---
title: Advanced Threat Protection for Azure Cosmos DB
description: Learn how Azure Cosmos DB provides encryption of data at rest and how it's implemented.
ms.service: cosmos-db
ms.topic: conceptual
ms.date: 12/13/2019
ms.custom: seodec18
ms.author: memildin
author: memildin
manager: rkarlin
---
Advanced Threat Protection for Azure Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts. This layer of protection allows you to address threats, even without being a security expert, and integrate them with central security monitoring systems.
Security alerts are triggered when anomalies in activity occur. These security alerts are integrated with Azure Security Center, and are also sent via email to subscription administrators, with details of the suspicious activity and recommendations on how to investigate and remediate the threats.
> [!NOTE]
> - Advanced Threat Protection for Azure Cosmos DB is currently available only for the SQL API.
> - Advanced Threat Protection for Azure Cosmos DB is currently not available in Azure government and sovereign cloud regions.
For a full investigation experience of the security alerts, we recommend enabling diagnostic logging in Azure Cosmos DB, which logs operations on the database itself, including CRUD operations on all documents, containers, and databases.
Advanced Threat Protection for Azure Cosmos DB detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. It can currently trigger the following alerts:
- **Access from unusual locations**: This alert is triggered when there is a change in the access pattern to an Azure Cosmos account, where someone has connected to the Azure Cosmos DB endpoint from an unusual geographical location. In some cases, the alert detects a legitimate action, meaning a new application or a developer's maintenance operation. In other cases, the alert detects a malicious action from a former employee, an external attacker, etc.
- **Unusual data extraction**: This alert is triggered when a client is extracting an unusual amount of data from an Azure Cosmos DB account. This can be the symptom of data exfiltration performed to transfer all the data stored in the account to an external data store.
You can configure advanced threat protection in any of several ways, described in the following sections.
1. Launch the Azure portal at https://portal.azure.com.
2. From the Azure Cosmos DB account, from the Settings menu, select Advanced security.

   :::image type="content" source="./media/cosmos-db-advanced-threat-protection/cosmos-db-atp.png" alt-text="Set up ATP":::

3. In the Advanced security configuration blade:
   - Click the Advanced Threat Protection option to set it to ON.
   - Click Save to save the new or updated Advanced Threat Protection policy.
Use REST API commands to create, update, or get the Advanced Threat Protection setting for a specific Azure Cosmos DB account.
Use the following PowerShell cmdlets:
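As an added example (not the cmdlet list from the original page), the following script audits every Azure Cosmos DB account in the current subscription for Advanced Threat Protection and, with the `-Remediate` switch, turns it on where it is off. It assumes the Az.Accounts, Az.Resources and Az.Security modules are installed, that `Connect-AzAccount` has already been run, and that the `Get-AzSecurityAdvancedThreatProtection` / `Enable-AzSecurityAdvancedThreatProtection` cmdlets accept the account's resource ID.

```powershell
# Added example, not code from the original page: report (and optionally fix)
# the Advanced Threat Protection state of all Cosmos DB accounts in the
# current subscription. Assumes Az.Accounts, Az.Resources and Az.Security are
# installed and Connect-AzAccount has been run.
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Enumerate accounts through the generic resource provider so the script does
# not depend on the Az.CosmosDB module.
$accounts = Get-AzResource -ResourceType 'Microsoft.DocumentDB/databaseAccounts'

$report = foreach ($acct in $accounts) {
    $enabled = $false
    $note    = ''
    try {
        # Reads the per-resource ATP setting (the same switch the portal blade shows).
        $setting = Get-AzSecurityAdvancedThreatProtection -ResourceId $acct.ResourceId -ErrorAction Stop
        $enabled = [bool]$setting.IsEnabled

        if (-not $enabled -and $Remediate) {
            # Equivalent of setting the option to ON and clicking Save in the portal.
            Enable-AzSecurityAdvancedThreatProtection -ResourceId $acct.ResourceId -ErrorAction Stop | Out-Null
            $enabled = $true
            $note    = 'enabled by script'
        }
    }
    catch {
        # ATP is only offered for SQL API accounts; record the error instead of aborting.
        $note = $_.Exception.Message
    }

    [pscustomobject]@{
        Account       = $acct.Name
        ResourceGroup = $acct.ResourceGroupName
        Kind          = $acct.Kind
        AtpEnabled    = $enabled
        Note          = $note
    }
}

$report | Format-Table -AutoSize

# Exit non-zero while any account is still unprotected so the script can gate a pipeline.
if ($report | Where-Object { -not $_.AtpEnabled }) { exit 1 }
```

Run it without `-Remediate` first to see which accounts would change; accounts that are not SQL API show the provider's error in the Note column rather than being silently skipped.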
Use an Azure Resource Manager (ARM) template to set up Cosmos DB with Advanced Threat Protection enabled. For more information, see Create a CosmosDB Account with Advanced Threat Protection.
Use an Azure Policy to enable Advanced Threat Protection for Cosmos DB.
1. Launch the Azure Policy - Definitions page, and search for the Deploy Advanced Threat Protection for Cosmos DB policy.

   :::image type="content" source="./media/cosmos-db-advanced-threat-protection/cosmos-db.png" alt-text="Search Policy":::

2. Click on the Deploy Advanced Threat Protection for CosmosDB policy, and then click Assign.

   :::image type="content" source="./media/cosmos-db-advanced-threat-protection/cosmos-db-atp-policy.png" alt-text="Select Subscription Or Group":::

3. From the Scope field, click the three dots, select an Azure subscription or resource group, and then click Select.

   :::image type="content" source="./media/cosmos-db-advanced-threat-protection/cosmos-db-atp-details.png" alt-text="Policy Definitions Page":::

4. Enter the other parameters, and click Assign.
When Azure Cosmos DB activity anomalies occur, a security alert is triggered with information about the suspicious security event.
From Azure Security Center, you can review and manage your current security alerts. Click on a specific alert in Security Center to view possible causes and recommended actions to investigate and mitigate the potential threat. The following image shows an example of alert details provided in Security Center.
:::image type="content" source="./media/cosmos-db-advanced-threat-protection/cosmos-db-alert-details.png" alt-text="Threat details":::
An email notification is also sent with the alert details and recommended actions. The following image shows an example of an alert email.
:::image type="content" source="./media/cosmos-db-advanced-threat-protection/cosmos-db-alert.png" alt-text="Alert details":::
To see a list of the alerts generated when monitoring Azure Cosmos DB accounts, see the Cosmos DB alerts section in the Azure Security Center documentation.
- Learn more about Diagnostic logging in Azure Cosmos DB
- Learn more about Azure Security Center