{"id":1119,"date":"2019-07-23T00:00:00","date_gmt":"2019-07-23T00:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one"},"modified":"2025-06-25T03:01:00","modified_gmt":"2025-06-25T10:01:00","slug":"always-on-real-time-threat-protection-with-azure-cosmos-db-part-one","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/","title":{"rendered":"Always-on, real-time threat protection with Azure Cosmos DB &#8211; part one"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>This two-part blog post is part of a series about how organizations are using Azure Cosmos DB to meet real-world needs, and the difference it\u2019s making to them. In part one, we explore the challenges that led the Microsoft Azure Advanced Threat Protection team to adopt Azure Cosmos DB and how they\u2019re using it. In <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-two\/\" target=\"_blank\" rel=\"noopener\">part two<\/a>, we\u2019ll examine the outcomes resulting from the team\u2019s efforts.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"transformation-of-a-real-time-security-solution-to-cloud-scale\">Transformation of a real-time security solution to cloud scale<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Azure Advanced Threat Protection is a cloud-based security service that uses customers\u2019 on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. Launched in 2018, it is the evolution into Azure of Microsoft Advanced Threat Analytics, an on-premises product. 
Both offerings are composed of two main components:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">An agent, or sensor, which is installed on each of an organization\u2019s domain controllers. The sensor inspects traffic sent from users to the domain controller along with Event Tracing for Windows (ETW) events generated by the domain controller, sending that information to a centralized back-end.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">A centralized back-end, or center, which aggregates the information from all the sensors, learns the behavior of the organization\u2019s users and computers, and looks for anomalies that may indicate malicious activity.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Advanced Threat Analytics\u2019 center used an on-premises instance of MongoDB as its main database\u2014and still does today for on-premises installations. However, in developing the Azure Advanced Threat Protection center, a managed service in the cloud, Microsoft needed something more performant and scalable. 
\u201cThe back-end of Azure Advanced Threat Protection needs to massively scale, be upgraded on a weekly basis, and run continuously evolving, advanced detection algorithms\u2014essentially taking full advantage of all the power and intelligence that Azure offers,\u201d explains Yaron Hagai, Principal Group Engineering Manager for Advanced Threat Analytics at Microsoft.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In searching for the best database for Azure Advanced Threat Protection to store its entities and profiles\u2014the data learned in real time from all the sensors about each organization\u2019s users and computers\u2014Hagai\u2019s team mapped out the following key requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Elastic, per-customer scalability:<\/strong> Each organization that adopts Azure Advanced Threat Protection can install hundreds of sensors, generating potentially tens of thousands of events per second. To learn each organization\u2019s baseline and apply its anomaly detection algorithms in real time, Azure Advanced Threat Protection needed a database that could scale efficiently and cost-effectively.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Ease of migration:<\/strong> The Azure Advanced Threat Protection data model is constantly evolving to support changes in detection logic. Hagai\u2019s team didn\u2019t want to keep maintaining backwards compatibility between the service\u2019s code and its ever-changing data model, which meant they needed a database that supported quick, easy data migration with almost every update to Azure Advanced Threat Protection they deployed.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Geo-replication:<\/strong> Like all Azure services, Advanced Threat Protection must support customers\u2019 critical disaster recovery and business continuity needs, including in the highly unlikely event of a datacenter failure. 
Through the use of geo-replication, customers\u2019 data can be replicated from a primary datacenter to a backup datacenter, and the Azure Advanced Threat Protection workload can be switched to the backup datacenter in the event of a primary datacenter failure.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-managed-scalable-schema-less-database-in-the-cloud\">A managed, scalable, schema-less database in the cloud<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The team chose Azure Cosmos DB as the back-end database for Azure Advanced Threat Protection. \u201cAs the only managed, scalable, schema-less database in Azure, Azure Cosmos DB was the obvious choice,\u201d says Hagai. \u201cIt offered the scalability needed to support our growing customer base and the load that growth would put on our back-end service. It also provided the flexibility needed in terms of the data we store on each organization and its computers and users. And it offered the flexibility needed to continually add new detections and modify existing ones, which in turn requires the ability to constantly change the data stored in our Azure Cosmos DB containers.\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/07\/26f5efba-060f-47c9-9308-2f436924f276.webp\" alt=\"Azure Advanced Threat Protection diagram\" style=\"border-radius:0px\" title=\"Azure Advanced Threat Protection diagram\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"containers-and-partitioning\">Containers and partitioning<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Of the many APIs that <a href=\"https:\/\/www.azurecosmosdb.com\/\" target=\"_blank\" rel=\"noopener\">Azure Cosmos DB<\/a> supports, the development team considered both the SQL API and the Azure Cosmos DB API for MongoDB for Azure Advanced Threat Protection. 
They eventually chose the SQL API because it gave them a rich, Microsoft-authored client SDK with support for multi-homing across global regions and a direct connectivity mode for low latency. The developers allocate one Azure Cosmos DB database per tenant, or customer. Each database has five containers, each of which starts on a single physical partition. \u201cThis allows us to easily delete the data for a customer if they stop using Azure Advanced Threat Protection,\u201d explains Hagai. \u201cMore importantly, however, it lets us scale each customer\u2019s containers independently based on the throughput generated by their on-premises sensors.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Of the five containers per customer, two usually grow beyond a single physical partition:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>UniqueEntity<\/em>, which contains all the metadata about the computers and users in the organization, as synchronized from Active Directory.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>UniqueEntityProfile<\/em>, which contains the behavioral baseline for each entity in the UniqueEntity container and is used by the detection logic to identify behavioral anomalies that imply a compromised user or computer, or a malicious insider.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cBoth containers have very high read\/write throughput with large <a href=\"https:\/\/docs.microsoft.com\/en-ca\/azure\/cosmos-db\/request-units\" target=\"_blank\" rel=\"noopener\">Request Units per second (RU\/s)<\/a> consumption,\u201d explains Hagai. 
\u201cAzure Cosmos DB seamlessly scales out storage of containers as they grow, and some of our large customers have scaled up to terabytes in size per container, which would not have been possible with MongoDB on VMs.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The other three containers for each customer typically hold fewer than 1,000 documents and do not grow past a single physical partition. They are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>SystemProfile<\/em>, which contains data learned for the tenant and applied to behavior-based detections.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>SystemEntity<\/em>, which contains configuration information and data about the tenant.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>Alert<\/em>, which contains the alerts that Azure Advanced Threat Protection generates and updates.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"migration\">Migration<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As the Azure Advanced Threat Protection detection logic evolves and improves, so does the shape of the behavioral data stored in each customer\u2019s UniqueEntityProfile container. To avoid carrying backwards-compatibility code for outdated schemas, Azure Advanced Threat Protection maintains two migration mechanisms, which run with each upgrade to the service that changes its data models:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>On-the-fly:<\/strong> As Azure Advanced Threat Protection reads documents from Azure Cosmos DB, it checks their version field. 
If the version is outdated, Azure Advanced Threat Protection migrates the document to the current version using explicit transformation logic written by Hagai\u2019s team of developers.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Batch:<\/strong> After a successful upgrade, Azure Advanced Threat Protection spins up a scheduled task that migrates all documents for all customers to the newest version, skipping those the on-the-fly mechanism has already migrated.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Together, these two mechanisms ensure that once the service has been upgraded and its data access layer code changed, no errors arise from parsing outdated documents. No backwards-compatibility code is needed beyond the explicit migration code, which is removed again in the following version.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"elastic-scaling-and-automatic-backups\">Elastic scaling and automatic backups<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Containers with very high read\/write throughput are often rate-limited when they reach their <a href=\"https:\/\/docs.microsoft.com\/en-ca\/azure\/cosmos-db\/set-throughput\" target=\"_blank\" rel=\"noopener\">provisioned RU\/s<\/a>. When one of the service\u2019s nodes (each node is a virtual machine) performs an operation against a container and receives a <a href=\"https:\/\/docs.microsoft.com\/en-us\/rest\/api\/cosmos-db\/http-status-codes-for-cosmosdb\" target=\"_blank\" rel=\"noopener\">\u201c429 Too Many Requests\u201d rate-limiting response<\/a>, it uses Azure Service Fabric remoting to ask a centralized elastic scaling service for more throughput. The centralized service aggregates such requests from multiple nodes so that throughput is not increased more than once within a short window of time, because a single burst of load can produce 429s on several nodes at once. 
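<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The following is an added example, not code from the Azure Advanced Threat Protection team, showing the two migration paths described under Migration in Python: a read path that upgrades an outdated document through explicit per-version transforms and writes it back, and a batch sweep that touches only the documents the read path has not already moved. The field names, version numbers, sample documents and the in-memory DocumentStore stand-in are constructed for the illustration; the real service runs against Azure Cosmos DB.<\/p>\n\n

```python
"""Versioned-document migration: upgrade on read, then sweep the rest in a batch.

Added illustration only, not the Azure ATP team's code. Field names, version
numbers, the sample documents and the in-memory DocumentStore are constructed.
"""
from typing import Any, Callable, Dict, List

CURRENT_VERSION = 3
Doc = Dict[str, Any]

# One explicit transform per version step (N -> N+1). Each is hand-written when
# the data model changes and deleted once every document has been moved, so the
# service never carries long-lived backwards-compatibility code.
def _v1_to_v2(doc: Doc) -> Doc:
    # v2 replaced a comma-separated host list with a per-host logon count.
    hosts = [h for h in doc.pop("logons", "").split(",") if h]
    doc["logonHosts"] = {h: 1 for h in hosts}
    doc["version"] = 2
    return doc

def _v2_to_v3(doc: Doc) -> Doc:
    # v3 renamed the field and added the baseline learning window.
    doc["hostLogonCounts"] = doc.pop("logonHosts")
    doc.setdefault("learningDays", 30)
    doc["version"] = 3
    return doc

MIGRATIONS: Dict[int, Callable[[Doc], Doc]] = {1: _v1_to_v2, 2: _v2_to_v3}

def migrate(doc: Doc) -> Doc:
    """Walk a document up to CURRENT_VERSION one explicit step at a time.

    A document stamped newer than this build is refused rather than guessed at:
    a node rolled back after a failed upgrade must not reinterpret such data.
    """
    version = doc.get("version", 1)
    if version > CURRENT_VERSION:
        raise ValueError(f"{doc['id']}: written by a newer build (v{version})")
    while version < CURRENT_VERSION:
        step = MIGRATIONS.get(version)
        if step is None:
            raise ValueError(f"{doc['id']}: no migration from v{version}")
        doc = step(doc)
        version = doc["version"]
    return doc

class DocumentStore:
    """Minimal stand-in for a Cosmos DB container: documents keyed by id."""

    def __init__(self, docs: List[Doc]) -> None:
        self.docs = {d["id"]: dict(d) for d in docs}
        self.writes = 0

    def read(self, doc_id: str) -> Doc:
        return dict(self.docs[doc_id])

    def upsert(self, doc: Doc) -> None:
        self.docs[doc["id"]] = dict(doc)
        self.writes += 1

    def query_outdated(self) -> List[Doc]:
        # Against Cosmos DB: SELECT * FROM c WHERE c.version < @current
        return [dict(d) for d in self.docs.values() if d.get("version", 1) < CURRENT_VERSION]

def read_profile(store: DocumentStore, doc_id: str) -> Doc:
    """On-the-fly path: callers only ever see current-version documents."""
    doc = store.read(doc_id)
    if doc.get("version", 1) != CURRENT_VERSION:
        doc = migrate(doc)
        store.upsert(doc)  # persist, so the batch sweep can skip this document
    return doc

def batch_migrate(store: DocumentStore) -> int:
    """Batch path: after an upgrade, sweep whatever the read path has not touched."""
    outdated = store.query_outdated()
    for doc in outdated:
        store.upsert(migrate(doc))
    return len(outdated)

# Constructed sample: one profile document per historical version.
SAMPLE_DOCS: List[Doc] = [
    {"id": "alice", "version": 1, "logons": "ws01,ws02"},
    {"id": "bob", "version": 2, "logonHosts": {"dc01": 4}},
    {"id": "carol", "version": 3, "hostLogonCounts": {}, "learningDays": 30},
]

def demo() -> Dict[str, Any]:
    """Run both paths against the sample and report what each one did."""
    store = DocumentStore(SAMPLE_DOCS)
    alice = read_profile(store, "alice")  # v1 -> v2 -> v3, written back
    swept = batch_migrate(store)          # only bob is still outdated
    return {
        "alice": alice,
        "swept": swept,
        "second_sweep": batch_migrate(store),  # nothing left to do
        "writes": store.writes,
        "versions": sorted(d["version"] for d in store.docs.values()),
    }
```

<p class=\"wp-block-paragraph\">Two details are worth keeping when adapting this. A document stamped with a version newer than the running build is rejected rather than parsed, so a node rolled back after a failed upgrade cannot silently misread data the new build has already rewritten. And every transform is exactly one version step, so the migration code deleted in the following release is precisely the step that the completed batch sweep has made unreachable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">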
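<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As an added example (not the team\u2019s code), the Python below models the scaling flow just described and the periodic scale-down the text goes on to describe: nodes that receive a 429 report to one central scaler, which turns a burst of reports into a single throughput increase, and an off-hours job shrinks throughput back toward observed usage. The RU figures, the two-second coalescing window, the cost ceiling (max_rus, which the post does not mention) and the simplified one-second throttling model are assumptions for the illustration; the Service Fabric remoting call between node and scaler is replaced by a direct method call.<\/p>\n\n

```python
"""Coalesced elastic scale-up on 429 responses, plus off-hours scale-down.

Added illustration only, not the Azure ATP team's code. RU costs, step size,
coalescing window, cost ceiling and the one-second throttling model are
constructed; the Service Fabric remoting hop is replaced by a method call.
"""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class TenantContainer:
    """Stand-in for one tenant's container with provisioned throughput.

    RU used in the current one-second window is tracked; an operation that would
    exceed the window's limit gets 429, as Cosmos DB does. A throughput change
    only takes effect at the next window, since it does not apply instantly.
    """
    provisioned_rus: int
    limit_this_second: int = 0
    used_this_second: int = 0
    history: List[int] = field(default_factory=list)

    def tick(self) -> None:
        self.limit_this_second = self.provisioned_rus
        self.used_this_second = 0
        self.history.append(self.limit_this_second)

    def execute(self, cost_rus: int) -> int:
        if self.used_this_second + cost_rus > self.limit_this_second:
            return 429
        self.used_this_second += cost_rus
        return 200

class ElasticScaler:
    """Centralized scaler: many nodes report 429s, one throughput change results.

    Several nodes hitting 429 in the same second is one burst, so only the first
    report inside window_s raises throughput. max_rus is an assumed cost ceiling.
    """
    def __init__(self, container: TenantContainer, step_rus: int, window_s: float,
                 max_rus: int, floor_rus: int) -> None:
        self.container = container
        self.step_rus, self.window_s = step_rus, window_s
        self.max_rus, self.floor_rus = max_rus, floor_rus
        self.last_scale_at = float("-inf")
        self.requests = 0
        self.scale_ups = 0

    def request_scale_up(self, now: float) -> bool:
        """Called by a node after a 429. Returns True if throughput was raised."""
        self.requests += 1
        if now - self.last_scale_at < self.window_s:
            return False  # coalesced with a change already in flight
        if self.container.provisioned_rus >= self.max_rus:
            return False  # at the ceiling: stop paying for a runaway load, alert instead
        self.container.provisioned_rus = min(self.max_rus, self.container.provisioned_rus + self.step_rus)
        self.last_scale_at = now
        self.scale_ups += 1
        return True

    def scale_down(self, working_hours: bool, peak_used_rus: int) -> bool:
        """Periodic job: outside working hours, shrink to recent peak plus one step of headroom."""
        if working_hours:
            return False
        target = max(self.floor_rus, peak_used_rus + self.step_rus)
        if target >= self.container.provisioned_rus:
            return False
        self.container.provisioned_rus = target
        return True

def simulate(nodes: int = 4, ops_per_node: int = 5, cost_rus: int = 50, seconds: int = 6) -> Dict[str, object]:
    """Constructed load: each second every node issues ops_per_node writes of cost_rus.

    Defaults give 1000 RU/s of demand against 400 RU/s provisioned, so the first
    second is a burst of 429s on several nodes that must yield exactly one step.
    """
    container = TenantContainer(provisioned_rus=400)
    scaler = ElasticScaler(container, step_rus=400, window_s=2.0, max_rus=4000, floor_rus=400)
    throttled = 0
    for t in range(seconds):
        container.tick()
        for _node in range(nodes):
            for _op in range(ops_per_node):
                if container.execute(cost_rus) == 429:
                    throttled += 1
                    scaler.request_scale_up(now=float(t))
    # Evening: observed peak has fallen to 200 RU/s; the scale-down job runs twice.
    in_hours = scaler.scale_down(working_hours=True, peak_used_rus=200)
    off_hours = scaler.scale_down(working_hours=False, peak_used_rus=200)
    return {
        "throttled": throttled,
        "scale_requests": scaler.requests,
        "scale_ups": scaler.scale_ups,
        "history": container.history,
        "scaled_down_in_hours": in_hours,
        "scaled_down_off_hours": off_hours,
        "final_rus": container.provisioned_rus,
    }
```

<p class=\"wp-block-paragraph\">In the simulated trace the second and third seconds are both throttled although only one scale-up results from the first burst: the coalescing window that prevents double-scaling on a single burst also delays a genuine second shortfall, so its length has to be tuned against how long a throughput change takes to apply. Two caveats for anyone building the same thing: a real Cosmos DB 429 response carries an x-ms-retry-after-ms header and the client SDK retries on the caller\u2019s behalf, so a scaler like this supplements that retry rather than replacing it; and the ceiling keeps a bug or a flood of sensor events from turning into an unbounded bill.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">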
To minimize overall RU\/s costs, a similar, periodic scale-down process reduces provisioned throughput when appropriate, such as during each customer\u2019s non-working hours.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Azure Advanced Threat Protection takes advantage of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/cosmos-db\/online-backup-and-restore\" target=\"_blank\" rel=\"noopener\">auto-backup feature of Azure Cosmos DB<\/a> to help protect each of the containers. The backups reside in Azure Blob storage and are replicated to another region through the use of geo-redundant storage (GRS). Azure Advanced Threat Protection also replicates customer configuration data to another region, which allows for quick recovery in the case of a disaster. \u201cWe do this primarily to safeguard the sensor configuration data\u2014preventing the need for an IT admin to reconfigure hundreds of sensors if the original database is lost,\u201d explains Hagai.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Azure Advanced Threat Protection recently began onboarding full geo-replication. \u201cWe\u2019ve started to enable geo-replication and multi-region writes for seamless and effortless replication of our production data to another region,\u201d says Hagai. 
\u201cThis will allow us to further improve and guarantee service availability and will simplify service delivery versus having to maintain our own high-availability mechanisms.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Continue to <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-two\/\" target=\"_blank\" rel=\"noopener\">part two<\/a>, which covers the outcomes of the Azure Advanced Threat Protection team\u2019s implementation of Azure Cosmos DB.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Azure Advanced Threat Protection is a cloud-based security service that uses customers\u2019 on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","footnotes":"","msx_community_cta_settings":[]},"categories":[1473,1485],"tags":[],"audience":[3053,3056],"content-type":[1511],"product":[1538],"tech-community":[],"topic":[],"coauthors":[177],"class_list":["post-1119","post","type-post","status-publish","format-standard","hentry","category-databases","category-internet-of-things","audience-it-decision-makers","audience-it-implementors","content-type-best-practices","product-azure-cosmos-db","review-flag-1680286581-295","review-flag-1-1680286581-825","review-flag-alway-1680286580-106","review-flag-new-1680286579-546"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Always-on, real-time threat protection with Azure Cosmos DB - part one | Microsoft Azure Blog<\/title>\n<meta name=\"description\" 
content=\"Microsoft Azure Advanced Threat Protection is a cloud-based security service that uses customers\u2019 on-premises Azure Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Always-on, real-time threat protection with Azure Cosmos DB - part one | Microsoft Azure Blog\" \/>\n<meta property=\"og:description\" content=\"Microsoft Azure Advanced Threat Protection is a cloud-based security service that uses customers\u2019 on-premises Azure Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Azure Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/microsoftazure\" \/>\n<meta property=\"article:published_time\" content=\"2019-07-23T00:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-25T10:01:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/07\/26f5efba-060f-47c9-9308-2f436924f276.webp\" \/>\n<meta name=\"author\" content=\"Parul Matah\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@azure\" \/>\n<meta name=\"twitter:site\" content=\"@azure\" \/>\n<meta name=\"twitter:label1\" 
content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Parul Matah\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/\"},\"author\":[{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/parul-matah\/\",\"@type\":\"Person\",\"@name\":\"Parul Matah\"}],\"headline\":\"Always-on, real-time threat protection with Azure Cosmos DB &#8211; part one\",\"datePublished\":\"2019-07-23T00:00:00+00:00\",\"dateModified\":\"2025-06-25T10:01:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/\"},\"wordCount\":1473,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/07\/26f5efba-060f-47c9-9308-2f436924f276.webp\",\"articleSection\":[\"Databases\",\"Internet of 
things\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/\",\"name\":\"Always-on, real-time threat protection with Azure Cosmos DB - part one | Microsoft Azure Blog\",\"isPartOf\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/07\/26f5efba-060f-47c9-9308-2f436924f276.webp\",\"datePublished\":\"2019-07-23T00:00:00+00:00\",\"dateModified\":\"2025-06-25T10:01:00+00:00\",\"description\":\"Microsoft Azure Advanced Threat Protection is a cloud-based security service that uses customers\u2019 on-premises Azure Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider 
actions.\",\"breadcrumb\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/#primaryimage\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/07\/26f5efba-060f-47c9-9308-2f436924f276.webp\",\"contentUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/07\/26f5efba-060f-47c9-9308-2f436924f276.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/always-on-real-time-threat-protection-with-azure-cosmos-db-part-one\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog home\",\"item\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Databases\",\"item\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/category\/databases\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Always-on, real-time threat protection with Azure Cosmos DB &#8211; part one\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#website\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\",\"name\":\"Microsoft Azure Blog\",\"description\":\"Get the latest Azure news, updates, and announcements from the Azure blog. 
From product updates to hot topics, hear from the Azure experts.\",\"publisher\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\",\"name\":\"Microsoft Azure Blog\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp\",\"contentUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Azure 
Blog\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/microsoftazure\",\"https:\/\/x.com\/azure\",\"https:\/\/www.instagram.com\/microsoftdeveloper\/\",\"https:\/\/www.linkedin.com\/company\/16188386\",\"https:\/\/www.youtube.com\/user\/windowsazure\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/person\/c702e5edd662b328b49b7e1180cab117\",\"name\":\"shakir\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g7664e653ea371ce16eaf75e9fa8952c4\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g\",\"caption\":\"shakir\"},\"sameAs\":[\"https:\/\/azure.microsoft.com\"],\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/shakir\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Azure 
Blog","distributor_original_site_url":"https:\/\/azure.microsoft.com\/en-us\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/1119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/comments?post=1119"}],"version-history":[{"count":1,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/1119\/revisions"}],"predecessor-version":[{"id":43199,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/1119\/revisions\/43199"}],"wp:attachment":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/media?parent=1119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/categories?post=1119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/tags?post=1119"},{"taxonomy":"audience","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/audience?post=1119"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/content-type?post=1119"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/product?post=1119"},{"taxonomy":"tech-community","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/tech-community?post=1119"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/topic?post=1119"},{"taxonomy":"author","embeddable":tr
ue,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/coauthors?post=1119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}