
Quick Start Security for Azure Cosmos DB


Coralogix Extension For Azure Cosmos DB Includes:

Alerts - 9

Stay on top of Azure Cosmos DB key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

No Logs From Azure Cosmos DB

This rule detects if there are no logs in the last 4 hours for Azure Cosmos DB in the customer account. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005. MITRE Technique: T1562.

Multiple Tables Created

This alert detects when more than 3 Cosmos DB tables are created in 15 minutes.

Impact: A threat actor may create their own Cosmos DB table to export sensitive information from the organization without anyone noticing.

Mitigation: Check whether this activity was legitimate. If not, investigate further. If needed, delete the table.

MITRE Tactic: TA0007. MITRE Technique: T1058.
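The two rules above ("No Logs" and "Multiple Tables Created") are both time-window checks over the activity stream. The following Python is an added example, not Coralogix's rule engine or any code from the page: it runs both checks over a small constructed batch of activity-log style events. The event fields (`time`, `app`, `subsystem`, `operation`, `caller`) and the operation name used to recognise a table creation are assumptions made for the example, so map them to whatever your log shipper actually emits.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events in an Azure activity-log style (not real tenant data).
# `app` / `subsystem` stand in for the routing labels the "No Logs" rule is scoped to;
# the operation name for a table creation is an assumption for this example.
TABLE_CREATE_OP = "Microsoft.DocumentDB/databaseAccounts/tables/write"
READ_OP = "Microsoft.DocumentDB/databaseAccounts/read"

SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "app": "prod", "subsystem": "cosmosdb", "operation": TABLE_CREATE_OP, "caller": "alice@example.com"},
    {"time": "2024-05-01T10:00:00Z", "app": "prod", "subsystem": "cosmosdb", "operation": TABLE_CREATE_OP, "caller": "alice@example.com"},
    {"time": "2024-05-01T10:03:00Z", "app": "prod", "subsystem": "cosmosdb", "operation": TABLE_CREATE_OP, "caller": "alice@example.com"},
    {"time": "2024-05-01T10:05:00Z", "app": "prod", "subsystem": "cosmosdb", "operation": TABLE_CREATE_OP, "caller": "alice@example.com"},
    {"time": "2024-05-01T10:06:00Z", "app": "prod", "subsystem": "cosmosdb", "operation": READ_OP, "caller": "bob@example.com"},
    {"time": "2024-05-01T10:09:00Z", "app": "prod", "subsystem": "cosmosdb", "operation": TABLE_CREATE_OP, "caller": "alice@example.com"},
    {"time": "2024-05-01T15:30:00Z", "app": "staging", "subsystem": "cosmosdb", "operation": READ_OP, "caller": "ci@example.com"},
]

# Evaluation time for the example; a real job would use the wall clock.
NOW = datetime(2024, 5, 1, 16, 0, tzinfo=timezone.utc)


def parse_time(ts: str) -> datetime:
    """Parse the UTC ISO-8601 timestamp used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def no_logs_alert(events, now, app, subsystem, window=timedelta(hours=4)) -> bool:
    """"No Logs" rule: True when nothing for (app, subsystem) arrived in the last `window`."""
    cutoff = now - window
    for e in events:
        if e["app"] == app and e["subsystem"] == subsystem and cutoff <= parse_time(e["time"]) <= now:
            return False
    return True


def table_creation_bursts(events, window=timedelta(minutes=15), threshold=3):
    """"Multiple Tables Created" rule: sliding window over table-creation events.

    Returns one record per burst, captured at the moment the count first exceeds
    `threshold` inside any `window`-long span (more than 3 in 15 minutes by default).
    """
    creates = sorted(
        (e for e in events if e["operation"] == TABLE_CREATE_OP),
        key=lambda e: parse_time(e["time"]),
    )
    bursts = []
    start = 0
    for end, ev in enumerate(creates):
        # Advance the window start until the span [start, end] fits in `window`.
        while parse_time(ev["time"]) - parse_time(creates[start]["time"]) > window:
            start += 1
        count = end - start + 1
        # `count` grows by at most one per step, so a burst crosses the threshold
        # exactly once, at threshold + 1; that is when we record it.
        if count == threshold + 1:
            bursts.append({
                "window_start": creates[start]["time"],
                "window_end": ev["time"],
                "count": count,
                "callers": sorted({c["caller"] for c in creates[start:end + 1]}),
            })
    return bursts


if __name__ == "__main__":
    print("prod silent for 4h:", no_logs_alert(SAMPLE_EVENTS, NOW, "prod", "cosmosdb"))
    print("staging silent for 4h:", no_logs_alert(SAMPLE_EVENTS, NOW, "staging", "cosmosdb"))
    for b in table_creation_bursts(SAMPLE_EVENTS):
        print("table creation burst:", b)
```

In the sample, `prod` produced nothing after 10:09, so at 16:00 the "No Logs" check fires for it and not for `staging`; the four creations between 10:00 and 10:09 trigger one burst record naming the caller, while the 08:00 creation falls outside every 15-minute span and is not counted. The crossing-point trick keeps a long burst from being reported once per extra event, which is the noise you would otherwise see in a ticketing integration.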

Backup Was Deleted

This alert detects when a backup for a Cosmos DB table is deleted. Deleting a backup makes it impossible to recover the table in case of any failures.

Impact: Threat actors delete database backups to impact the normal business operations of an organization.

Mitigation:
1. Validate if the relevant user is aware of the action.
2. If there is a suspicion that the user was compromised, disable the user and block their access to the AWS console and account.
3. Create a new backup entry for the relevant table.

MITRE Tactic: TA0040. MITRE Technique: T1490.

Deletion Protection Disabled

This alert detects when deletion protection on a database table is disabled. Deletion protection makes sure that a Cosmos DB table doesn't get accidentally deleted. It is useful for database tables holding mission-critical or production data.

Impact: A threat actor may disable deletion protection on a database table so that they can delete the table later and thus impact the business operations of an organization.

Mitigation: Check whether disabling the deletion protection was authorized; if not, revert the action and investigate further.

MITRE Tactic: TA0005. MITRE Technique: T1562. MITRE Sub-Technique: 001.

A Table Item Was Deleted

This alert detects whenever single or multiple items in a Cosmos DB table are deleted. This alert may produce false positives, as administrators and power users may delete table records for administrative activities, so it can be fine-tuned according to specific machines or user groups.

Impact: After an adversary has access to your Cosmos DB database and has the necessary permissions, they can delete database table items/records in order to disrupt an organization's business operations.

Mitigation: Validate whether this action was legitimate. If not, investigate it further. Additionally, administrators can check database user accounts for any excessive privileges to delete database records. Take regular database backups so that database tables can be recovered in case the deletion was not intentional.

MITRE Tactic: TA0003. MITRE Technique: T1505. MITRE Sub-Technique: 001.

Customer-Managed Keys for Data Encryption in Cosmos DB

This use case involves utilizing customer-managed keys for encrypting data stored in Azure Cosmos DB. Instead of relying on Microsoft-managed keys, organizations opt to manage their own keys, providing additional control over data security. This use case ensures that data at rest is protected using customer-managed keys, enhancing overall data security in Azure Cosmos DB.

Impact: The impact of implementing customer-managed keys for data encryption in Cosmos DB includes:
- Enhanced Control: Organizations have increased control over their encryption keys, allowing them to manage key rotation, access, and lifecycle independently.
- Reduced Dependency: Decreases reliance on Microsoft-managed keys, providing organizations with autonomy over their encryption key management.
- Regulatory Compliance: Meets regulatory requirements for organizations that need to manage their own encryption keys for data at rest.

Mitigation:
- Key Lifecycle Management: Implement robust key lifecycle management practices, including secure generation, rotation, and secure disposal of keys when necessary.
- Access Control: Enforce strict access controls for customer-managed keys, ensuring that only authorized personnel have access to key management operations.
- Key Storage: Safeguard the storage of customer-managed keys by utilizing secure and compliant key management systems or Hardware Security Modules (HSMs).
- Monitoring and Auditing: Set up monitoring and auditing mechanisms to track key management activities, including key usage, rotations, and any potential unauthorized access.
- Key Rotation: Regularly rotate customer-managed keys to mitigate the risk associated with prolonged key usage and potential exposure.

MITRE Tactic: TA0007. MITRE Technique: T1595.

Network Access Restriction for Azure Cosmos DB

This use case focuses on restricting network access to Azure Cosmos DB, a globally distributed, multi-model database service provided by Microsoft Azure. By limiting network access, organizations aim to reduce the attack surface and enhance the security posture of their Azure Cosmos DB instances. Access restriction involves configuring firewall rules and virtual network service endpoints to control which networks or resources can connect to the Cosmos DB service.

Impact: The impact of effectively restricting network access to Azure Cosmos DB includes:
- Reduced Attack Surface: By allowing access only from trusted networks or specific resources, organizations minimize the potential exposure to malicious actors and unauthorized entities.
- Enhanced Data Security: Network access restrictions contribute to safeguarding sensitive data stored in Cosmos DB by preventing unauthorized access attempts from untrusted sources.
- Compliance Alignment: Implementing network access controls helps organizations align with regulatory requirements and security best practices, ensuring data confidentiality and integrity.

Mitigation:
- Configuring Firewall Rules: Define and configure Azure Cosmos DB firewall rules to specify the IP addresses or IP ranges allowed to access the database service. Regularly review and update firewall rules based on changes in organizational requirements.
- Virtual Network Service Endpoints: Leverage Azure Virtual Network service endpoints to extend the private address space of a virtual network to Azure Cosmos DB, ensuring that only resources within the designated network can access the database service. Implement network security groups (NSGs) to control inbound and outbound traffic to and from Cosmos DB.
- Role-Based Access Control (RBAC): Utilize RBAC to control access at the Azure AD level, defining roles and permissions for users or applications interacting with Cosmos DB. Regularly review and audit RBAC configurations to align with the principle of least privilege.

MITRE Tactic: TA0005. MITRE Technique: T1058.
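The customer-managed-key and network-restriction use cases above are both configuration posture checks rather than event detections. The Python below is an added example, not code from Coralogix or from this page: it audits constructed Cosmos DB account descriptions for the weak settings those two sections warn about (no customer-managed key, public access with no firewall or virtual-network restriction, an over-broad allowed IP range) and shows a hardened account passing. The property names (`publicNetworkAccess`, `ipRules`, `isVirtualNetworkFilterEnabled`, `virtualNetworkRules`, `keyVaultKeyUri`) are assumed from the Azure Resource Manager schema for database accounts; the account names, addresses and subnet id are invented, and the "/24 or narrower" rule of thumb is the example's own choice.

```python
import ipaddress

# Constructed samples shaped like the `properties` block of a Cosmos DB account
# as returned by Azure Resource Manager. Property names are assumed; values are invented.
ACCOUNTS = [
    {   # Weak: reachable from any network, no firewall, no VNet filter, Microsoft-managed key only.
        "name": "cosmos-weak",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "ipRules": [],
            "isVirtualNetworkFilterEnabled": False,
            "virtualNetworkRules": [],
            "keyVaultKeyUri": None,
        },
    },
    {   # Has a firewall, but the allowed range is far wider than any office or NAT egress.
        "name": "cosmos-broad",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "ipRules": [{"ipAddressOrRange": "198.51.0.0/16"}],
            "isVirtualNetworkFilterEnabled": False,
            "virtualNetworkRules": [],
            "keyVaultKeyUri": "https://example-kv.vault.azure.net/keys/cosmos-cmk",
        },
    },
    {   # Hardened: narrow allow-list, VNet service-endpoint rule, customer-managed key.
        "name": "cosmos-hardened",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
            "isVirtualNetworkFilterEnabled": True,
            "virtualNetworkRules": [{"id": "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"}],
            "keyVaultKeyUri": "https://example-kv.vault.azure.net/keys/cosmos-cmk",
        },
    },
]

# Allowed ranges wider than this many addresses (a /24) are treated as over-broad. Example policy.
MAX_ALLOWED_RANGE = 256


def audit_account(account):
    """Return a list of (code, detail) findings for one account; empty means it passes."""
    p = account["properties"]
    findings = []

    public = p.get("publicNetworkAccess", "Enabled") == "Enabled"
    ip_rules = [r["ipAddressOrRange"] for r in p.get("ipRules", [])]
    vnet_restricted = bool(p.get("isVirtualNetworkFilterEnabled")) and bool(p.get("virtualNetworkRules"))

    # Public endpoint with neither a firewall allow-list nor a VNet filter: open to any source.
    if public and not ip_rules and not vnet_restricted:
        findings.append(("public-unrestricted", "public network access enabled with no IP or VNet rules"))

    # Firewall present, but an entry admits far more addresses than a trusted egress range.
    for cidr in ip_rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > MAX_ALLOWED_RANGE:
            findings.append(("broad-ip-rule", f"{cidr} allows {net.num_addresses} addresses"))

    # Data at rest is protected only by Microsoft-managed keys.
    if not p.get("keyVaultKeyUri"):
        findings.append(("no-cmk", "no customer-managed key (keyVaultKeyUri) configured"))

    return findings


def audit_all(accounts):
    """Map account name -> list of finding codes, for the whole inventory."""
    return {a["name"]: [code for code, _ in audit_account(a)] for a in accounts}


if __name__ == "__main__":
    for acct in ACCOUNTS:
        for code, detail in audit_account(acct) or [("ok", "no findings")]:
            print(f"{acct['name']}: {code}: {detail}")
```

Running the audit over an exported inventory gives a per-account list you can feed back into the same alerting pipeline; the weak and broad accounts each surface the specific setting to fix, and the hardened account returns nothing.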

Azure User Viewed Cosmos DB Connection String

Triggers when a user views a Cosmos DB connection string via the Azure API.

Impact: An attacker can access or modify the Cosmos DB database.

Mitigation: Ensure the user is authorized to view the connection string for the Cosmos DB database. If unauthorized, investigate the issue.

MITRE Tactic: TA0007. MITRE Technique: T1058.

Azure User Viewed Cosmos DB Access Keys

Triggers when a user views a Cosmos DB access key through the Azure API.

Impact: An attacker with the proper privileges can access and manage the Cosmos DB database.

Mitigation: Confirm that the user is authorized to view the Cosmos DB access keys. Automate controls that prevent the Cosmos DB access keys from being viewed.

MITRE Tactic: TA0007. MITRE Technique: T1058.


Learn more about Coralogix's out-of-the-box integration with Azure Cosmos DB in our documentation.
