
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Defender.Storage/#

Configure Microsoft Defender for Storage to the Standard tier

Enable Microsoft Defender for Storage.

Description

Microsoft Defender for Storage provides additional security for storage accounts.

Protection is provided by:

  • Continuously analyzing data plane and control plane logs from protected storage accounts.
  • Malware scanning, which performs a full malware scan of uploaded content in near real time using Microsoft Defender Antivirus capabilities.
  • Sensitive data threat detection, which uses a smart sampling method to find resources that contain sensitive data.

Together, these allow Microsoft Defender for Cloud to discover and mitigate potential threats.

Security findings for onboarded storage accounts show up in Defender for Cloud with details of the security threats and contextual information.

Microsoft Defender for Storage can be enabled at the subscription level, which ensures that all storage accounts in the subscription, including ones created later, are protected.

Recommendation

Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.

Examples

Configure with Azure template

To enable Defender for Storage:

  • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "True",
        "additionalExtensionProperties": {
          "CapGBPerMonthPerStorageAccount": "5000"
        }
      },
      {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
      }
    ]
  }
}

Configure with Bicep

To enable Defender for Storage:

  • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.

For example:

Azure Bicep snippet
resource defenderForStorage 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}

Configure with Azure PowerShell

Azure PowerShell snippet
Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan 'DefenderForStorageV2'

Notes

The DefenderForStorageV2 sub plan represents the new Defender for Storage plan, which offers several benefits that aren't included in the classic plan. The new plan includes more advanced capabilities that help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption. Some features within the new plan are still in preview, but they are configurable.

Currently only the Blob Storage, Azure Files and Azure Data Lake Storage Gen2 services are supported by Defender for Storage.
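As an added example (not part of this rule page or of the PSRule.Rules.Azure project's own code), the following Python script evaluates Microsoft.Security/pricings records in the shape of the template above. It reports a failure when the StorageAccounts pricing is missing, not on the Standard tier, or still on the classic sub plan, and a warning when the V2 plan is on but the malware scanning or sensitive data discovery extension is disabled. The subscription names and records are constructed for the illustration; in practice you would feed it pricing records exported from your subscriptions.

```python
"""Check Microsoft.Security/pricings records for the Defender for Storage
configuration recommended on this page: Standard tier, DefenderForStorageV2
sub plan, and the two extensions enabled. Added example; the records below
are constructed and do not come from a real subscription."""

from dataclasses import dataclass, field
from typing import Optional

REQUIRED_TIER = "Standard"
REQUIRED_SUB_PLAN = "DefenderForStorageV2"
EXPECTED_EXTENSIONS = ("OnUploadMalwareScanning", "SensitiveDataDiscovery")


@dataclass
class Finding:
    subscription: str
    passed: bool = True
    reasons: list = field(default_factory=list)   # conditions that fail the check
    warnings: list = field(default_factory=list)  # weaker settings worth reviewing


def _enabled_extensions(properties: dict) -> set:
    """Names of extensions whose isEnabled is 'True'. The 2023-01-01 API
    stores isEnabled as a string, so compare it case-insensitively."""
    enabled = set()
    for ext in properties.get("extensions") or []:
        if str(ext.get("isEnabled", "")).lower() == "true":
            enabled.add(ext.get("name"))
    return enabled


def evaluate_pricing(subscription: str, resource: Optional[dict]) -> Finding:
    """Evaluate one 'StorageAccounts' pricing record. A missing record means
    the plan has never been configured, which is reported as a failure."""
    finding = Finding(subscription)
    if resource is None:
        finding.passed = False
        finding.reasons.append("no Microsoft.Security/pricings record named StorageAccounts")
        return finding

    props = resource.get("properties", {})
    tier = props.get("pricingTier")
    if tier != REQUIRED_TIER:
        finding.passed = False
        finding.reasons.append(f"pricingTier is {tier!r}, expected {REQUIRED_TIER!r}")

    sub_plan = props.get("subPlan")
    if sub_plan != REQUIRED_SUB_PLAN:
        finding.passed = False
        finding.reasons.append(
            f"subPlan is {sub_plan!r}, expected {REQUIRED_SUB_PLAN!r} "
            "(the classic plan has no malware scanning or sensitive data discovery)")
    else:
        # Extensions only exist on the V2 plan; a disabled one is a warning, not a failure.
        enabled = _enabled_extensions(props)
        for name in EXPECTED_EXTENSIONS:
            if name not in enabled:
                finding.warnings.append(f"extension {name} is not enabled")
    return finding


def evaluate_all(records: dict) -> list:
    """Evaluate a mapping of subscription name -> pricing record (or None)."""
    return [evaluate_pricing(sub, rec) for sub, rec in records.items()]


def _pricing(tier, sub_plan=None, extensions=None):
    """Build a constructed pricing record in the template's shape."""
    props = {"pricingTier": tier}
    if sub_plan:
        props["subPlan"] = sub_plan
    if extensions is not None:
        props["extensions"] = extensions
    return {"type": "Microsoft.Security/pricings", "name": "StorageAccounts", "properties": props}


# Constructed sample records (hypothetical subscription names).
SAMPLE_RECORDS = {
    "sub-compliant": _pricing("Standard", "DefenderForStorageV2", [
        {"name": "OnUploadMalwareScanning", "isEnabled": "True",
         "additionalExtensionProperties": {"CapGBPerMonthPerStorageAccount": "5000"}},
        {"name": "SensitiveDataDiscovery", "isEnabled": "True"},
    ]),
    "sub-free": _pricing("Free"),
    "sub-classic": _pricing("Standard"),
    "sub-v2-no-malware": _pricing("Standard", "DefenderForStorageV2", [
        {"name": "OnUploadMalwareScanning", "isEnabled": "False"},
        {"name": "SensitiveDataDiscovery", "isEnabled": "True"},
    ]),
    "sub-missing": None,
}

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_RECORDS):
        status = "PASS" if f.passed else "FAIL"
        detail = "; ".join(f.reasons + f.warnings) or "ok"
        print(f"{status} {f.subscription}: {detail}")
```

Treating a disabled extension as a warning rather than a failure mirrors the rule's scope, which is the pricing tier and sub plan; teams that require malware scanning everywhere can promote that warning to a failure in their own policy.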


Last update: 2023-10-20
