Introduction to Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities, or malicious insiders.

Defender for Azure Cosmos DB uses advanced threat detection capabilities, and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.

You can enable protection for all your databases (recommended), or enable Microsoft Defender for Azure Cosmos DB at either the subscription level, or the resource level.

Defender for Azure Cosmos DB continually analyzes the telemetry stream generated by the Azure Cosmos DB service. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Defender for Cloud together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations.

Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data, and doesn't have any effect on its performance.

Availability

Aspect Details
Release state: Preview.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Protected Azure Cosmos DB API SQL/Core API
Cassandra API
MongoDB API
Table API
Gremlin API
Clouds: Commercial clouds
Azure Government
Azure China 21Vianet

What are the benefits of Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB uses advanced threat detection capabilities and Microsoft Threat Intelligence data. Defender for Azure Cosmos DB continuously monitors your Azure Cosmos DB accounts for threats such as SQL injection, compromised identities and data exfiltration.

This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity and guidance on how to mitigate the threats. You can use this information to quickly remediate security issues and improve the security of your Azure Cosmos DB accounts.

Alerts include details of the incident that triggered them, and recommendations on how to investigate and remediate threats. Alerts can be exported to Microsoft Sentinel or any other third-party SIEM or any other external tool. To learn how to stream alerts, see Stream alerts to a SIEM, SOAR, or IT classic deployment model solution.

Tip

For a comprehensive list of all Defender for Storage alerts, see the alerts reference page. This is useful for workload owners who want to know what threats can be detected and help SOC teams gain familiarity with detections before investigating them. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in Manage and respond to security alerts in Microsoft Defender for Cloud.

Alert types

Threat intelligence security alerts are triggered for:

  • Potential SQL injection attacks:
    Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks can’t work in Azure Cosmos DB. However, there are some variations of SQL injections that can succeed and may result in exfiltrating data from your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects both successful and failed attempts, and helps you harden your environment to prevent these threats.

  • Anomalous database access patterns:
    For example, access from a TOR exit node, known suspicious IP addresses, unusual applications, and unusual locations.

  • Suspicious database activity:
    For example, suspicious key-listing patterns that resemble known malicious lateral movement techniques and suspicious data extraction patterns.

Next steps

In this article, you learned about Microsoft Defender for Azure Cosmos DB.