Microsoft Defender for Azure Cosmos DB - now generally available
Published Jun 21 2022 07:00 AM

Databases are constantly evolving to handle new use cases, incorporate more intelligence and store more data, giving developers and organizations a wide range of database types to meet their varying needs. There are unique aspects to each database type, including authentication methods, configuration options, architecture, and capabilities. This means that the security threats are also unique – requiring custom security measures and protection capabilities to address the most common threats across databases.


Microsoft Defender for Cloud provides advanced protection for different types of databases, including SQL databases, Azure Database for PostgreSQL, Azure Database for MySQL, Azure Database for MariaDB and now Azure Cosmos DB.


We’re excited to announce that Microsoft Defender for Azure Cosmos DB is now generally available for SQL (Core) API accounts.


With Microsoft Defender for Azure Cosmos DB you can:

  1. Enable protection with a single click across your cloud database estate.
  2. Get a rich set of detections against the most critical threats in Azure Cosmos DB SQL (Core) workloads, including SQL injection, data exfiltration and suspicious access or queries.
  3. Act on security alerts and recommendations at the resource level, or view your status across your cloud database estate.

The new cloud workload protection capabilities are designed as an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts, based on the most common attack techniques and known bad actors - enabling security teams to detect and respond to these threats more effectively, using the Microsoft Defender for Cloud toolset.

These threat detections are delivered based on Microsoft Threat Intelligence, the Microsoft Defender SQL query analysis engine, and Microsoft Defender behavioral models.


Detect the most critical threats targeting your Azure Cosmos DB workloads

Microsoft Defender for Azure Cosmos DB monitors your Azure Cosmos DB accounts and helps protect them from various attack vectors, such as attacks originating from the application layer, SQL injections, suspicious access patterns, compromised identities, malicious insiders, and direct attacks on the database. Below is an overview of the key threat techniques that affect Azure Cosmos DB and are detected by Microsoft Defender for Cloud.


  • SQL Injections – this popular technique can be executed against an Azure Cosmos DB database. Because Azure Cosmos DB uses a different query syntax, only a subset of these attacks can succeed. Attackers can use SQL injection techniques to bypass the application’s access controls and extract sensitive data.

    Defender for Azure Cosmos DB detects both failed and successful attempts, and provides recommendations and policies to harden your applications so that these exploits are prevented in the first place.


Example of a detected SQL injection attack alert in Microsoft Defender for Cloud
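The SQL injection bullet above deserves a concrete illustration. This is an added example, not code from the post or from the azure-cosmos SDK: the same lookup against a SQL (Core) API container built unsafely and safely, plus a query-shape check of the kind a query-analysis engine uses to notice that a concatenated value changed the structure of the statement. The function names and the container field `userId` are assumptions; no SDK call is made, so it runs offline.

```python
import re

# Added example (not from the post or the azure-cosmos SDK). The safe form is the
# query/parameters shape that query_items() accepts: the query text stays constant
# and the value is bound to @userId, so it can never become part of the syntax.

def build_query_unsafe(user_id: str) -> str:
    """Vulnerable: caller input is spliced into the query text."""
    return f"SELECT * FROM c WHERE c.userId = '{user_id}'"


def build_query_safe(user_id: str) -> dict:
    """Hardened: the query text is constant; the value travels as a parameter."""
    return {"query": "SELECT * FROM c WHERE c.userId = @userId",
            "parameters": [{"name": "@userId", "value": user_id}]}


# Cosmos DB string literals are single-quoted with backslash escapes; numbers are bare.
_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\b\d+(?:\.\d+)?\b")


def query_shape(text: str) -> str:
    """Replace every literal with '?' and normalise case and whitespace, so that
    queries differing only in their values produce the same shape."""
    return " ".join(_LITERAL.sub("?", text).upper().split())


# The shape every legitimate lookup built from the template must have.
EXPECTED_SHAPE = query_shape(build_query_unsafe("<placeholder>"))


def is_structurally_unexpected(built_query: str) -> bool:
    """True when a value has altered the statement's structure (for example by
    adding an OR clause), which is what turns one lookup into a dump of the container."""
    return query_shape(built_query) != EXPECTED_SHAPE
```

Feeding the output of `build_query_unsafe` through `is_structurally_unexpected` flags a tautology-style input, while the parameterised form never changes shape regardless of the value.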


  • Key extraction – this is an indicative pattern of an attacker who has obtained a compromised identity and is trying to extract keys to your resources.
    If an attacker gets hold of these keys, they have full access to all the data in the Azure Cosmos DB accounts. Microsoft Defender for Azure Cosmos DB detects these suspicious key listings on the control plane, as well as data exfiltration and other suspicious actions on the data plane.
    We have also introduced new recommendations to help you move to using identities only and to block access with keys. If you adopt this recommendation, then even if attackers manage to get hold of leaked keys or tokens, their access attempt will be blocked.

  • Known malicious indicators – Microsoft Defender for Cloud uses the extensive Threat Intelligence of Microsoft’s security platform, allowing security teams to detect and respond more effectively to malicious actors trying to access their databases.
    Every activity is inspected, so even if an attacker uses account keys and never authenticates through the control plane, they are still detected by Defender for Azure Cosmos DB.

  • Suspicious behavior patterns – using behavioral modeling over time, Microsoft Defender for Cloud learns the normal activity in your environment and alerts on suspicious behaviors on your Azure Cosmos DB accounts that can indicate compromised identities, leaked keys, or malicious insiders.
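The key extraction bullet above describes suspicious key listings on the control plane. As an added example (not the post's or Defender's own detection model), here is a small detector run over constructed records in the shape of Azure Activity Log events: it raises a finding when a principal that never read keys during a learning window suddenly does, and when one principal reads the keys of several accounts in a short burst. The principal names, account names and subscription placeholder are constructed; the operation names are the real Cosmos DB control-plane actions that return keys or connection strings.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Control-plane operations that return Cosmos DB account keys or connection strings.
KEY_READ_OPS = {
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
    "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
}

def ev(ts, caller, account, op="Microsoft.DocumentDB/databaseAccounts/listKeys/action"):
    """Constructed record in the shape of an Azure Activity Log event (placeholder subscription)."""
    return {"eventTimestamp": ts, "caller": caller, "status": {"value": "Succeeded"},
            "operationName": {"value": op},
            "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/"
                          f"Microsoft.DocumentDB/databaseAccounts/{account}"}

# Constructed sample: a deployment principal reads keys as part of normal operation during
# the learning window; later a user account lists keys for three accounts within minutes.
SAMPLE_EVENTS = [
    ev("2022-06-01T08:00:00Z", "deploy-sp", "orders-db"),
    ev("2022-06-20T09:00:00Z", "deploy-sp", "orders-db"),            # known caller: no finding
    ev("2022-06-20T13:00:00Z", "jdoe@contoso.example", "orders-db"),
    ev("2022-06-20T13:02:00Z", "jdoe@contoso.example", "billing-db"),
    ev("2022-06-20T13:05:00Z", "jdoe@contoso.example", "audit-db",
       op="Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action"),
]
BASELINE_UNTIL = datetime(2022, 6, 15, tzinfo=timezone.utc)   # end of the learning window

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_suspicious_key_reads(events, baseline_until, window=timedelta(minutes=10), burst=3):
    """Return (reason, caller, timestamp) findings: a principal reading keys that never did so
    before baseline_until, and a principal reading keys of `burst` accounts within `window`."""
    reads = sorted((e for e in events if e["operationName"]["value"] in KEY_READ_OPS
                    and e["status"]["value"] == "Succeeded"), key=lambda e: _ts(e["eventTimestamp"]))
    known = {e["caller"] for e in reads if _ts(e["eventTimestamp"]) < baseline_until}
    recent, findings = defaultdict(list), []
    for e in reads:
        t, caller = _ts(e["eventTimestamp"]), e["caller"]
        if t < baseline_until:
            continue                      # learning window only feeds the baseline
        if caller not in known:
            findings.append(("new-principal-key-read", caller, e["eventTimestamp"]))
            known.add(caller)             # alert once per new principal
        recent[caller] = [(t0, r) for (t0, r) in recent[caller] if t - t0 <= window]
        recent[caller].append((t, e["resourceId"]))
        if len({r for (_, r) in recent[caller]}) >= burst:
            findings.append(("key-read-burst", caller, e["eventTimestamp"]))
            recent[caller].clear()        # one alert per burst
    return findings
```

Both heuristics are naive stand-ins for behavioral modeling; the point is that key reads are visible in the control-plane log and can be baselined per principal, which is also what makes the identity-only recommendation easy to verify after you adopt it.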

You can find a complete list of Microsoft Defender for Azure Cosmos DB alerts here: Microsoft Defender for Azure Cosmos DB alerts reference guide.


Enable protection for all your database types in Microsoft Defender for Cloud



Overview of the threat detection and response experience in Microsoft Defender for Cloud


To enable protection for the different databases in your cloud and hybrid environment, we created a central enablement experience for PostgreSQL, Azure Database for MySQL, Azure Database for MariaDB and now Azure Cosmos DB.

While each database type requires a tailored approach with custom security controls and uniquely optimized threat detection models, we have standardized the security experience in Microsoft Defender for Cloud across the different database types.


You can enable protection for Azure Cosmos DB at either the subscription level (recommended) or the resource level, or simply enable protection for all your database types with a single click. For detailed step-by-step instructions, check out our product documentation.


Comprehensive protection

With the addition of support for Azure Cosmos DB, Microsoft Defender for Cloud now provides one of the most comprehensive workload protection offerings for cloud-based databases, giving security teams and database owners a centralized experience to manage database security in their environments.


Microsoft Defender for Cloud is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and can protect workloads across multi-cloud and hybrid environments from evolving threats.


More information:


Version history
Last update: Jun 22 2022 06:33 AM