
Configure Microsoft Defender for Storage to the Standard tier

Security · Microsoft Defender for Cloud · Rule · 2023_06 · Critical

Enable Microsoft Defender for Storage.

Description

Microsoft Defender for Storage provides additional security for storage accounts.

Protection comes from the following capabilities, which allow Microsoft Defender for Cloud to discover and mitigate potential threats:

  • Continuously analyzing data and control plane logs from protected storage accounts.
  • Malware scanning on uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.
  • Sensitive data threat detection by a smart sampling method to find resources with sensitive data.

Security findings for on-boarded storage accounts show up in Defender for Cloud, with details of the security threats and contextual information.

Defender for Storage can be enabled at the subscription level. This ensures all storage accounts in the subscription will be protected, including future ones.

Recommendation

Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.

Examples

Configure with Azure template

To enable Defender for Storage:

  • Set the properties.pricingTier property to Standard.
  • Set the properties.subPlan property to DefenderForStorageV2.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2024-01-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "True",
        "additionalExtensionProperties": {
          "CapGBPerMonthPerStorageAccount": "5000"
        }
      },
      {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
      }
    ]
  }
}
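The two settings the rule checks (pricingTier and subPlan) can be verified offline against a pricings resource before deployment. This is an added example, not PSRule's own rule code: it parses a Microsoft.Security/pricings snippet like the one above, fails it if the tier or sub plan is wrong, and reports the malware scanning and sensitive data discovery extensions as advisory findings. The constant and function names, and the constructed Free-tier sample, are assumptions of this example.

```python
import json

# Values the rule on this page requires on the Microsoft.Security/pricings resource
EXPECTED = {"type": "Microsoft.Security/pricings", "name": "StorageAccounts"}
EXPECTED_TIER = "Standard"
EXPECTED_SUBPLAN = "DefenderForStorageV2"
# Extensions from the page's snippet; reported as advisory findings, not rule failures
ADVISORY_EXTENSIONS = ("OnUploadMalwareScanning", "SensitiveDataDiscovery")


def check_pricing(resource: dict) -> tuple[bool, list[str]]:
    """Evaluate one pricings resource. Returns (passes_rule, findings)."""
    findings = []
    for key, want in EXPECTED.items():
        if resource.get(key) != want:
            return False, [f"{key} is {resource.get(key)!r}, expected {want!r}"]
    props = resource.get("properties", {})
    if props.get("pricingTier") != EXPECTED_TIER:
        findings.append(f"pricingTier is {props.get('pricingTier')!r}, expected {EXPECTED_TIER!r}")
    if props.get("subPlan") != EXPECTED_SUBPLAN:
        findings.append(f"subPlan is {props.get('subPlan')!r}, expected {EXPECTED_SUBPLAN!r}")
    passes = not findings  # only tier and sub plan decide pass/fail
    # isEnabled is a string ("True"/"False") in the ARM schema, so compare case-insensitively
    enabled = {e.get("name") for e in props.get("extensions", [])
               if str(e.get("isEnabled", "")).lower() == "true"}
    for ext in ADVISORY_EXTENSIONS:
        if ext not in enabled:
            findings.append(f"advisory: extension {ext} is not enabled")
    return passes, findings


def evaluate(template_json: str) -> tuple[bool, list[str]]:
    """Parse a resource snippet (as on this page) and check it."""
    return check_pricing(json.loads(template_json))


# Constructed samples: the page's compliant snippet, and a classic-plan resource on the Free tier
COMPLIANT = """{"type": "Microsoft.Security/pricings", "apiVersion": "2024-01-01",
  "name": "StorageAccounts", "properties": {"pricingTier": "Standard",
  "subPlan": "DefenderForStorageV2", "extensions": [
    {"name": "OnUploadMalwareScanning", "isEnabled": "True",
     "additionalExtensionProperties": {"CapGBPerMonthPerStorageAccount": "5000"}},
    {"name": "SensitiveDataDiscovery", "isEnabled": "True"}]}}"""
CLASSIC = """{"type": "Microsoft.Security/pricings", "apiVersion": "2024-01-01",
  "name": "StorageAccounts", "properties": {"pricingTier": "Free"}}"""

if __name__ == "__main__":
    for label, snippet in (("compliant", COMPLIANT), ("classic", CLASSIC)):
        print(label, evaluate(snippet))
```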

Configure with Bicep

To enable Defender for Storage:

  • Set the properties.pricingTier property to Standard.
  • Set the properties.subPlan property to DefenderForStorageV2.

For example:

Azure Bicep snippet
resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}

Configure with Azure PowerShell

Azure PowerShell snippet
Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan 'DefenderForStorageV2'

Configure with Azure Policy

To address this issue at runtime use the following policies:

Notes

The DefenderForStorageV2 sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan. The new plan includes more advanced capabilities that can help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption.

Currently only the Blob Storage, Azure Files and Azure Data Lake Storage Gen2 services are supported by Defender for Storage.
