version: 1
ATT&CK version: 8.2
creation date: 04/07/2021
name: Alerts for Azure Cosmos DB
contact: ctid@mitre-engenuity.org
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
  - Azure Security Center
  - Database
description: >-
  The Azure Cosmos DB alerts are generated by unusual and potentially harmful
  attempts to access or exploit Azure Cosmos DB accounts.
techniques:
  - id: T1078
    name: Valid Accounts
    technique-scores:
      - category: Detect
        value: Minimal
        comments: >-
          This control's detection is specific to Cosmos DB and therefore
          provides minimal overall detection coverage for Valid Accounts,
          resulting in a Minimal score. A relevant alert is "Access from an
          unusual location to a Cosmos DB account".
    sub-techniques-scores:
      - sub-techniques:
          - id: T1078.004
            name: Cloud Accounts
        scores:
          - category: Detect
            value: Minimal
            comments: >-
              This control triggers an alert when there is a change in the
              access pattern to an Azure Cosmos account based on access from
              an unusual geographical location. False positives are fairly
              likely and misuse from a typical location is not covered, so
              the score is Minimal. The relevant alert is "Access from an
              unusual location to a Cosmos DB account".
  - id: T1213
    name: Data from Information Repositories
    technique-scores:
      - category: Detect
        value: Minimal
        comments: >-
          This control triggers an alert when an unusually large amount of
          data is extracted from/by an account compared to recent activity.
          False positives are fairly likely and extraction in quantities
          below the control's threshold is not detected, so the score is
          Minimal. Neither of the sub-techniques is relevant in this context,
          since they are repository-specific. The relevant alert is "Unusual
          amount of data extracted from a Cosmos DB account".
comments: >-
  This control is still in preview, so its coverage will likely expand in the
  future. This mapping is based on its current (preview) state.
references:
  - 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference'
  - 'https://docs.microsoft.com/en-us/azure/security-center/other-threat-protections'
  - 'https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection'