Skip to content

Enable Microsoft Defender#

Security · Cosmos DB · Rule · 2023_06

Enable Microsoft Defender for Azure Cosmos DB.

Description#

Microsoft Defender for Azure Cosmos DB provides additional security insight for Azure Cosmos DB accounts.

Protection is provided by analyzing onboarded Cosmos DB accounts for unusual and potentially harmful attempts to access or exploit the accounts. Which allows Microsoft Defender for Cloud to produce security alerts that are triggered when anomalies in activity occur.

Security alerts for onboarded Cosmos DB accounts shows up in Defender for Cloud with details of the suspicious activity and recommendations on how to investigate and remediate the threats.

Microsoft Defender for Cosmos DB can be enabled at the resource level, but the general recommandation is to enable it at the subscription level and by doing so ensures all Cosmos DB accounts in the subscription will be protected, including future ones. However, enabling it at resource level can be done to protect a specific Azure Cosmos DB account.

Recommendation#

Consider using Microsoft Defender for Azure Cosmos DB to provide additional security insights for Azure Cosmos DB accounts.

Examples#

Configure with Azure template#

To enable Microsoft Defender for Azure Cosmos DB accounts:

  • Deploy a Microsoft.DBforMySQL/servers/securityAlertPolicies sub-resource (extension resource).
  • Set the properties.isEnabled property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/advancedThreatProtectionSettings",
  "apiVersion": "2019-01-01",
  "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('accountName'))]",
  "name": "current",
  "properties": {
    "isEnabled": true
  },
  "dependsOn": [
    "cosmosDbAccount"
  ]
}

Configure with Bicep#

To enable Microsoft Defender for Azure Cosmos DB accounts:

  • Deploy a Microsoft.DBforMySQL/servers/securityAlertPolicies sub-resource (extension resource).
  • Set the properties.isEnabled property to true.

For example:

Azure Bicep snippet
resource defenderForCosmosDb 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {
  scope: cosmosDbAccount
  name: 'current'
  properties: {
    isEnabled: true
  }
}

Notes#

Microsoft Defender for Azure Cosmos DB is currently available only for the NoSQL API. When Microsoft Defender for Cosmos DB is enabled at the subscription level, the resource level enablement has no effect as it will be handled by the plan at the subscription level.

Comments