Azure API calls indicating CosmosDB keys viewed
Description
AlphaSOC detected viewing of Azure CosmosDB access keys via the Microsoft.DocumentDB/databaseAccounts/listKeys/action operation. Access keys provide full administrative access to CosmosDB accounts, allowing read and write operations on all data.
While legitimate administrators may need to view keys for application configuration, this activity may also indicate credential harvesting by attackers who have gained access to the Azure environment. Compromised keys enable persistent access to database resources independent of Azure AD authentication.
Impact
Exposed CosmosDB keys allow attackers to access, modify, or exfiltrate all data in the database account without triggering Azure AD authentication events. Keys can be used from any network location if firewall rules permit, enabling data theft even after the initial compromise vector is remediated.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action or ASN |
| Medium | Two unexpected properties at the same time |
Investigation and Remediation
Review Azure Activity logs to identify who viewed the keys and from where. Determine if this was a legitimate administrative action or potential credential harvesting. Check for subsequent database activity using the keys.
If unauthorized, immediately regenerate the CosmosDB keys to invalidate any captured credentials. Review database access logs for suspicious queries or data access. Consider disabling key-based authentication and enforcing Azure AD authentication only where supported.
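As an added example (not AlphaSOC's code or part of this page), a small Python triage script that applies the severity table above to Azure Activity Log records: it keeps successful listKeys operations, marks the caller and source ASN as unexpected against an assumed baseline, and grades one unexpected property Low and two Medium. The `asn` field and the baseline sets are assumptions: Activity Log records natively carry only `callerIpAddress`, so the ASN would have to come from upstream enrichment.

```python
"""Added example (not AlphaSOC's code): grade CosmosDB listKeys calls found in
Azure Activity Log records using the Low/Medium severity table."""
from typing import Iterable, Optional

LISTKEYS_OP = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"

# Assumed baseline: principals that normally call listKeys (e.g. a deployment
# pipeline) and the ASNs those calls usually originate from. Both are
# placeholders constructed for this example.
EXPECTED_CALLERS = {"deploy-pipeline@example.com"}
EXPECTED_ASNS = {8075}


def assess(record: dict) -> Optional[dict]:
    """Return a finding for a successful listKeys call, or None."""
    if record.get("operationName", "").lower() != LISTKEYS_OP.lower():
        return None
    if record.get("resultType") != "Success":
        return None  # skip 'Start' events so each call is counted once
    unexpected = []
    if record.get("caller") not in EXPECTED_CALLERS:
        unexpected.append("action")  # listKeys is unusual for this principal
    # 'asn' is not a native Activity Log field; assumed to be added upstream
    # by enriching callerIpAddress.
    if record.get("asn") not in EXPECTED_ASNS:
        unexpected.append("asn")
    if not unexpected:
        return None
    severity = "Medium" if len(unexpected) >= 2 else "Low"
    return {"severity": severity, "unexpected": unexpected,
            "caller": record.get("caller"), "ip": record.get("callerIpAddress"),
            "resource": record.get("resourceId")}


def scan(records: Iterable[dict]) -> list:
    return [f for f in (assess(r) for r in records) if f]


# Constructed sample records in the shape of a diagnostic-settings export
# (operationName upper-cased, resultType 'Start'/'Success').
DB1 = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
       "/providers/Microsoft.DocumentDB/databaseAccounts/db1")
def rec(op, result, caller, ip, asn):
    return {"operationName": op, "resultType": result, "caller": caller,
            "callerIpAddress": ip, "asn": asn, "resourceId": DB1}
SAMPLE_RECORDS = [
    rec(LISTKEYS_OP.upper(), "Success", "deploy-pipeline@example.com", "203.0.113.10", 8075),
    rec(LISTKEYS_OP.upper(), "Start", "alice@example.com", "198.51.100.7", 64496),
    rec(LISTKEYS_OP.upper(), "Success", "alice@example.com", "198.51.100.7", 64496),
    rec(LISTKEYS_OP.upper(), "Success", "deploy-pipeline@example.com", "198.51.100.7", 64496),
    rec("MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/READ", "Success", "alice@example.com", "198.51.100.7", 64496),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Running it yields two findings: a Medium for the unknown principal from an unknown ASN, and a Low for the expected pipeline identity calling from an unexpected ASN.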
Known False Positives
- Application deployments requiring connection string configuration
- DevOps pipelines configuring database connections