Microsoft Defender for Cosmos DB (Preview)

APPLIES TO: SQL API

Microsoft Defender for Cosmos DB provides an extra layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts. This layer of protection allows you to address threats, even without being a security expert, and integrate them with central security monitoring systems.

Security alerts are triggered when anomalies in activity occur. These security alerts show up in Microsoft Defender for Cloud. Subscription administrators also get these alerts over email, with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

Note

  • Microsoft Defender for Cosmos DB is currently available only for the Core (SQL) API.
  • Microsoft Defender for Cosmos DB is not currently available in Azure government and sovereign cloud regions.

For a full investigation experience of the security alerts, we recommend enabling diagnostic logging in Azure Cosmos DB, which logs operations on the database itself, including CRUD operations on all documents, containers, and databases.

Threat types

Microsoft Defender for Cosmos DB detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. It can currently trigger the following alerts:

  • Access from unusual locations: This alert is triggered when there is a change in the access pattern to an Azure Cosmos DB account, where someone has connected to the Azure Cosmos DB endpoint from an unusual geographical location. In some cases, the alert detects a legitimate action, such as a new application or a developer's maintenance operation. In other cases, the alert detects a malicious action from a former employee, an external attacker, etc.

  • Unusual data extraction: This alert is triggered when a client is extracting an unusual amount of data from an Azure Cosmos DB account. It can be a symptom of data exfiltration, where all the data stored in the account is being copied to an external data store.

Configure Microsoft Defender for Cosmos DB

You can configure Microsoft Defender protection in any of several ways, described in the following sections.

  1. Launch the Azure portal at https://portal.azure.com.

  2. From the Azure Cosmos DB account, from the Settings menu, select Microsoft Defender for Cloud.

    Set up Azure Defender for Cosmos DB

  3. In the Microsoft Defender for Cloud configuration blade:

    • Change the option from OFF to ON.
    • Click Save.
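The portal steps above switch the setting on one account at a time. The following Bicep template is an added example (not code from this page or from the Azure Cosmos DB team) that performs the same change as infrastructure-as-code, and also turns on the diagnostic logging recommended earlier so that the data-plane requests behind an alert can be investigated. It assumes the account already exists, that a Log Analytics workspace resource ID is supplied as a parameter, and that the listed API versions and log categories are the ones available in your subscription; the resource names `current` and `cosmos-audit` are choices made here, not values from the page.

```bicep
// Added example: enable Microsoft Defender for Cosmos DB on an existing
// account and send its operation logs to Log Analytics.
// Assumptions: the account exists in this resource group; the workspace
// resource ID is passed in; API versions are assumed to be valid for your tenant.

param accountName string
param workspaceId string   // resource ID of an existing Log Analytics workspace

// Reference the existing Azure Cosmos DB account rather than creating one.
resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2021-10-15' existing = {
  name: accountName
}

// Defender for Cosmos DB is an extension resource scoped to the account.
// The portal's OFF -> ON switch maps to properties.isEnabled.
resource defender 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {
  name: 'current'          // the single instance name used by this resource type
  scope: cosmosAccount
  properties: {
    isEnabled: true
  }
}

// Diagnostic logging, as recommended above for alert investigation:
// DataPlaneRequests captures CRUD operations on documents, containers and
// databases; ControlPlaneRequests captures account-level changes.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'cosmos-audit'
  scope: cosmosAccount
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'DataPlaneRequests'
        enabled: true
      }
      {
        category: 'ControlPlaneRequests'
        enabled: true
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters accountName=<account> workspaceId=<workspace-resource-id>`. To confirm the setting took effect without opening the portal, read the same extension resource back with `az rest --method get --url "https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.DocumentDB/databaseAccounts/<account>/providers/Microsoft.Security/advancedThreatProtectionSettings/current?api-version=2019-01-01"` and check that `properties.isEnabled` is `true`; the placeholders in angle brackets are yours to fill in.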

Manage security alerts

When Azure Cosmos DB activity anomalies occur, a security alert is triggered with information about the suspicious security event.

From Microsoft Defender for Cloud, you can review and manage your current security alerts. Click on a specific alert in Defender for Cloud to view possible causes and recommended actions to investigate and mitigate the potential threat. The following image shows an example of alert details provided in Defender for Cloud.

Threat details

An email notification is also sent with the alert details and recommended actions. The following image shows an example of an alert email.

Alert details

Azure Cosmos DB alerts

To see a list of the alerts generated when monitoring Azure Cosmos DB accounts, see the Azure Cosmos DB alerts section in the Microsoft Defender for Cloud documentation.

Next steps