
Sensitive data threat detection

Security · Microsoft Defender for Cloud · Rule · 2023_06

Enable sensitive data threat detection in Microsoft Defender for Storage.

Description

Sensitive data threat detection is an additional security feature of Microsoft Defender for Storage. When enabled, Defender for Storage provides alerts when sensitive data is discovered.

The sensitive data threat detection capability helps teams:

  • Identify where sensitive data is stored.
  • Detect possible security incidents resulting in data exposure.

When sensitive data threat detection is enabled, the sensitive data categories include the built-in sensitive information types (SITs) in the default list of Microsoft Purview. Data Sensitivity Discovery can be customized for an organization by creating custom sensitive information types (SITs).

Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level. Doing so ensures that all storage accounts in the subscription are protected, including ones created in the future.

Recommendation

Consider using sensitive data threat detection in Microsoft Defender for Storage.

Examples

Configure with Azure template

To enable sensitive data threat detection in Microsoft Defender for Storage:

  • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
  • Configure a SensitiveDataDiscovery extension with isEnabled set to True.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "True",
        "additionalExtensionProperties": {
          "CapGBPerMonthPerStorageAccount": "5000"
        }
      },
      {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
      }
    ]
  }
}

Configure with Bicep

To enable sensitive data threat detection in Microsoft Defender for Storage:

  • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
  • Configure a SensitiveDataDiscovery extension with isEnabled set to True.

For example:

Azure Bicep snippet
resource defenderForStorage 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}
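The two snippets above set the same three conditions: the Standard pricing tier, the DefenderForStorageV2 sub plan, and an enabled SensitiveDataDiscovery extension. The following added example (not part of this page or of the PSRule for Azure project) evaluates a Microsoft.Security/pricings resource, as it would appear in an exported ARM template, against those conditions and reports why it fails; the helper name and the constructed sample resources are assumptions.

```python
# Added example: check a Microsoft.Security/pricings resource for the
# conditions described on this page. Not the PSRule for Azure implementation.
REQUIRED_TIER = "Standard"
REQUIRED_SUB_PLAN = "DefenderForStorageV2"
REQUIRED_EXTENSION = "SensitiveDataDiscovery"


def sensitive_data_detection_findings(resource: dict) -> list[str]:
    """Return the reasons a pricings resource fails the rule; empty means pass."""
    if resource.get("type", "").lower() != "microsoft.security/pricings":
        return ["not a Microsoft.Security/pricings resource"]
    if resource.get("name", "").lower() != "storageaccounts":
        return ["pricing resource is not the StorageAccounts plan"]
    props = resource.get("properties", {})
    findings = []
    tier = props.get("pricingTier")
    if tier != REQUIRED_TIER:
        findings.append(f"pricingTier is {tier!r}, expected {REQUIRED_TIER!r}")
    sub_plan = props.get("subPlan")
    if sub_plan != REQUIRED_SUB_PLAN:
        findings.append(f"subPlan is {sub_plan!r}, expected {REQUIRED_SUB_PLAN!r}")
    # In the 2023-01-01 API isEnabled is the string "True" or "False"; the
    # case-insensitive comparison is a defensive assumption, not API behaviour.
    enabled = [
        ext for ext in props.get("extensions", [])
        if ext.get("name") == REQUIRED_EXTENSION
        and str(ext.get("isEnabled", "")).lower() == "true"
    ]
    if not enabled:
        findings.append(f"extension {REQUIRED_EXTENSION} is missing or not enabled")
    return findings


# Constructed sample resources (assumptions): the page's configuration, and a
# classic-plan configuration that has no sub plan and no extensions.
COMPLIANT = {
    "type": "Microsoft.Security/pricings",
    "name": "StorageAccounts",
    "properties": {
        "pricingTier": "Standard",
        "subPlan": "DefenderForStorageV2",
        "extensions": [{"name": "SensitiveDataDiscovery", "isEnabled": "True"}],
    },
}
CLASSIC_PLAN = {
    "type": "Microsoft.Security/pricings",
    "name": "StorageAccounts",
    "properties": {"pricingTier": "Standard"},
}

if __name__ == "__main__":
    for label, res in (("compliant", COMPLIANT), ("classic", CLASSIC_PLAN)):
        print(label, sensitive_data_detection_findings(res) or "pass")
```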

Notes

This feature is currently in preview.

The DefenderForStorageV2 sub plan represents the new Defender for Storage plan, which offers several benefits that are not included in the classic plan, such as sensitive data threat detection.

Sensitive data threat detection is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.
