Enable Advanced Threat Protection

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: CosmosDB-001

Ensure that your Microsoft Azure Cosmos DB accounts are using the Advanced Threat Protection feature to detect unusual and potentially harmful attempts to access or exploit the Cosmos DB account resources. Advanced Threat Protection for Azure Cosmos DB represents an additional layer of protection that allows you to address cybersecurity threats, without being a security expert, and integrates them with central security monitoring systems like Azure Security Center in order to send email alerts when suspicious activity occurs, and provide recommendations on how to remediate these threats.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Enabling Advanced Threat Protection can help you safeguard your Azure Cosmos DB accounts against potentially harmful activities such as atypical client logins (e.g. access from unusual locations) and unusual data extraction.


Audit

To determine if Advanced Threat Protection is enabled for your Microsoft Azure Cosmos DB accounts, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cosmos DB account to show all Cosmos DB accounts available in the selected subscription.

05 Click on the name of the Cosmos DB account that you want to examine.

06 In the navigation panel, under Settings, select Advanced security to access the Advanced Threat Protection settings available for the selected account.

07 On the Advanced security page, check the Advanced Threat Protection configuration setting. If the setting is set to OFF, the Advanced Threat Protection feature is not enabled for the selected Microsoft Azure Cosmos DB account.

08 Repeat steps no. 5 – 7 for each Cosmos DB account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the Get-AzCosmosDBAccount PowerShell cmdlet with custom query filters to list the IDs of the Azure Cosmos DB accounts available in the current Azure subscription (the backtick at the end of the first line is the PowerShell line-continuation character, so the two lines are parsed as one command):

Get-AzCosmosDBAccount `
	-ResourceGroupName cloud-shell-storage-westeurope | Select-Object Id

02 The command output should return the requested Cosmos DB account identifiers:

Id
--
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmosdb-main-account"
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-db-account"

03 Run the Get-AzSecurityAdvancedThreatProtection PowerShell cmdlet using the ID of the Cosmos DB account that you want to examine as the identifier parameter, together with custom query filters, to expose the Advanced Threat Protection configuration status for the selected account (the trailing backtick continues the command on the next line):

Get-AzSecurityAdvancedThreatProtection `
	-ResourceId "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmosdb-main-account" | Select-Object IsEnabled

04 The command output should return the requested configuration setting status (True for enabled, False for disabled):

IsEnabled
---------
    False

If the Get-AzSecurityAdvancedThreatProtection command output returns False, as shown in the output example above, the Advanced Threat Protection feature is not enabled for the selected Microsoft Azure Cosmos DB account.

05 Repeat steps no. 3 and 4 for each Cosmos DB account created within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Advanced Threat Protection for your Microsoft Azure Cosmos DB accounts, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cosmos DB account to list all Cosmos DB accounts deployed in the selected subscription.

05 Click on the name of the Cosmos DB account that you want to reconfigure.

06 In the navigation panel, under Settings, select Advanced security to access the Advanced Threat Protection settings available for the selected account.

07 On the Advanced security page, select ON next to Advanced Threat Protection to enable the Advanced Threat Protection feature for the selected Microsoft Azure Cosmos DB account.

08 Repeat steps no. 5 – 7 to enable Advanced Threat Protection for other Cosmos DB accounts available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the Enable-AzSecurityAdvancedThreatProtection PowerShell cmdlet using the ID of the Cosmos DB account that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right Cosmos DB resource) to enable the Advanced Threat Protection feature for the selected Microsoft Azure Cosmos DB account (the trailing backtick continues the command on the next line):

Enable-AzSecurityAdvancedThreatProtection `
	-ResourceId "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmosdb-main-account"

02 The command output should return the new Advanced Threat Protection feature status:

IsEnabled Id
--------- --
     True  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmosdb-main-account"

03 Repeat steps no. 1 and 2 to enable Advanced Threat Protection for other Cosmos DB accounts available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
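The manual per-account loop in the Audit and Remediation sections above can be collapsed into one script. The following PowerShell is an added example written for this page; it is not Conformity's own code. It assumes the Az.Accounts, Az.Resources and Az.Security modules are installed and that Connect-AzAccount has already been run with an identity that can read every subscription of interest. It uses Get-AzResource to list Cosmos DB accounts across all resource groups at once, in place of the page's per-resource-group Get-AzCosmosDBAccount call, and the -Remediate switch is a hypothetical name chosen for this example: without it the script only reports, with it the script calls Enable-AzSecurityAdvancedThreatProtection for every account whose setting is off and re-reads the status afterwards.

```powershell
# Added example (not from the Conformity page): audit Advanced Threat Protection on every
# Azure Cosmos DB account in every subscription the signed-in identity can see, and
# optionally enable it where it is off. Requires Az.Accounts, Az.Resources, Az.Security
# and a prior Connect-AzAccount.
param(
    [switch]$Remediate   # hypothetical switch: report only unless it is supplied
)

$findings = foreach ($sub in Get-AzSubscription) {
    # Switch the session context so that resource listing targets this subscription.
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Get-AzResource lists accounts across all resource groups in one call, whereas the
    # page's Get-AzCosmosDBAccount example is scoped to a single resource group.
    foreach ($acct in Get-AzResource -ResourceType 'Microsoft.DocumentDB/databaseAccounts') {
        $atp     = Get-AzSecurityAdvancedThreatProtection -ResourceId $acct.ResourceId
        $enabled = [bool]$atp.IsEnabled

        if (-not $enabled -and $Remediate) {
            # Same call the Remediation section uses, then re-read the status so the
            # report reflects the post-change state rather than the intended one.
            Enable-AzSecurityAdvancedThreatProtection -ResourceId $acct.ResourceId | Out-Null
            $atp     = Get-AzSecurityAdvancedThreatProtection -ResourceId $acct.ResourceId
            $enabled = [bool]$atp.IsEnabled
        }

        [pscustomobject]@{
            Subscription  = $sub.Name
            ResourceGroup = $acct.ResourceGroupName
            Account       = $acct.Name
            ATPEnabled    = $enabled
        }
    }
}

# Non-compliant accounts (ATPEnabled = False) sort to the top of the table.
$findings | Sort-Object ATPEnabled, Subscription, Account | Format-Table -AutoSize

$nonCompliant = @($findings | Where-Object { -not $_.ATPEnabled })
Write-Host ("{0} of {1} Cosmos DB accounts have Advanced Threat Protection disabled." -f `
    $nonCompliant.Count, @($findings).Count)

# Non-zero exit code so a scheduled job or pipeline step fails while findings remain.
if ($nonCompliant.Count -gt 0) { exit 1 }
```

Run it as `.\Check-CosmosAtp.ps1` for a read-only audit and `.\Check-CosmosAtp.ps1 -Remediate` to enable the feature where it is off; the exit code lets the same script serve as a recurring compliance check.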

Publication date Apr 7, 2020
