Quick Start Security for Azure Cosmos DB
Coralogix Extension for Azure Cosmos DB Includes:
Alerts - 8
Stay on top of Azure Cosmos DB key security and performance signals. Keep everyone in the know with integrations for Slack, PagerDuty and more.
Multiple Tables Created
This alert detects when more than 3 Cosmos DB tables (containers) are created within 15 minutes.
Impact: A threat actor with write access to the account may create their own table and use it to stage and export sensitive information without anyone noticing.
Mitigation: Check whether this activity was legitimate (a deployment pipeline, for example). If not, investigate further; if needed, delete the table and review the caller's permissions.
MITRE Tactic: TA0007 MITRE Technique: T1058
Backup Was Deleted
This alert detects when a backup for a Cosmos DB table is deleted. Without a backup the table cannot be recovered after a failure or a destructive change.
Impact: Threat actors delete database backups ahead of destructive actions so that the organization cannot recover, disrupting normal business operations.
Mitigation: 1. Validate that the relevant user is aware of the action. 2. If there is a suspicion that the user was compromised, disable the user and block their access to the Azure portal and subscription. 3. Create a new backup for the relevant table.
MITRE Tactic: TA0040 MITRE Technique: T1490
Deletion Protection Disabled
This alert detects when deletion protection on a database table is disabled. Deletion protection ensures that a Cosmos DB table does not get accidentally deleted; in Azure this is typically a CanNotDelete resource lock on the account or table. It is useful for tables holding mission-critical or production data.
Impact: A threat actor may disable deletion protection so that they can delete the table later and impact the business operations of an organization.
Mitigation: Check whether disabling the deletion protection was authorized. If not, revert the action and investigate further.
MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 001
A Table Item Was Deleted
This alert detects whenever one or more items in a Cosmos DB table are deleted. It may produce false positives, since administrators and power users delete records as part of routine maintenance, so it should be tuned to exclude specific hosts, service principals or user groups.
Impact: Once an adversary has access to your Cosmos DB database with the necessary permissions, they can delete table items to disrupt an organization's business operations.
Mitigation: Validate that the action was legitimate; if not, investigate further. Review database identities for excessive privileges to delete records. Take regular backups so that tables can be recovered when a deletion was not intentional.
MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001
Customer-Managed Keys for Data Encryption in Cosmos DB
This use case covers encrypting data stored in Azure Cosmos DB with customer-managed keys held in Azure Key Vault instead of Microsoft-managed keys, giving the organization control over the key that protects its data at rest.
Impact: Enhanced Control: the organization manages key rotation, access and lifecycle itself. Reduced Dependency: less reliance on Microsoft-managed keys. Regulatory Compliance: satisfies requirements that mandate customer control of data-at-rest encryption keys. Note that revoking Cosmos DB's access to the key makes the account's data unreadable, so key access must itself be protected against accidental or malicious change.
Mitigation: Key Lifecycle Management: secure generation, rotation and disposal of keys. Access Control: restrict key management operations to authorized personnel. Key Storage: keep keys in a compliant key management system or Hardware Security Module (HSM). Monitoring and Auditing: log key usage, rotations and any unauthorized access attempts. Key Rotation: rotate keys regularly to limit the exposure window of any single key.
MITRE Tactic: TA0007 MITRE Technique: T1595
Network Access Restriction for Azure Cosmos DB
This use case focuses on restricting network access to Azure Cosmos DB, Microsoft's globally distributed, multi-model database service. By default a Cosmos DB account's public endpoint accepts connections from any network; limiting access reduces the attack surface. Access restriction involves configuring firewall rules and virtual network service endpoints (or private endpoints) to control which networks or resources can connect to the account.
Impact: Reduced Attack Surface: allowing access only from trusted networks or specific resources minimizes exposure to malicious actors. Enhanced Data Security: unauthorized connection attempts from untrusted sources are blocked before authentication. Compliance Alignment: network access controls support regulatory requirements for data confidentiality and integrity.
Mitigation: Configuring Firewall Rules: define Cosmos DB firewall rules listing the IP addresses or ranges allowed to reach the account, and review them as organizational requirements change. Virtual Network Service Endpoints: use Azure Virtual Network service endpoints so that only resources in the designated subnets can reach the account, and use network security groups (NSGs) to control traffic from those subnets. Role-Based Access Control (RBAC): use Azure AD RBAC to define the roles and permissions of users and applications interacting with Cosmos DB, and regularly review and audit RBAC assignments against the principle of least privilege.
MITRE Tactic: TA0005 MITRE Technique: T1058
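The two use cases above describe settings rather than alerts, so the practical check is a configuration audit. The following is an added example written for this page, not Coralogix's or Microsoft's code: it takes a Cosmos DB account as `az cosmosdb show` would return it and reports the weak network-access and encryption settings alongside a hardened version of the same account. The property names (publicNetworkAccess, ipRules, isVirtualNetworkFilterEnabled, virtualNetworkRules, keyVaultKeyUri, disableLocalAuth, disableKeyBasedMetadataWriteAccess), the meaning of a 0.0.0.0 IP rule, the account name and the subnet ID are the author's assumptions and constructed sample data; verify the property names against your own account output.

```python
"""Audit the network and encryption settings of a Cosmos DB account as
returned by `az cosmosdb show`. Example code added to this page, not
Coralogix's or Microsoft's. Property names are the author's understanding of
the Microsoft.DocumentDB/databaseAccounts schema (assumption)."""
from typing import Any, Dict, List

# Constructed subnet ID for the sample accounts below (hypothetical).
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
             "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app")

# Constructed sample: an account with default settings (weak).
WEAK_ACCOUNT: Dict[str, Any] = {
    "name": "contoso-cosmos",                    # hypothetical account name
    "properties": {
        "publicNetworkAccess": "Enabled",
        "ipRules": [],                           # no IP allow-list
        "isVirtualNetworkFilterEnabled": False,
        "virtualNetworkRules": [],
        "keyVaultKeyUri": None,                  # Microsoft-managed keys
        "disableLocalAuth": False,               # account keys still usable
        "disableKeyBasedMetadataWriteAccess": False,
    },
}

# Constructed sample: the same account after hardening.
HARDENED_ACCOUNT: Dict[str, Any] = {
    "name": "contoso-cosmos",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],   # documentation range
        "isVirtualNetworkFilterEnabled": True,
        "virtualNetworkRules": [{"id": SUBNET_ID}],
        "keyVaultKeyUri": "https://contoso-kv.vault.azure.net/keys/cosmos-cmk",
        "disableLocalAuth": True,                # Azure AD data-plane auth only
        "disableKeyBasedMetadataWriteAccess": True,
    },
}


def audit_account(account: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for an account; an empty list means all checks passed."""
    p = account.get("properties") or {}
    findings: List[str] = []

    public = (p.get("publicNetworkAccess") or "Enabled").lower() == "enabled"
    ip_rules = p.get("ipRules") or []
    vnet_on = bool(p.get("isVirtualNetworkFilterEnabled"))
    vnet_rules = p.get("virtualNetworkRules") or []

    # Public endpoint with neither an IP allow-list nor enforced VNet rules: open to the Internet.
    if public and not ip_rules and not (vnet_on and vnet_rules):
        findings.append("public endpoint reachable from any network: no ipRules and no enforced virtualNetworkRules")
    # Per the Cosmos DB firewall docs, 0.0.0.0 admits traffic from any Azure datacenter (assumption).
    for rule in ip_rules:
        if (rule.get("ipAddressOrRange") or "") in ("0.0.0.0", "0.0.0.0/0"):
            findings.append("ipRules contains 0.0.0.0, which admits any Azure-hosted client, not only your own resources")
    # VNet rules only apply when the filter flag is on; rules without the flag are a silent misconfiguration.
    if vnet_rules and not vnet_on:
        findings.append("virtualNetworkRules present but isVirtualNetworkFilterEnabled is false, so they are not enforced")
    # Customer-managed key: keyVaultKeyUri must point at a Key Vault key.
    if not p.get("keyVaultKeyUri"):
        findings.append("data at rest uses Microsoft-managed keys (keyVaultKeyUri not set)")
    # With local auth enabled, anyone who can call listKeys gets full data-plane access.
    if not p.get("disableLocalAuth"):
        findings.append("account keys accepted for data-plane auth (disableLocalAuth is false)")
    if not p.get("disableKeyBasedMetadataWriteAccess"):
        findings.append("account keys can modify account metadata (disableKeyBasedMetadataWriteAccess is false)")
    return findings


if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"], audit_account(acct) or ["ok"])
```

Run it against real output with `az cosmosdb show -n <account> -g <group> -o json` piped into `audit_account`; the weak sample produces four findings and the hardened one none. The check for VNet rules without the filter flag is worth keeping even if you never expect it: it is the kind of half-applied change that leaves an account looking restricted in the portal while still open.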
Azure User Viewed CosmosDB Connection String
Triggers when a user retrieves a Cosmos DB connection string via the Azure API.
Impact: A connection string embeds an account key, so an attacker who obtains it can read or modify the Cosmos DB database directly, bypassing Azure RBAC.
Mitigation: Ensure the user is authorized to view the connection string for the Cosmos DB database. If unauthorized, investigate further and consider regenerating the account keys.
MITRE Tactic: TA0007 MITRE Technique: T1058
Azure User Viewed CosmosDB Access Keys
Triggers when a user retrieves a Cosmos DB access key through the Azure API.
Impact: An attacker holding an account key can access and manage the Cosmos DB database with full data-plane rights.
Mitigation: Confirm that the user is authorized to view the Cosmos DB access keys. Where possible, disable key-based authentication on the account and restrict the listKeys permission to the identities that need it, so that viewing keys is prevented rather than merely detected.
MITRE Tactic: TA0007 MITRE Technique: T1058
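The alerts above are defined as rules over Azure Activity Log events, so the following added example shows that logic in working form. It is written for this page and is not Coralogix's alert implementation: a sliding-window rule for "Multiple Tables Created" (more than 3 successful container or table writes inside 15 minutes on one account) and a per-event rule for access-key and connection-string retrieval, both run over constructed log records. The record layout is a simplified version of the Activity Log export schema, and the operation names (Microsoft.DocumentDB/databaseAccounts/.../containers/write, tables/write, listKeys/action, readonlykeys/action, listConnectionStrings/action), account and caller names are the author's assumptions; check them against the operation names in your own logs.

```python
"""Detection logic for the Cosmos DB alerts on this page, run over constructed
Azure Activity Log records. Example code added to this page, not Coralogix's
implementation. Record layout and operation names are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Operation names are compared case-insensitively because exported records upper-case them.
CREATE_OPS = {
    "microsoft.documentdb/databaseaccounts/sqldatabases/containers/write",
    "microsoft.documentdb/databaseaccounts/tables/write",
}
KEY_OPS = {
    "microsoft.documentdb/databaseaccounts/listkeys/action",
    "microsoft.documentdb/databaseaccounts/readonlykeys/action",
}
CONN_STRING_OPS = {"microsoft.documentdb/databaseaccounts/listconnectionstrings/action"}


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))


def _account(resource_id: str) -> str:
    """Database account name from the account itself or any child resource ID."""
    parts = resource_id.lower().split("/databaseaccounts/")
    return parts[1].split("/")[0] if len(parts) > 1 else resource_id


def multiple_tables_created(events: Iterable[dict], threshold: int = 3,
                            window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Fire once per account when more than `threshold` successful container/table
    writes land inside a sliding window. The same operation name is also emitted
    for updates to an existing container, which is a false-positive source to tune."""
    alerts: List[dict] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    for ev in sorted(events, key=_ts):
        if ev["operationName"].lower() not in CREATE_OPS or ev.get("resultType") != "Success":
            continue  # ignore other operations and the "Start" half of a write
        acct, t = _account(ev["resourceId"]), _ts(ev)
        q = recent[acct]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) == threshold + 1:  # first crossing of the threshold in this burst
            alerts.append({"rule": "Multiple Tables Created", "account": acct,
                           "count": len(q), "time": t.isoformat(), "caller": ev["caller"]})
    return alerts


def credential_views(events: Iterable[dict]) -> List[dict]:
    """One alert per successful key or connection-string retrieval."""
    alerts: List[dict] = []
    for ev in events:
        if ev.get("resultType") != "Success":
            continue
        op = ev["operationName"].lower()
        kind = "access key" if op in KEY_OPS else "connection string" if op in CONN_STRING_OPS else None
        if kind is None:
            continue
        alerts.append({"rule": f"Azure User Viewed Cosmos DB {kind}", "caller": ev["caller"],
                       "account": _account(ev["resourceId"]), "ip": ev["callerIpAddress"],
                       "time": ev["time"]})
    return alerts


# Constructed sample records (hypothetical subscription, account, callers and IPs).
ACCT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
        "/providers/Microsoft.DocumentDB/databaseAccounts/contoso-cosmos")
_CW = "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/SQLDATABASES/CONTAINERS/WRITE"


def _ev(time: str, op: str, result: str, caller: str, resource: str, ip: str = "198.51.100.7") -> dict:
    return {"time": time, "operationName": op, "resultType": result, "caller": caller,
            "resourceId": resource, "callerIpAddress": ip, "category": "Administrative"}


SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", _CW, "Success", "svc-deploy", ACCT + "/sqlDatabases/orders/containers/c1"),
    _ev("2024-05-01T10:03:00Z", _CW, "Success", "svc-deploy", ACCT + "/sqlDatabases/orders/containers/c2"),
    _ev("2024-05-01T10:05:00Z", _CW, "Start", "svc-deploy", ACCT + "/sqlDatabases/orders/containers/c3"),
    _ev("2024-05-01T10:05:00Z", _CW, "Success", "svc-deploy", ACCT + "/sqlDatabases/orders/containers/c3"),
    _ev("2024-05-01T10:08:00Z", _CW, "Success", "svc-deploy", ACCT + "/sqlDatabases/orders/containers/c4"),
    _ev("2024-05-01T10:12:00Z", _CW, "Success", "svc-deploy", ACCT + "/sqlDatabases/orders/containers/c5"),
    _ev("2024-05-01T11:00:00Z", _CW, "Success", "alice@contoso.com", ACCT + "/sqlDatabases/orders/containers/c6"),
    _ev("2024-05-01T11:02:00Z", "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION", "Success", "alice@contoso.com", ACCT),
    _ev("2024-05-01T11:02:30Z", "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/READONLYKEYS/ACTION", "Success", "alice@contoso.com", ACCT),
    _ev("2024-05-01T11:05:00Z", "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION", "Success", "bob@contoso.com", ACCT, "203.0.113.9"),
    _ev("2024-05-01T11:06:00Z", "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/READ", "Success", "bob@contoso.com", ACCT, "203.0.113.9"),
]

if __name__ == "__main__":
    for a in multiple_tables_created(SAMPLE_EVENTS) + credential_views(SAMPLE_EVENTS):
        print(a)
```

On the sample, the fourth successful write at 10:08 crosses the threshold and produces exactly one "Multiple Tables Created" alert with a count of 4; the 10:12 write extends the same burst without re-firing, and the 11:00 write is outside the window. The three key and connection-string calls each produce their own alert, while the plain account read does not. Counting only `resultType == "Success"` matters: each ARM write is logged twice (Start and Success), and counting both would halve the effective threshold.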
Integration
Learn more about Coralogix's out-of-the-box integration with Azure Cosmos DB in our documentation.