Advanced threat protection for Azure Storage
Advanced threat protection for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address threats without being a security expert or managing security monitoring systems.
Security alerts are triggered when anomalies in activity occur. These security alerts are integrated with Azure Security Center, and are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and remediate threats.
Advanced threat protection for Azure Storage is currently available only for Blob storage. It is not available in Azure government and sovereign cloud regions. For pricing details, including a free 30 day trial, see the Azure Security Center pricing page.
Advanced threat protection for Azure Storage ingests diagnostic logs of read, write, and delete requests to Blob storage for threat detection. To investigate the alerts from advanced threat protection, you can view related storage activity using Storage Analytics Logging. For more information, see Configure logging in Monitor a storage account in the Azure portal.
Set up advanced threat protection
Advanced threat protection is enabled for your storage account by default. You can configure advanced threat protection in any of several ways, described in the following sections.
Launch the Azure portal.
Navigate to your Azure Storage account. Under Settings, select Advanced security.
Select the Settings link on the advanced security configuration page.
Set Advanced security to ON.
Click Save to save the new or updated policy.
Explore security anomalies
When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:
- The nature of the anomaly
- The storage account name
- The event time
- The storage type
- The potential causes
- The investigation steps
- The remediation steps
The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.
You can review and manage your current security alerts from Azure Security Center’s Security alerts tile. Clicking on a specific alert provides details and actions for investigating the current threat and addressing future threats.
Alerts are generated by unusual and potentially harmful attempts to access or exploit storage accounts. For a list of alerts for Azure Storage, see the Storage section in Threat detection for data services in Azure Security Center alerts