Advanced Threat Protection for Azure Cosmos DB (Preview)

APPLIES TO: SQL API

Advanced Threat Protection for Azure Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts. This layer of protection allows you to address threats, even without being a security expert, and integrate them with central security monitoring systems.

Security alerts are triggered when anomalies in activity occur. These security alerts are integrated with Azure Security Center, and are also sent via email to subscription administrators, with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

Note

  • Advanced Threat Protection for Azure Cosmos DB is currently available only for the SQL API.
  • Advanced Threat Protection for Azure Cosmos DB is currently not available in Azure government and sovereign cloud regions.

For a full investigation experience of the security alerts, we recommend enabling diagnostic logging in Azure Cosmos DB, which logs operations on the database itself, including CRUD operations on all documents, containers, and databases.

Threat types

Advanced Threat Protection for Azure Cosmos DB detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. It can currently trigger the following alerts:

  • Access from unusual locations: This alert is triggered when there is a change in the access pattern to an Azure Cosmos DB account, where someone has connected to the Azure Cosmos DB endpoint from an unusual geographical location. In some cases, the alert detects a legitimate action, such as a new application or a developer's maintenance operation. In other cases, the alert detects a malicious action from a former employee, an external attacker, etc.

  • Unusual data extraction: This alert is triggered when a client is extracting an unusual amount of data from an Azure Cosmos DB account. This can be a symptom of data exfiltration, in which the data stored in the account is copied to an external data store.
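To make the two alert types concrete, the following is an added example (not Microsoft's code, and not how the service itself is implemented) of a baseline-versus-window detector run over constructed request records. The record fields, the identity names, the IP addresses, the regions and the thresholds are all assumptions; the real service's detection models are not published. The idea is the one the alerts describe: learn where each principal normally connects from and how much it normally reads per hour, then flag a new geography or a read volume far outside that history.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Field names are assumptions modelled loosely on data-plane request logs;
# every record below is constructed for the example.
@dataclass(frozen=True)
class Request:
    ts: int              # seconds since an arbitrary epoch (constructed)
    principal: str       # identity or key that issued the call
    client_ip: str
    region: str          # geolocation of client_ip, assumed pre-resolved
    operation: str       # "Query", "Read", "Create", ...
    response_bytes: int  # payload returned to the client

READ_OPS = {"Read", "Query", "ReadFeed"}
BUCKET_SECS = 3600      # compare hourly read volumes
K_SIGMA = 3.0           # alert when volume exceeds mean + K_SIGMA * stdev
SIGMA_FLOOR = 0.10      # never let the tolerance shrink below 10% of the mean
MIN_BUCKETS = 6         # history needed before trusting a per-principal baseline


def make_baseline():
    """24 hours of steady, legitimate traffic from one application (constructed)."""
    recs = []
    for hour in range(24):
        base = hour * BUCKET_SECS
        for i in range(10):  # ten ~5 KB queries per hour with deterministic jitter
            jitter = (hour * 37 + i * 11) % 400
            recs.append(Request(base + i * 300, "app-prod", "203.0.113.10",
                                "westeurope", "Query", 5000 + jitter))
        recs.append(Request(base + 1800, "app-prod", "203.0.113.10",
                            "westeurope", "Create", 0))
    return recs


def make_window(with_anomaly):
    """The hour under evaluation (constructed). The anomalous record is one
    large query from a geography this principal has never used before."""
    base = 24 * BUCKET_SECS
    recs = [Request(base + i * 300, "app-prod", "203.0.113.10",
                    "westeurope", "Query", 5100) for i in range(10)]
    if with_anomaly:
        recs.append(Request(base + 3000, "app-prod", "198.51.100.7",
                            "southeastasia", "Query", 4_000_000))
    return recs


def unusual_location_alerts(baseline, window):
    """Alert once per (principal, region) pair that never appeared in the baseline."""
    seen = defaultdict(set)
    for r in baseline:
        seen[r.principal].add(r.region)
    alerts, reported = [], set()
    for r in window:
        key = (r.principal, r.region)
        if r.region not in seen[r.principal] and key not in reported:
            reported.add(key)
            alerts.append({"type": "unusual_location", "principal": r.principal,
                           "region": r.region, "client_ip": r.client_ip, "ts": r.ts})
    return alerts


def _hourly_read_volumes(records):
    """bytes returned by read operations, per principal, per hourly bucket"""
    per_principal = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.operation in READ_OPS:
            per_principal[r.principal][r.ts // BUCKET_SECS] += r.response_bytes
    return per_principal


def unusual_extraction_alerts(baseline, window):
    """Alert when a principal's hourly read volume is far above its own history
    (or the pooled history of all principals if it has too little of its own)."""
    history = _hourly_read_volumes(baseline)
    pooled = [v for buckets in history.values() for v in buckets.values()]
    alerts = []
    for principal, buckets in _hourly_read_volumes(window).items():
        own = list(history[principal].values())
        sample = own if len(own) >= MIN_BUCKETS else pooled
        if not sample:
            continue  # nothing to compare against yet; a real system keeps learning
        mu, sigma = mean(sample), pstdev(sample)
        threshold = mu + K_SIGMA * max(sigma, SIGMA_FLOOR * mu)
        for bucket, total in buckets.items():
            if total > threshold:
                alerts.append({"type": "unusual_extraction", "principal": principal,
                               "bucket": bucket, "bytes": total,
                               "threshold": round(threshold)})
    return alerts


def detect(baseline, window):
    return (unusual_location_alerts(baseline, window)
            + unusual_extraction_alerts(baseline, window))


if __name__ == "__main__":
    for alert in detect(make_baseline(), make_window(with_anomaly=True)):
        print(alert)
```

The clean window produces no alerts; the window with the large query from a new region produces one alert of each type. The floor on the standard deviation matters in practice: a principal with very regular traffic would otherwise get a near-zero tolerance and page on every small fluctuation, while the pooled fallback keeps a brand-new key from being exempt simply because it has no history.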

Configure Advanced Threat Protection

You can configure Advanced Threat Protection in any of several ways, described in the following sections. The steps below use the Azure portal.

  1. Launch the Azure portal at https://portal.azure.com.

  2. From the Azure Cosmos DB account, from the Settings menu, select Advanced security.

    Set up ATP

  3. In the Advanced security configuration blade:

    • Click the Advanced Threat Protection option to set it to ON.
    • Click Save to save the new or updated Advanced Threat Protection policy.