Microsoft Defender for Azure Cosmos DB


Microsoft Defender for Azure Cosmos DB is now generally available (GA) and supports SQL (core) API account types.

This GA release is part of the Microsoft Defender for Cloud database protection suite, which also covers several SQL database types and MariaDB. Microsoft Defender for Azure Cosmos DB is an Azure-native security layer that detects attempts to exploit databases in your Azure Cosmos DB accounts. The alerts it raises are listed below.


| Alert (alert type) | Description | MITRE tactics | Severity |
|---|---|---|---|
| Access from a Tor exit node | This Azure Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. | Initial Access | High/Medium |
| Access from a suspicious IP | This Azure Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence. | Initial Access | Medium |
| Access from an unusual location | This Azure Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern. Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. | Initial Access | Low |
| Unusual volume of data extracted | An unusually large volume of data has been extracted from this Azure Cosmos DB account. This might indicate that a threat actor exfiltrated data. | Exfiltration | Medium |
| Extraction of Azure Cosmos DB accounts keys via a potentially malicious script | A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription. Threat actors use automated scripts, like MicroBurst, to list keys and find Azure Cosmos DB accounts they can access. This operation might indicate that an identity in your organization was breached and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment with malicious intent. Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement. | | |
| Suspicious extraction of Azure Cosmos DB account keys (AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal) | A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high-impact issue. The access key that was extracted provides full control over the associated databases and the data stored within. See the details of each specific alert to understand why the source was flagged as suspicious. | Credential Access | High |
| SQL injection: potential data exfiltration | A suspicious SQL statement was used to query a container in this Azure Cosmos DB account. The injected statement might have succeeded in exfiltrating data that the threat actor isn't authorized to access. Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work, and threat actors can exfiltrate data. | | |
| SQL injection: fuzzing attempt | A suspicious SQL statement was used to query a container in this Azure Cosmos DB account. Like other well-known SQL injection attacks, this attack won't succeed in compromising the Azure Cosmos DB account. Nevertheless, it's an indication that a threat actor is trying to attack the resources in this account, and your application may be compromised. Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data. You can prevent this threat by using parameterized queries. | | |
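The two key-extraction alerts above are built on the same observable: one principal calling key-listing operations against many Cosmos DB accounts in a short time. The following is an added example, not Defender for Cloud's own logic, of that detection run over constructed Azure Activity Log records; the ten-minute window, the three-account threshold and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure Activity Log operation names whose response returns Cosmos DB account
# keys or connection strings (the operations a key-listing sweep has to call).
KEY_LISTING_OPS = {
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
}

def _rec(ts, caller, account, op="listKeys/action"):
    """Build a minimal constructed Activity Log record (not real data)."""
    return {"time": ts, "caller": caller,
            "operationName": "Microsoft.DocumentDB/databaseAccounts/" + op,
            "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/"
                          "Microsoft.DocumentDB/databaseAccounts/" + account}

# Constructed sample: one principal lists keys of four accounts within seconds
# (the scripted pattern the alert describes); a human reads one account's keys.
SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:05Z", "automation-sp", "acct-a"),
    _rec("2024-05-01T10:00:07Z", "automation-sp", "acct-b"),
    _rec("2024-05-01T10:00:09Z", "automation-sp", "acct-c", "listConnectionStrings/action"),
    _rec("2024-05-01T10:00:11Z", "automation-sp", "acct-d"),
    _rec("2024-05-01T10:03:00Z", "alice@example.com", "acct-a"),
    _rec("2024-05-01T12:30:00Z", "alice@example.com", "acct-a", "write"),  # not a key read
]

def find_key_sweeps(records, window=timedelta(minutes=10), min_accounts=3):
    """Return {caller: max distinct accounts whose keys it listed inside `window`}
    for every caller that reaches `min_accounts`. Both thresholds are assumptions."""
    by_caller = defaultdict(list)
    for r in records:
        if r["operationName"] in KEY_LISTING_OPS:
            ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
            by_caller[r["caller"]].append((ts, r["resourceId"].lower()))
    findings = {}
    for caller, events in by_caller.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding window over sorted events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {acct for _, acct in events[lo:hi + 1]}
            if len(distinct) >= min_accounts:
                findings[caller] = max(findings.get(caller, 0), len(distinct))
    return findings

if __name__ == "__main__":
    print(find_key_sweeps(SAMPLE_RECORDS))   # {'automation-sp': 4}
```

A hit is a triage lead, not proof of compromise: deployment pipelines legitimately list keys, so compare the caller against the principals expected to do so.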
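The two SQL injection alerts end with the mitigation, parameterized queries. As an added example (not code from the page or from the Azure SDK), the block below contrasts the string-spliced query that produces those alerts with the parameterized query spec the Cosmos DB SQL API accepts, and adds a small review check that rejects query text carrying literals; the container schema, the `userId` field and the sample input are assumptions.

```python
import re

PLACEHOLDER = re.compile(r"@\w+")                    # Cosmos DB parameter names start with @
STRING_LITERAL = re.compile(r'"[^"]*"|\'[^\']*\'')   # quoted literals in query text

def unsafe_query(user_id):
    """The pattern behind the injection alerts: caller input spliced into query text."""
    return {"query": f'SELECT * FROM c WHERE c.userId = "{user_id}"', "parameters": []}

def safe_query(user_id):
    """Parameterized form: the query text is constant and the input is only a value.
    The dict shape is the SQL API query spec (what azure-cosmos query_items takes
    as query= and parameters=)."""
    return {"query": "SELECT * FROM c WHERE c.userId = @userId",
            "parameters": [{"name": "@userId", "value": user_id}]}

def lint_query(spec):
    """Review check for a query spec: list the reasons it is not safely parameterized."""
    issues = []
    text = spec["query"]
    if STRING_LITERAL.search(text):
        issues.append("string literal in query text; pass it as a parameter instead")
    if text.count('"') % 2 or text.count("'") % 2:
        issues.append("unbalanced quote in query text; input has changed the syntax")
    used = set(PLACEHOLDER.findall(text))
    declared = {p["name"] for p in spec["parameters"]}
    if used - declared:
        issues.append("placeholders without a parameter: " + ", ".join(sorted(used - declared)))
    if declared - used:
        issues.append("parameters never referenced: " + ", ".join(sorted(declared - used)))
    return issues

if __name__ == "__main__":
    name = 'O"Brien'   # constructed input containing a quote
    print(lint_query(unsafe_query(name)))   # two issues: literal + unbalanced quote
    print(lint_query(safe_query(name)))     # []
```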

AKS | Deprecated Labels


The following labels are planned for deprecation with the release of Kubernetes v1.24. Customers should change any label references to the recommended substitute.

| Label | Recommended substitute | Maintainer |
|---|---|---|
| Agentpool* | | Azure Kubernetes Service |
| Storageprofile* | | Azure Kubernetes Service |
| Storagetier* | | Azure Kubernetes Service |
| Accelerator* | | Azure Kubernetes Service |
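Before the deprecation lands, the practical check is finding every manifest that still schedules on one of the labels above. The following is an added example, not AKS tooling, that walks an already-loaded manifest (a parsed YAML or JSON document) and reports nodeSelector keys and nodeAffinity matchExpressions that reference a deprecated label; label names are matched case-insensitively, and the sample Deployment is constructed.

```python
DEPRECATED_LABELS = {"agentpool", "storageprofile", "storagetier", "accelerator"}

def _walk(node, path, found):
    """Recursively collect deprecated label keys used in nodeSelector blocks and
    in affinity matchExpressions, recording the path to each reference."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + [key]
            if key == "nodeSelector" and isinstance(value, dict):
                for label in value:
                    if label.lower() in DEPRECATED_LABELS:
                        found.append(("/".join(here), label))
            elif key == "matchExpressions" and isinstance(value, list):
                for i, expr in enumerate(value):
                    label = str(expr.get("key", "")) if isinstance(expr, dict) else ""
                    if label.lower() in DEPRECATED_LABELS:
                        found.append(("/".join(here + [str(i)]), label))
            _walk(value, here, found)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, path + [str(i)], found)

def find_deprecated_label_refs(manifest):
    """Return [(path, label)] for each deprecated label the manifest relies on."""
    found = []
    _walk(manifest, [], found)
    return found

# Constructed sample Deployment (not from the page): one nodeSelector and one
# affinity rule use soon-to-be-deprecated labels; a standard label is ignored.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "gpu-worker"},
    "spec": {"template": {"spec": {
        "nodeSelector": {"agentpool": "gpupool", "kubernetes.io/os": "linux"},
        "affinity": {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {
            "nodeSelectorTerms": [{"matchExpressions": [
                {"key": "accelerator", "operator": "In", "values": ["nvidia"]}]}]}}},
    }}},
}

if __name__ == "__main__":
    for path, label in find_deprecated_label_refs(SAMPLE_DEPLOYMENT):
        print(f"{label}: {path}")
```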


AKS | Release Tracker


This article covers the AKS release tracker:

AKS ships weekly rounds of fixes, feature updates and component updates that affect all clusters and customers. Because of Azure Safe Deployment Practices (SDP), a release can take up to two weeks from its initial ship date to roll out to every region. Customers need to know when a particular AKS release reaches their region, and the AKS release tracker provides these details in real time, by version and by region.

Use the AKS release tracker to:

  • See AKS deployments in real time, every week, by region
  • See the flow of deployment (SDP) from one region to the next
  • Follow links from the page to the current and past release notes

To view the release tracker, visit the AKS release status webpage.