
Enable Microsoft Defender#

Security · Storage Account · Rule · 2023_06 · Critical

Enable Microsoft Defender for Storage for storage accounts.

Description#

Microsoft Defender for Storage analyzes data and control plane logs from protected Storage Accounts, which allows Microsoft Defender for Cloud to surface findings that describe the detected security threat together with contextual information.

Additionally, Microsoft Defender for Storage provides security extensions to analyze data stored within Storage Accounts:

  • Anti-malware scanning of uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities.
  • Sensitive data threat detection to identify storage accounts that hold sensitive data and prioritize alerts involving them.

Microsoft Defender for Storage can be enabled on a per subscription or per resource basis. Enabling at the subscription level is recommended because it protects current and future Storage Accounts. However, enabling at the resource level may be preferred for specific Storage Accounts that require custom settings.

Recommendation#

Consider enabling Microsoft Defender for Storage to protect data hosted in storage accounts. Where possible, enable it for all storage accounts within a subscription rather than configuring individual accounts.

Examples#

Configure with Azure template#

To deploy storage accounts that pass this rule:

  • Deploy a Microsoft.Security/defenderForStorageSettings sub-resource (extension resource) scoped to the storage account, with the name current.
  • Set the properties.isEnabled property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/defenderForStorageSettings",
  "apiVersion": "2022-12-01-preview",
  "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]",
  "name": "current",
  "properties": {
    "isEnabled": true,
    "malwareScanning": {
      "onUpload": {
        "isEnabled": true,
        "capGBPerMonth": 5000
      }
    },
    "sensitiveDataDiscovery": {
      "isEnabled": true
    },
    "overrideSubscriptionLevelSettings": false
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
  ]
}

Configure with Bicep#

To deploy storage accounts that pass this rule:

  • Deploy a Microsoft.Security/defenderForStorageSettings sub-resource (extension resource) scoped to the storage account, with the name current.
  • Set the properties.isEnabled property to true.

For example:

Azure Bicep snippet
// Extension resource attached to an existing storage account declared elsewhere
// in the same file as the symbolic name 'storageAccount'.
resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {
  name: 'current' // the only name accepted for this resource type
  scope: storageAccount
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        capGBPerMonth: 5000 // monthly scanning cap in GB
      }
    }
    sensitiveDataDiscovery: {
      isEnabled: true
    }
    // false: subscription-level plan settings, if any, take priority over these
    overrideSubscriptionLevelSettings: false
  }
}

Notes#

The following limitations currently apply for Microsoft Defender for Storage:

  • Sensitive data discovery is a preview feature.
  • Supported storage types are Blob Storage, Azure Files and Azure Data Lake Storage Gen2. Other storage types are not supported.
  • When Microsoft Defender for Storage is enabled at both the subscription and the resource level, the subscription configuration takes priority. To apply resource-level settings to a specific Storage Account instead, set the properties.overrideSubscriptionLevelSettings property to true.
  • If there is no plan at the subscription level, Microsoft Defender for Storage can be configured on the Storage Account without an override.
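The following added example (not PSRule for Azure's own rule implementation) shows the logic a practitioner can apply when reviewing a template offline: it reports, for every storage account in an ARM template, whether a Microsoft.Security/defenderForStorageSettings extension resource with isEnabled set to true is scoped to it, and it models the precedence described in the notes above (subscription settings win unless overrideSubscriptionLevelSettings is true; with no subscription plan the resource settings apply as-is). The template embedded below is constructed for illustration, and the scope matcher only resolves literal scope strings, not ARM expressions such as `[format(...)]`.

```python
"""Offline check for Microsoft Defender for Storage coverage in an ARM template.

Added example; not PSRule for Azure's implementation of the rule.
The sample template below is constructed for illustration only.
"""
import json
from typing import Dict, Optional

DEFENDER_TYPE = "microsoft.security/defenderforstoragesettings"
STORAGE_TYPE = "microsoft.storage/storageaccounts"
SCOPE_PREFIX = "microsoft.storage/storageaccounts/"

# Constructed sample: one protected account and one without Defender settings.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01", "name": "stprotected" },
    { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01", "name": "stunprotected" },
    {
      "type": "Microsoft.Security/defenderForStorageSettings",
      "apiVersion": "2022-12-01-preview",
      "scope": "Microsoft.Storage/storageAccounts/stprotected",
      "name": "current",
      "properties": {
        "isEnabled": true,
        "malwareScanning": { "onUpload": { "isEnabled": true, "capGBPerMonth": 5000 } },
        "sensitiveDataDiscovery": { "isEnabled": true },
        "overrideSubscriptionLevelSettings": false
      }
    }
  ]
}
""")


def defender_settings_by_account(template: dict) -> Dict[str, dict]:
    """Map lower-cased storage account name -> properties of the
    defenderForStorageSettings resource scoped to it.

    Only literal scope strings are resolved; an ARM expression in "scope"
    (e.g. "[format(...)]") is skipped because evaluating it needs the
    template's parameters (assumption of this example).
    """
    found: Dict[str, dict] = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != DEFENDER_TYPE:
            continue
        scope = res.get("scope", "")
        if scope.lower().startswith(SCOPE_PREFIX):
            account = scope[len(SCOPE_PREFIX):].lower()
            found[account] = res.get("properties", {})
    return found


def evaluate_rule(template: dict) -> Dict[str, bool]:
    """Return {storage account name: passes} for every storage account.

    An account passes when a defenderForStorageSettings extension resource is
    scoped to it and its properties.isEnabled is exactly true.
    """
    settings = defender_settings_by_account(template)
    results: Dict[str, bool] = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != STORAGE_TYPE:
            continue
        name = res["name"]
        props = settings.get(name.lower())
        results[name] = bool(props) and props.get("isEnabled") is True
    return results


def effective_settings(subscription_plan: Optional[dict], resource_settings: dict) -> dict:
    """Apply the precedence described in the notes.

    - No subscription-level plan: the resource settings apply directly.
    - Subscription plan present and overrideSubscriptionLevelSettings is true:
      the resource settings apply.
    - Otherwise the subscription configuration takes priority.
    """
    if subscription_plan is None:
        return resource_settings
    if resource_settings.get("overrideSubscriptionLevelSettings") is True:
        return resource_settings
    return subscription_plan


if __name__ == "__main__":
    for account, ok in evaluate_rule(SAMPLE_TEMPLATE).items():
        print(f"{account}: {'pass' if ok else 'FAIL'}")
```

Run against the embedded sample, the check passes stprotected and fails stunprotected, which has no Defender settings scoped to it. Feeding a real exported template into `evaluate_rule` gives the same per-account view before PSRule runs in a pipeline.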

Rule configuration#

AZURE_STORAGE_DEFENDER_PER_ACCOUNT

This rule is not processed by default because configuration at the subscription level is recommended. To enable this rule, set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration value to true.
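As an added example (not part of the original page), the setting goes under the configuration section of the PSRule options file, which is assumed here to be the conventional ps-rule.yaml at the repository root:

```yaml
# ps-rule.yaml
configuration:
  # Evaluate Defender for Storage settings on each storage account
  # instead of relying on a subscription-level plan.
  AZURE_STORAGE_DEFENDER_PER_ACCOUNT: true
```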
