Enable Microsoft Defender

Security · Cosmos DB · Rule · 2023_06 · Critical

Enable Microsoft Defender for Azure Cosmos DB.

Description

Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.

Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts, which allows Microsoft Defender for Cloud to produce security alerts whenever anomalies in activity occur.

Security alerts for onboarded Cosmos DB accounts show up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threat.

Microsoft Defender for Cosmos DB can be enabled at the resource level, but the general recommendation is to enable it at the subscription level, which ensures that every Cosmos DB account in the subscription is protected, including accounts created later. Enabling it at the resource level remains an option when only a specific Azure Cosmos DB account needs protection.

Recommendation

Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.

Examples

Configure with Azure template

To enable Microsoft Defender for Azure Cosmos DB accounts:

  • Deploy a Microsoft.Security/advancedThreatProtectionSettings sub-resource (extension resource) scoped to the Cosmos DB account.
  • Set the properties.isEnabled property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/advancedThreatProtectionSettings",
  "apiVersion": "2019-01-01",
  "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('accountName'))]",
  "name": "current",
  "properties": {
    "isEnabled": true
  },
  "dependsOn": [
    "cosmosDbAccount"
  ]
}

Configure with Bicep

To enable Microsoft Defender for Azure Cosmos DB accounts:

  • Deploy a Microsoft.Security/advancedThreatProtectionSettings sub-resource (extension resource) scoped to the Cosmos DB account.
  • Set the properties.isEnabled property to true.

For example:

Azure Bicep snippet
resource defenderForCosmosDb 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {
  scope: cosmosDbAccount
  name: 'current'
  properties: {
    isEnabled: true
  }
}

Notes

Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API. When Microsoft Defender for Cosmos DB is enabled at the subscription level, resource-level enablement has no effect, because protection is handled by the plan at the subscription level.
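The subscription-level enablement that the description and this note recommend is not shown in the rule's own snippets, so the following subscription-scoped Bicep is an added example, not part of the original rule documentation. It assumes the Microsoft.Security/pricings API version 2023-01-01 and a parameter name chosen here for illustration; the plan name CosmosDbs is the Defender for Cloud plan for Azure Cosmos DB.

```bicep
// Added example (not from the rule page): turn on the Defender for Azure Cosmos DB
// plan for the whole subscription, so every account, including future ones, is
// covered without a per-account advancedThreatProtectionSettings sub-resource.
targetScope = 'subscription'

@description('Hypothetical parameter: true deploys the Standard tier, false sets the plan back to Free (disabled).')
param enableDefenderForCosmosDb bool = true

// Microsoft.Security/pricings is the subscription-scoped Defender for Cloud plan resource.
// 'CosmosDbs' is the plan that protects Azure Cosmos DB accounts (NoSQL API only).
resource defenderForCosmosDbPlan 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'CosmosDbs'
  properties: {
    // 'Standard' enables the plan; 'Free' leaves it off.
    pricingTier: enableDefenderForCosmosDb ? 'Standard' : 'Free'
  }
}

// Surfaced so a pipeline can assert the plan ended up in the expected tier.
output cosmosDbPlanTier string = defenderForCosmosDbPlan.properties.pricingTier
```

Deploy it with a subscription-scoped deployment (for example `az deployment sub create`); once the plan is Standard, the resource-level `isEnabled` setting shown above is redundant for accounts in that subscription.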
