip

For a comprehensive list of all Defender for Azure Cosmos DB alerts, see the alerts reference page. It is useful for workload owners who want to know which threats can be detected, and it helps SOC teams become familiar with the detections before they investigate them. Learn more about how to manage and respond to security alerts in Microsoft Defender for Cloud.

Alert types

Threat intelligence security alerts are triggered for:

  • Potential SQL injection attacks:
    Because of the structure and capabilities of Azure Cosmos DB queries (no batched statements, no UNION across containers), many known SQL injection techniques don't work in Azure Cosmos DB. However, some SQL injection variants can still succeed, for example when user input is concatenated into a query's WHERE clause, and they might result in data being exfiltrated from your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects both successful and failed attempts and helps you harden your environment to prevent these threats.

  • Anomalous database access patterns:
    For example, access from a Tor exit node, from known suspicious IP addresses, or from unusual applications or locations.

  • Suspicious database activity:
    For example, suspicious key-listing patterns that resemble known malicious lateral movement techniques and data extraction patterns.
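The SQL injection variant the first alert type refers to, shown as an added example that is not code from the Microsoft page: a query built by string concatenation against Azure Cosmos DB for NoSQL lets a tautology through, while the parameterized query spec that the Cosmos DB REST API and the azure-cosmos SDK accept keeps the same input as an inert value. The function names, the attacker string and the `has_tautology` heuristic are this example's own assumptions; no Cosmos DB account is contacted.

```python
"""
Added example (not from the Microsoft page): how a SQL injection reaches an
Azure Cosmos DB for NoSQL query, and the parameterized form that prevents it.
Only the query spec is built here; no connection to Cosmos DB is made.
"""
import re

# Constructed attacker input: closes the string literal, then adds an
# always-true predicate so every item in the container matches.
MALICIOUS_NAME = "nobody' OR 1=1 OR 'x'='"


def build_query_unsafe(name: str) -> str:
    """Vulnerable: user input is concatenated straight into the query text."""
    return f"SELECT * FROM c WHERE c.name = '{name}'"


def build_query_safe(name: str) -> dict:
    """Hardened: the input travels as a named parameter, never as query text.

    This dict is the query-spec shape used by the Cosmos DB REST API; with the
    azure-cosmos SDK the same two pieces are passed as
    container.query_items(query=spec["query"], parameters=spec["parameters"]).
    """
    return {
        "query": "SELECT * FROM c WHERE c.name = @name",
        "parameters": [{"name": "@name", "value": name}],
    }


def has_tautology(query_text: str) -> bool:
    """Crude pre-flight check (an assumed heuristic, not Defender's detection
    logic): flag an OR-ed always-true comparison in the query text."""
    return re.search(r"\bOR\s+1\s*=\s*1\b", query_text, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe:", build_query_unsafe(MALICIOUS_NAME))
    print("safe:  ", build_query_safe(MALICIOUS_NAME))
```

The unsafe string becomes `SELECT * FROM c WHERE c.name = 'nobody' OR 1=1 OR 'x'=''`, which Cosmos DB evaluates as a valid query that returns the whole container. The parameterized spec sends the identical input, quotes and all, as the value of `@name`, so the query text never changes shape regardless of what the caller supplies.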
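The key-listing pattern named in the third alert type, shown as an added detection example that is not Microsoft's code or Defender's actual logic: a small detector run over constructed Azure Activity Log style records that flags an identity reading the keys of several Cosmos DB accounts within a short window. The ARM operation name `Microsoft.DocumentDB/databaseAccounts/listKeys/action` is the real operation logged when account keys are read; the record set, caller names, window and threshold are this example's own assumptions.

```python
"""
Added example (not from the Microsoft page): flag an identity that lists the
keys of many Azure Cosmos DB accounts in a short window, the shape of the
"suspicious key-listing pattern" the alert type describes. Records below are
constructed and carry only a subset of the real Activity Log fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LIST_KEYS_OP = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
ACCOUNT_PREFIX = ("/subscriptions/s1/resourceGroups/rg1/providers/"
                  "Microsoft.DocumentDB/databaseAccounts/")


def _event(caller: str, account: str, ts: str) -> dict:
    return {"caller": caller, "operationName": LIST_KEYS_OP,
            "resourceId": ACCOUNT_PREFIX + account, "eventTimestamp": ts}


# Constructed sample: one benign deployment read, one identity sweeping four
# accounts in four minutes (lateral-movement-like), one identity touching
# three accounts spread over a working day (benign).
SAMPLE_EVENTS = [
    _event("app-deploy@contoso.com", "orders-db", "2024-05-01T10:00:00Z"),
    _event("svc-legacy@contoso.com", "orders-db", "2024-05-02T02:13:00Z"),
    _event("svc-legacy@contoso.com", "billing-db", "2024-05-02T02:14:10Z"),
    _event("svc-legacy@contoso.com", "hr-db", "2024-05-02T02:15:30Z"),
    _event("svc-legacy@contoso.com", "audit-db", "2024-05-02T02:17:05Z"),
    _event("ops-admin@contoso.com", "orders-db", "2024-05-02T09:00:00Z"),
    _event("ops-admin@contoso.com", "billing-db", "2024-05-02T13:30:00Z"),
    _event("ops-admin@contoso.com", "hr-db", "2024-05-02T17:45:00Z"),
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_key_listing_bursts(events, window=timedelta(minutes=10),
                              min_accounts=3) -> dict:
    """Return {caller: [accounts]} for callers that listed the keys of at
    least `min_accounts` distinct accounts inside any `window`-long span."""
    by_caller = defaultdict(list)
    for e in events:
        if e["operationName"] != LIST_KEYS_OP:
            continue  # only key reads are of interest here
        by_caller[e["caller"]].append((parse_ts(e["eventTimestamp"]),
                                       e["resourceId"]))

    findings = {}
    for caller, rows in by_caller.items():
        rows.sort()  # chronological; sliding window starts at each event
        for i, (start, _) in enumerate(rows):
            accounts = {rid for ts, rid in rows[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                findings[caller] = sorted(accounts)
                break
    return findings


if __name__ == "__main__":
    for caller, accounts in detect_key_listing_bursts(SAMPLE_EVENTS).items():
        print(f"{caller} listed keys of {len(accounts)} accounts:")
        for rid in accounts:
            print("  ", rid)
```

The detector is deliberately narrow: it keys on one ARM operation and a burst of distinct accounts per caller, which is the part of the pattern a SOC can reproduce from its own Activity Log export to confirm a Defender alert. Tune the window and threshold to the automation that legitimately rotates or reads keys in your environment before acting on a hit.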

Enable Microsoft Defender for Azure Cosmos DB