Enable Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB protection is available at both the Subscription level, and resource level. You can enable Microsoft Defender for Cloud on your subscription to protect all database types on your subscription including Microsoft Defender for Azure Cosmos DB (recommended). You can also choose to enable Microsoft Defender for Azure Cosmos DB at the Resource level to protect a specific Azure Cosmos DB account.

Prerequisites

• An Azure account. If you don't already have an Azure account, you can create your Azure free account today.

Enable database protection at the subscription level

The subscription level enablement enables Microsoft Defender for Cloud protection for all database types in your subscription (recommended).

You can enable Microsoft Defender for Cloud protection on your subscription in order to protect all database types, for example, Azure Cosmos DB, Azure SQL Database, Azure SQL servers on machines, and OSS RDBs. You can also select specific resource types to protect when you configure your plan.

When you enable Microsoft Defender for Cloud's enhanced security features on your subscription, Microsoft Defender for Azure Cosmos DB is automatically enabled for all of your Azure Cosmos DB accounts.

To enable database protection at the subscription level:

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Environment settings.

3. Select the relevant subscription.

4. Locate Databases and toggle the switch to On.

   

5. Select Save.

To select specific resource types to protect when you configure your plan:

1. Follow steps 1 - 4 above.

2. Select Select types

   

3. Toggle the desired resource type switches to On.

   

4. Select Confirm.

Enable Microsoft Defender for Azure Cosmos DB at the resource level

You can enable Microsoft Defender for Cloud on a specific Azure Cosmos DB account through the Azure portal, PowerShell, Azure CLI, ARM template, or Azure Policy.

To enable Microsoft Defender for Cloud for a specific Azure Cosmos DB account:

Azure portal

1. Sign in to the Azure portal.

2. Navigate to your Azure Cosmos DB account > Settings.

3. Select Microsoft Defender for Cloud.

4. Select Enable Microsoft Defender for Azure Cosmos DB.

   

PowerShell

1. Install the Az.Security module.

2. Call the Enable-AzSecurityAdvancedThreatProtection command.

   Enable-AzSecurityAdvancedThreatProtection -ResourceId "/subscriptions/<Your subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.DocumentDb/databaseAccounts/myCosmosDBAccount/" 
   

3. Verify the Microsoft Defender for Azure Cosmos DB setting for your storage account through the PowerShell call Get-AzSecurityAdvancedThreatProtection command.

   Get-AzSecurityAdvancedThreatProtection -ResourceId "/subscriptions/<Your subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.DocumentDb/databaseAccounts/myCosmosDBAccount/" 
   

ARM template

Use an Azure Resource Manager template to deploy an Azure Cosmos DB account with Microsoft Defender for Azure Cosmos DB enabled. For more information, see Create an Azure Cosmos DB account with Microsoft Defender for Azure Cosmos DB enabled.

Azure CLI

To enable Microsoft Defender for Azure Cosmos DB on a single account via Azure CLI, call the az security atp cosmosdb update command. Remember to replace values in angle brackets with your own values:

az security atp cosmosdb update \
    --resource-group <resource-group> \
    --cosmosdb-account <cosmosdb-account> \
    --is-enabled true

To check the Microsoft Defender for Azure Cosmos DB setting for a single account via Azure CLI, call the az security atp cosmosdb show command. Remember to replace values in angle brackets with your own values:

az security atp cosmosdb show \
    --resource-group <resource-group> \
    --cosmosdb-account <cosmosdb-account>

Azure Policy

Use an Azure Policy to enable Microsoft Defender for Cloud across storage accounts under a specific subscription or resource group.

1. Launch the Azure Policy > Definitions page.

2. Search for the Configure Microsoft Defender for Azure Cosmos DB to be enabled policy, then select the policy to view the policy definition page.

   

3. Select the Assign button for the built-in policy.

   

4. Specify an Azure subscription.

   

5. Select Review + create to review the policy assignment and complete it.

Simulate security alerts from Microsoft Defender for Azure Cosmos DB

A full list of supported alerts is available in the reference table of all Defender for Cloud security alerts.

You can use sample Microsoft Defender for Azure Cosmos DB alerts to evaluate their value, and capabilities. Sample alerts will also validate any configurations you've made for your security alerts (such as SIEM integrations, workflow automation, and email notifications).

To create sample alerts from Microsoft Defender for Azure Cosmos DB:

1. Sign in to the Azure portal as a Subscription Contributor user.

2. Navigate to the security alerts page.

3. Select Sample alerts.

4. Select the subscription.

5. Select the relevant Microsoft Defender plan(s).

6. Select Create sample alerts.

   

After a few minutes, the alerts will appear in the security alerts page. Alerts will also appear anywhere that you've configured to receive your Microsoft Defender for Cloud security alerts. For example, connected SIEMs, and email notifications.

Next steps

In this article, you learned how to enable Microsoft Defender for Azure Cosmos DB, and how to simulate security alerts.

Automate responses to Microsoft Defender for Cloud triggers.