Merge pull request #186810 from ElazarK/cosmo-db

cosmos db

Author: PMEds28

articles/defender-for-cloud/TOC.yml

@@ -193,24 +193,38 @@
       href: harden-docker-hosts.md
   - name: Protect your databases
     items:
-    - name: Overview of Defender for SQL
-      displayName: database
-      href: defender-for-sql-introduction.md
-    - name: Enable Defender for SQL servers on machines
-      href: defender-for-sql-usage.md
-      displayName: hybrid, arc, Azure Defender
-    - name: Overview of Defender for open-source relational databases
-      displayName: PG, PostgreSQL, MySQL, MariaDB, Azure Defender, OS RDBs, OSRDB
-      href: defender-for-databases-introduction.md
-    - name: Enable Defender for OSS RDBs and respond to alerts
-      displayName: PG, PostgreSQL, MySQL, MariaDB, open-source relational databases, Azure Defender, OS RDBs, OSRDB
-      href: defender-for-databases-usage.md
-    - name: Scan your SQL resources for vulnerabilities
-      href: defender-for-sql-on-machines-vulnerability-assessment.md
-      displayName: hybrid, arc, Azure Defender, VA, registry, vulnerabilities
-    - name: Customize SQL information protection policy
-      displayName: sql, database, data discovery
-      href: sql-information-protection-policy.md
+    - name: Enable protection on all of your databases
+      href: quickstart-enable-database-protections.md
+    - name: Defender for Azure SQL database
+      items: 
+      - name: Overview of Defender for SQL
+        displayName: database
+        href: defender-for-sql-introduction.md
+      - name: Scan your SQL resources for vulnerabilities
+        href: defender-for-sql-on-machines-vulnerability-assessment.md
+        displayName: hybrid, arc, Azure Defender, VA, registry, vulnerabilities
+      - name: Customize SQL information protection policy
+        displayName: sql, database, data discovery
+        href: sql-information-protection-policy.md
+    - name: Defender for SQL servers on machines
+      items:
+      - name: Enable Defender for SQL servers on machines
+        href: defender-for-sql-usage.md
+        displayName: hybrid, arc, Azure Defender
+    - name: Defender for open-source relational databases
+      items: 
+      - name: Overview of Defender for open-source relational databases
+        displayName: PG, PostgreSQL, MySQL, MariaDB, Azure Defender, OS RDBs, OSRDB
+        href: defender-for-databases-introduction.md
+      - name: Enable Defender for OSS RDBs and respond to alerts
+        displayName: PG, PostgreSQL, MySQL, MariaDB, open-source relational databases, Azure Defender, OS RDBs, OSRDB
+        href: defender-for-databases-usage.md
+    - name: Microsoft Defender for Azure Cosmos DB (Preview)
+      items: 
+      - name: Overview of Microsoft Defender for Azure Cosmos DB
+        href: concept-defender-for-cosmos.md
+      - name: Enable Microsoft Defender for Azure Cosmos DB
+        href: quickstart-enable-defender-for-cosmos.md
   - name: Protect your containerized environments
     items:
     - name: Overview of Defender for Containers

articles/defender-for-cloud/alerts-reference.md

@@ -2,7 +2,7 @@
 title: Reference table for all security alerts in Microsoft Defender for Cloud
 description: This article lists the security alerts visible in Microsoft Defender for Cloud
 ms.topic: reference
-ms.date: 02/10/2022
+ms.date: 02/28/2022
 ---
 # Security alerts - a reference guide
 
@@ -511,17 +511,17 @@ Microsoft Defender for Containers provides security alerts on the cluster level
 
 ## <a name="alerts-azurecosmos"></a>Alerts for Azure Cosmos DB (Preview)
 
-[Further details and notes](other-threat-protections.md#cosmos-db)
+[Further details and notes](concept-defender-for-cosmos.md)
 
 | Alert | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |
 |--|--|:-:|--|
-| **PREVIEW - Access from a Tor exit node** | This Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. | Initial Access | High/Medium |
-| **PREVIEW - Access from a suspicious IP** | This Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence. | Initial Access  | Medium |
-| **PREVIEW - Access from an unusual location** | This Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern. <br><br> Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location | Initial Access | Low |
-| **PREVIEW - Unusual volume of data extracted** | An unusually large volume of data has been extracted from this Cosmos DB account. This might indicate that a threat actor exfiltrated data. | Exfiltration | Medium |
-| **PREVIEW - Extraction of Cosmos DB accounts keys via a potentially malicious script** | A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Cosmos DB accounts they can access. <br><br> This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Cosmos DB accounts in your environment for malicious intentions. <br><br> Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement. | Collection | High |
-| **PREVIEW - SQL injection: potential data exfiltration** | A suspicious SQL statement was used to query a container in this Cosmos DB account. <br><br> The injected statement might have succeeded in exfiltrating data that the threat actor isn’t authorized to access. <br><br> Due to the structure and capabilities of Cosmos DB queries, many known SQL injection attacks on Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data. | Exfiltration  | Medium |
-| **PREVIEW - SQL injection: fuzzing attempt** | A suspicious SQL statement was used to query a container in this Cosmos DB account. <br><br> Like other well-known SQL injection attacks, this attack won’t succeed in compromising the Cosmos DB account. <br><br> Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account, and your application may be compromised. <br><br> Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Cosmos DB account and exfiltrate data. <br><br> You can prevent this threat by using parameterized queries. | Pre-attack  | Low |
+| **PREVIEW - Access from a Tor exit node** | This Azure Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. | Initial Access | High/Medium |
+| **PREVIEW - Access from a suspicious IP** | This Azure Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence. | Initial Access  | Medium |
+| **PREVIEW - Access from an unusual location** | This Azure Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern. <br><br> Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location | Initial Access | Low |
+| **PREVIEW - Unusual volume of data extracted** | An unusually large volume of data has been extracted from this Azure Cosmos DB account. This might indicate that a threat actor exfiltrated data. | Exfiltration | Medium |
+| **PREVIEW - Extraction of Azure Cosmos DB accounts keys via a potentially malicious script** | A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access. <br><br> This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions. <br><br> Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement. | Collection | High |
+| **PREVIEW - SQL injection: potential data exfiltration** | A suspicious SQL statement was used to query a container in this Azure Cosmos DB account. <br><br> The injected statement might have succeeded in exfiltrating data that the threat actor isn’t authorized to access. <br><br> Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data. | Exfiltration  | Medium |
+| **PREVIEW - SQL injection: fuzzing attempt** | A suspicious SQL statement was used to query a container in this Azure Cosmos DB account. <br><br> Like other well-known SQL injection attacks, this attack won’t succeed in compromising the Azure Cosmos DB account. <br><br> Nevertheless, it’s an indication that a threat actor is trying to attack the resources in this account, and your application may be compromised. <br><br> Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data. <br><br> You can prevent this threat by using parameterized queries. | Pre-attack  | Low |
 |  |  |  |  |
 
 

articles/defender-for-cloud/concept-defender-for-cosmos.md

@@ -0,0 +1,61 @@
+---
+title: Overview of Defender for Azure Cosmos DB
+description: Learn about the benefits and features of Microsoft Defender for Azure Cosmos DB.
+titleSuffix: Microsoft Defender for Azure Cosmos DB
+ms.topic: conceptual
+ms.date: 02/28/2022
+---
+
+# Introduction to Microsoft Defender for Azure Cosmos DB
+
+APPLIES TO: :::image type="icon" source="media/icons/yes-icon.png" border="false"::: SQL/Core API
+
+Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities, or malicious insiders.
+
+Microsoft Defender for Azure Cosmos DB uses advanced threat detection capabilities, and [Microsoft Threat Intelligence](https://www.microsoft.com/insidetrack/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats) data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks. 
+
+You can [enable protection for all your databases](quickstart-enable-database-protections.md) (recommended), or [enable Microsoft Defender for Azure Cosmos DB](quickstart-enable-defender-for-cosmos.md) at either the subscription level, or the resource level. 
+
+Microsoft Defender for Azure Cosmos DB continually analyzes the telemetry stream generated by the Azure Cosmos DB services. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations. 
+
+Microsoft Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data, and doesn't have any effect on its performance. 
+
+## Availability
+
+|Aspect|Details|
+|----|:----|
+|Release state:|Preview.<br>[!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]|
+|Protected Azure Cosmos DB API | :::image type="icon" source="./media/icons/yes-icon.png"::: SQL/Core API <br> :::image type="icon" source="./media/icons/no-icon.png"::: Cassandra API <br> :::image type="icon" source="./media/icons/no-icon.png"::: MongoDB API <br> :::image type="icon" source="./media/icons/no-icon.png"::: Table API <br> :::image type="icon" source="./media/icons/no-icon.png"::: Gremlin API |
+|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government <br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet |
+
+## What are the benefits of Microsoft Defender for Azure Cosmos DB
+
+Microsoft Defender for Azure Cosmos DB uses advanced threat detection capabilities and Microsoft Threat Intelligence data. Microsoft Defender for Azure Cosmos DB continuously monitors your Azure Cosmos DB accounts for threats such as SQL injection, compromised identities and data exfiltration. 
+
+This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity and guidance on how to mitigate the threats. 
+You can use this information to quickly remediate security issues and improve the security of your Azure Cosmos DB accounts. 
+
+Alerts include details of the incident that triggered them, and recommendations on how to investigate and remediate threats. Alerts can be exported to Microsoft Sentinel or any other third-party SIEM or any other external tool. To learn how to stream alerts, see [Stream alerts to a SIEM, SOAR, or IT classic deployment model solution](export-to-siem.md). 
+
+> [!TIP]
+> For a comprehensive list of all Defender for Storage alerts, see the [alerts reference page](alerts-reference.md#alerts-azurecosmos). This is useful for workload owners who want to know what threats can be detected and help SOC teams gain familiarity with detections before investigating them. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.md).
+
+## Alert types
+
+Threat intelligence security alerts are triggered for: 
+
+- **Potential SQL injection attacks**: <br>
+    Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks can’t work in Azure Cosmos DB. However, there are some variations of SQL injections that can succeed and may result in exfiltrating data from your Azure Cosmos DB accounts. Microsoft Defender for Azure Cosmos DB detects both successful and failed attempts, and helps you harden your environment to prevent these threats. 
+ 
+- **Anomalous database access patterns**: <br>
+    For example, access from a TOR exit node, known suspicious IP addresses, unusual applications, and unusual locations. 
+ 
+- **Suspicious database activity**: <br>
+    For example, suspicious key-listing patterns that resemble known malicious lateral movement techniques and suspicious data extraction patterns. 
+
+## Next steps
+
+In this article, you learned about Microsoft Defender for Azure Cosmos DB. 
+
+> [!div class="nextstepaction"]
+> [Enable Microsoft Defender for Azure Cosmos DB](quickstart-enable-defender-for-cosmos.md)

articles/defender-for-cloud/features-paas.md

@@ -2,7 +2,7 @@
 title: Microsoft Defender for Cloud features for supported Azure PaaS resources.
 description: This page shows the availability of Microsoft Defender for Cloud features for the supported Azure PaaS resources.
 ms.topic: overview
-ms.date: 11/09/2021
+ms.date: 02/27/2022
 ---
 # Feature coverage for Azure PaaS services <a name="paas-services"></a>