Sensitive data threat detection
Security · Microsoft Defender for Cloud · 2023_06
Enable sensitive data threat detection in Microsoft Defender for Storage.
Description
Sensitive data threat detection is an additional security feature of Microsoft Defender for Storage. When enabled, Defender for Storage raises alerts when sensitive data is discovered.
The sensitive data threat detection capability helps teams:
- Identify where sensitive data is stored.
- Detect possible security incidents resulting in data exposure.
When enabling sensitive data threat detection, the sensitive data categories include the built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize Data Sensitivity Discovery for an organization by creating custom sensitive information types (SITs).
Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level, which ensures that all storage accounts in the subscription are protected, including ones created in the future.
Recommendation
Consider using sensitive data threat detection in Microsoft Defender for Storage.
Examples
Configure with Azure template
To enable sensitive data threat detection in Microsoft Defender for Storage:
- Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
- Configure a SensitiveDataDiscovery extension.
For example:
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2022-03-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
      }
    ]
  }
}
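As an added example (not part of the original page, and not PSRule's own rule implementation), the following Python check evaluates the resources of an ARM template against the three settings above: Standard tier, DefenderForStorageV2 sub plan, and an enabled SensitiveDataDiscovery extension. The sample templates are constructed for the demonstration.

```python
def check_storage_pricing(resource):
    """Return findings for a Microsoft.Security/pricings resource named
    StorageAccounts; an empty list means the resource is compliant."""
    findings = []
    props = resource.get("properties", {})
    if props.get("pricingTier") != "Standard":
        findings.append("pricingTier must be 'Standard'")
    if props.get("subPlan") != "DefenderForStorageV2":
        findings.append("subPlan must be 'DefenderForStorageV2'")
    ext = next((e for e in props.get("extensions", [])
                if e.get("name") == "SensitiveDataDiscovery"), None)
    if ext is None:
        findings.append("SensitiveDataDiscovery extension is missing")
    elif str(ext.get("isEnabled", "")).lower() != "true":  # accepts "True" or true
        findings.append("SensitiveDataDiscovery extension is not enabled")
    return findings


def evaluate_template(template):
    """Return all findings for an ARM template; an empty list means it passes.
    A template with no StorageAccounts pricing resource is reported as a
    finding rather than silently passing."""
    findings, matched = [], False
    for i, res in enumerate(template.get("resources", [])):
        if (res.get("type", "").lower() == "microsoft.security/pricings"
                and res.get("name", "").lower() == "storageaccounts"):
            matched = True
            findings += [f"resources[{i}]: {f}" for f in check_storage_pricing(res)]
    if not matched:
        findings.append("no Microsoft.Security/pricings resource named StorageAccounts")
    return findings


# Constructed samples: a compliant V2 plan and a classic plan that sets
# neither the sub plan nor the extension.
COMPLIANT = {"resources": [{
    "type": "Microsoft.Security/pricings", "apiVersion": "2022-03-01",
    "name": "StorageAccounts",
    "properties": {"pricingTier": "Standard", "subPlan": "DefenderForStorageV2",
                   "extensions": [{"name": "SensitiveDataDiscovery", "isEnabled": "True"}]}}]}
CLASSIC_PLAN = {"resources": [{
    "type": "Microsoft.Security/pricings", "apiVersion": "2022-03-01",
    "name": "StorageAccounts",
    "properties": {"pricingTier": "Standard"}}]}

if __name__ == "__main__":
    for finding in evaluate_template(CLASSIC_PLAN):
        print(finding)
```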
Configure with Bicep
To enable sensitive data threat detection in Microsoft Defender for Storage:
- Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
- Configure a SensitiveDataDiscovery extension.
For example:
resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}
Notes
This feature is currently in preview.
The DefenderForStorageV2 sub plan represents the new Defender for Storage plan, which offers several new benefits that aren't included in the classic plan, such as sensitive data threat detection.
Sensitive data threat detection is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.
Links
- Security operations in Azure
- What is Microsoft Defender for Cloud?
- Sensitive data threat detection in Defender for Storage
- Support and prerequisites for data-aware security posture
- Overview of Microsoft Defender for Storage
- Enable and configure Microsoft Defender for Storage
- Quickstart: Enable enhanced security features
- Azure security baseline for Storage
- DP-2: Monitor anomalies and threats targeting sensitive data
- LT-1: Enable threat detection capabilities
- Azure Policy built-in policy definitions
- Azure deployment reference