Azure user viewed CosmosDB connection string
Set up the azure integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database.
Strategy
Monitor Azure CosmoDB logs where @evt.name
is "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION"
and @evt.outcome
is Success
.
Triage and response
- Verify that the user (
{{@usr.name}}
) should be viewing the connection string for the following CosmoDB database: ({{@resourceId}}
). - If the activity is not expected, investigate the activity around the CosmoDB (
{{@resourceId}}
).