Sensitive data threat detection#
Security · Microsoft Defender for Cloud · Rule · Preview · 2023_06 · Critical
Enable sensitive data threat detection in Microsoft Defender for Storage.
Description#
Sensitive data threat detection is an additional capability of Microsoft Defender for Storage. When it is enabled, Defender for Storage discovers sensitive data in storage accounts and raises alerts for activity that exposes or affects that data.
The sensitive data threat detection capability helps teams:
- Identify where sensitive data is stored.
- Detect possible security incidents resulting in data exposure.
When sensitive data threat detection is enabled, the sensitive data categories include the built-in sensitive information types (SITs) in the default list of Microsoft Purview. Data Sensitivity Discovery can be customized for an organization by creating custom sensitive information types (SITs).
Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level. Doing so protects all storage accounts in the subscription, including storage accounts created later.
Recommendation#
Consider enabling sensitive data threat detection in Microsoft Defender for Storage for all storage accounts in the subscription.
Examples#
Configure with Azure template#
To enable sensitive data threat detection in Microsoft Defender for Storage:
- Set the `properties.pricingTier` property to `Standard`.
- Set the `properties.subPlan` property to `DefenderForStorageV2`.
- Configure settings for the `SensitiveDataDiscovery` extension.
For example:
```json
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2024-01-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "True",
        "additionalExtensionProperties": {
          "CapGBPerMonthPerStorageAccount": "5000"
        }
      },
      {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
      }
    ]
  }
}
```
Configure with Bicep#
To enable sensitive data threat detection in Microsoft Defender for Storage:
- Set the `properties.pricingTier` property to `Standard`.
- Set the `properties.subPlan` property to `DefenderForStorageV2`.
- Configure settings for the `SensitiveDataDiscovery` extension.
For example:
```bicep
resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}
```
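The template and Bicep examples above show the compliant configuration. The following script is an added example, not PSRule's own rule code, that checks the same three conditions (Standard tier, `DefenderForStorageV2` sub-plan, `SensitiveDataDiscovery` extension enabled) against the `properties` object of a `Microsoft.Security/pricings` resource, and reports which one fails. It runs offline on constructed sample inputs; the assumption that the same shape is returned live by `az security pricing show --name StorageAccounts --query properties` is just that, an assumption about the CLI output.

```python
"""Check a Microsoft.Security/pricings 'StorageAccounts' plan for
sensitive data threat detection.

Added example, not PSRule's rule code. Input is the ``properties``
object of the pricing resource, in the same shape as the template
above. Fetching it live is assumed (not verified here) to look like:
    az security pricing show --name StorageAccounts --query properties
"""
from typing import Optional

# Constructed sample inputs (not real subscription data).
COMPLIANT = {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
        {"name": "OnUploadMalwareScanning", "isEnabled": "True",
         "additionalExtensionProperties": {"CapGBPerMonthPerStorageAccount": "5000"}},
        {"name": "SensitiveDataDiscovery", "isEnabled": "True"},
    ],
}
# Classic plan: the API accepts it, but it has no SensitiveDataDiscovery extension.
CLASSIC_PLAN = {"pricingTier": "Standard", "subPlan": "PerTransaction"}
EXTENSION_DISABLED = {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [{"name": "SensitiveDataDiscovery", "isEnabled": "False"}],
}
PLAN_OFF = {"pricingTier": "Free"}


def _norm(value) -> str:
    """Normalise API values: the API uses the strings 'True'/'False', but
    some tooling emits booleans and casing is not guaranteed."""
    return str(value).strip().lower()


def find_extension(properties: dict, name: str) -> Optional[dict]:
    """Return the named extension entry, or None if it is not configured."""
    for ext in properties.get("extensions") or []:
        if ext.get("name") == name:
            return ext
    return None


def check_storage_pricing(properties: dict) -> list:
    """Return a list of findings; an empty list means the plan is compliant.

    Checks stop at the first failing prerequisite, because the later
    settings are meaningless without the earlier ones.
    """
    findings = []
    if _norm(properties.get("pricingTier")) != "standard":
        findings.append("pricingTier is not Standard: Defender for Storage is not enabled")
        return findings
    if _norm(properties.get("subPlan")) != "defenderforstoragev2":
        findings.append("subPlan is not DefenderForStorageV2: sensitive data threat "
                        "detection is not available on the classic plan")
        return findings
    ext = find_extension(properties, "SensitiveDataDiscovery")
    if ext is None:
        findings.append("SensitiveDataDiscovery extension is not configured")
    elif _norm(ext.get("isEnabled")) != "true":
        findings.append("SensitiveDataDiscovery extension is configured but disabled")
    return findings


def is_compliant(properties: dict) -> bool:
    """True when sensitive data threat detection is fully enabled."""
    return not check_storage_pricing(properties)


if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("classic plan", CLASSIC_PLAN),
               ("extension disabled", EXTENSION_DISABLED), ("plan off", PLAN_OFF)]
    for label, props in samples:
        findings = check_storage_pricing(props)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Only the `COMPLIANT` sample passes; each of the other three fails on a different prerequisite, which is why the check reports the first missing one rather than everything at once.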
Configure with Azure Policy#
To address this issue at runtime use the following policies:
- Microsoft Defender for Storage should be enabled: `/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4`
- Configure Microsoft Defender for Storage to be enabled: `/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390`
Notes#
This feature is currently in preview.
Sensitive data threat detection is only available in the `DefenderForStorageV2` sub-plan for Defender for Storage, which offers new features that aren't included in the classic plan.
Not all services and blob types within storage accounts are currently supported. See the limitations for more information.
Links#
- SE:10 Monitoring and threat detection
- What is Microsoft Defender for Cloud?
- Sensitive data threat detection in Defender for Storage
- Support and prerequisites for data-aware security posture
- Overview of Microsoft Defender for Storage
- Enable and configure Microsoft Defender for Storage
- Quickstart: Enable enhanced security features
- Azure security baseline for Storage
- DP-2: Monitor anomalies and threats targeting sensitive data
- LT-1: Enable threat detection capabilities
- Azure Policy built-in policy definitions
- Azure deployment reference