online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Defender.Storage/#
Configure Microsoft Defender for Storage to the Standard tier#
Enable Microsoft Defender for Storage.
Description#
Microsoft Defender for Storage provides additional security for storage accounts.
Protection is provided by:
- Continuously analyzing data and control plane logs from protected storage accounts.
- Malicious scanning by performing a full malware scan on uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.
- Sensitive data threat detection by a smart sampling method to find resources with sensitive data.
Which allows Microsoft Defender for Cloud to discover and mitigate potential threats.
Security findings for onboarded storage accounts shows up in Defender for Cloud with details of the security threats with contextual information.
Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.
Recommendation#
Consider using Microsoft Defender for Storage to protect your data hosted in storage accounts.
Examples#
Configure with Azure template#
To enable Defender for Storage:
- Set the
Standardpricing tier for Microsoft Defender for Storage and set theDefenderForStorageV2sub plan.
For example:
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2022-03-01",
"name": "StorageAccounts",
"properties": {
"pricingTier": "Standard",
"subPlan": "DefenderForStorageV2"
}
}
Configure with Bicep#
To enable Defender for Storage:
- Set the
Standardpricing tier for Microsoft Defender for Storage and set theDefenderForStorageV2sub plan.
For example:
resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {
name: 'StorageAccounts'
properties: {
pricingTier: 'Standard'
subPlan: 'DefenderForStorageV2'
}
}
Configure with Azure PowerShell#
Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan 'DefenderForStorageV2'
Notes#
The DefenderForStorageV2 sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan. The new plan includes more advanced capabilities that can help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption. Some features within the new plan is still in preview, but these are configurable.
Currently only the Blob Storage, Azure Files and Azure Data Lake Storage Gen2 service is supported by Defender for Storage.
Links#
- Storage security guide
- Security operations in Azure
- What is Microsoft Defender for Cloud?
- Overview of Microsoft Defender for Storage
- Migrate from Defender for Storage (classic) to the new plan
- Enable and configure Microsoft Defender for Storage
- Quickstart: Enable enhanced security features
- Azure security baseline for Storage
- DP-2: Monitor anomalies and threats targeting sensitive data
- LT-1: Enable threat detection capabilities
- Azure Policy built-in policy definitions
- Azure deployment reference