Unexpected Azure API calls indicating CosmosDB connection strings viewed
Description
AlphaSOC detected a read of Azure CosmosDB connection strings via the
Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action operation.
A CosmosDB connection string bundles the account endpoint with one of the
account's master keys, so anyone holding it can authenticate to the database
without an Azure AD identity.
Connection strings are read during legitimate application configuration, but the same operation is how an attacker with a role that grants this action (Contributor does, Reader does not) harvests database credentials. A harvested connection string gives persistent database access that can be used from any external system.
Impact
Exposed connection strings allow attackers to connect to CosmosDB from any location, read or modify data, and keep that access after the initial compromise vector is closed. Unlike Azure AD authentication, key-based requests carry no principal identity, so data-plane logs attribute them only to a key and a source IP, and the only way to revoke access is to regenerate the key, which also cuts off every legitimate consumer of that connection string.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action or ASN |
| Medium | Two unexpected properties at the same time |
Investigation and Remediation
Review Azure Activity logs to identify the principal who read the connection strings and the IP address and ASN the request came from, and assess whether this aligns with that principal's expected activity. Check for patterns of credential harvesting, such as one principal reading connection strings from several database accounts within a short window.
If unauthorized, regenerate the affected account's keys to invalidate the exposed connection strings; CosmosDB has a primary and a secondary key, so rotate them one at a time and move legitimate consumers over in between to avoid an outage. Audit the account's data-plane diagnostic logs (the DataPlaneRequests category) for requests from unexpected sources between the read and the key rotation. Restrict network access with the account's IP firewall rules, virtual network service endpoints or private endpoints, and plan a migration to Azure AD authentication so that key-based access can eventually be disabled on the account.
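The triage steps above, as an added example (not AlphaSOC code): it reads Activity log records, keeps only successful listConnectionStrings operations, lists principals that pulled connection strings from several database accounts, and applies the severity table by counting unexpected properties. The log lines are constructed with field names simplified from the Azure Activity log schema; the expected-principal and expected-ASN sets and the IP-to-ASN table are hypothetical stand-ins for a tenant baseline and an enrichment source (the ASNs are from the documentation range).

```python
"""Triage Azure Activity log records for CosmosDB connection-string reads.

Added example, not AlphaSOC code. Sample records, allowlists and the
IP-to-ASN table are constructed for illustration.
"""
import json
from collections import defaultdict

LIST_CONN_STRINGS = "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action"

# Constructed sample: one JSON record per line, field names simplified from the
# Azure Activity log schema. One routine read by a deployment service principal,
# three reads by one user across three accounts, and one unrelated operation.
SAMPLE_LOG = """\
{"time":"2024-05-01T09:00:00Z","operationName":"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action","caller":"deploy-sp@contoso.example","callerIpAddress":"10.1.0.4","resourceId":"/subscriptions/0000/resourceGroups/app-rg/providers/Microsoft.DocumentDB/databaseAccounts/orders-db","status":"Succeeded"}
{"time":"2024-05-01T22:13:05Z","operationName":"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION","caller":"jdoe@contoso.example","callerIpAddress":"198.51.100.23","resourceId":"/subscriptions/0000/resourceGroups/app-rg/providers/Microsoft.DocumentDB/databaseAccounts/orders-db","status":"Succeeded"}
{"time":"2024-05-01T22:13:09Z","operationName":"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION","caller":"jdoe@contoso.example","callerIpAddress":"198.51.100.23","resourceId":"/subscriptions/0000/resourceGroups/app-rg/providers/Microsoft.DocumentDB/databaseAccounts/customers-db","status":"Succeeded"}
{"time":"2024-05-01T22:13:14Z","operationName":"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION","caller":"jdoe@contoso.example","callerIpAddress":"198.51.100.23","resourceId":"/subscriptions/0000/resourceGroups/analytics-rg/providers/Microsoft.DocumentDB/databaseAccounts/telemetry-db","status":"Succeeded"}
{"time":"2024-05-01T22:14:00Z","operationName":"Microsoft.DocumentDB/databaseAccounts/read","caller":"jdoe@contoso.example","callerIpAddress":"198.51.100.23","resourceId":"/subscriptions/0000/resourceGroups/app-rg/providers/Microsoft.DocumentDB/databaseAccounts/orders-db","status":"Succeeded"}
"""

# Hypothetical tenant baseline an analyst would maintain.
EXPECTED_CALLERS = {"deploy-sp@contoso.example"}  # principals that normally read connection strings
EXPECTED_ASNS = {64500}                            # ASNs the tenant normally operates from
# Constructed stand-in for an IP-to-ASN enrichment source (documentation-range ASNs).
IP_TO_ASN = {"10.1.0.4": 64500, "198.51.100.23": 64511}


def parse_records(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def connection_string_reads(records):
    """Keep successful listConnectionStrings operations; exports differ in case, so compare case-insensitively."""
    return [r for r in records
            if r["operationName"].lower() == LIST_CONN_STRINGS.lower()
            and r.get("status") == "Succeeded"]


def account_name(resource_id):
    """Last path segment of the resource ID is the database account name."""
    return resource_id.rsplit("/", 1)[-1]


def accounts_by_caller(reads):
    """Map each principal to the set of database accounts whose connection strings it read."""
    out = defaultdict(set)
    for r in reads:
        out[r["caller"]].add(account_name(r["resourceId"]))
    return out


def harvesting_candidates(reads, min_accounts=2):
    """Principals that pulled connection strings from several accounts, the pattern the guidance asks for."""
    return sorted(c for c, accts in accounts_by_caller(reads).items() if len(accts) >= min_accounts)


def severity(read):
    """Apply the severity table: one unexpected property -> Low, two -> Medium, none -> no alert (None)."""
    unexpected = 0
    if read["caller"] not in EXPECTED_CALLERS:
        unexpected += 1  # unexpected action: this principal does not normally read connection strings
    if IP_TO_ASN.get(read["callerIpAddress"]) not in EXPECTED_ASNS:
        unexpected += 1  # unexpected ASN
    return {0: None, 1: "Low", 2: "Medium"}[unexpected]


def triage(text=SAMPLE_LOG):
    """Summarise the reads, the harvesting candidates and the per-read severity."""
    reads = connection_string_reads(parse_records(text))
    return {
        "reads": len(reads),
        "harvesting_candidates": harvesting_candidates(reads),
        "severities": [severity(r) for r in reads],
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

On the constructed sample the deployment principal's read scores no alert, while each of jdoe's reads has both an unexpected caller and an unexpected ASN and scores Medium, and jdoe is the only principal touching two or more accounts. In practice the baseline sets would be built from historical Activity log data for the tenant rather than hard-coded.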
Known False Positives
- Application configuration during deployments
- Developer access for troubleshooting
- Migration or backup tool configuration