Configure advanced threat protection for Azure Storage
Advanced threat protection for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address threats without being a security expert or managing security monitoring systems.
Security alerts are triggered when anomalies in activity occur. These security alerts are integrated with Azure Security Center, and are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and remediate threats.
The service ingests resource logs of read, write, and delete requests to Blob storage and to Azure Files (preview) for threat detection. To investigate the alerts from advanced threat protection, you can view related storage activity using Storage Analytics Logging. For more information, see Configure logging in Monitor a storage account in the Azure portal.
Advanced threat protection for Azure Storage is currently available for Blob storage, Azure Files (preview), and Azure Data Lake Storage Gen2 (preview). Account types that support advanced threat protection include general-purpose v2, block blob, and Blob storage accounts. Advanced threat protection is available in all public clouds and US government clouds, but not in other sovereign or Azure Government cloud regions.
Accounts with hierarchical namespaces enabled for Data Lake Storage support transactions using both the Azure Blob storage APIs and the Data Lake Storage APIs. Azure file shares support transactions over SMB.
For pricing details, including a free 30 day trial, see the Azure Security Center pricing page.
The following list summarizes the availability of advanced threat protection for Azure Storage:
- Release state:
✔ Commercial clouds
✔ US Gov
✘ China Gov, Other Gov
Set up advanced threat protection
You can configure advanced threat protection in any of several ways, described in the following sections.
When you subscribe to the Standard tier in Azure Security Center, advanced threat protection is automatically set up on all of your storage accounts. You can enable or disable advanced threat protection for your storage accounts under a specific subscription as follows:
Launch Azure Security Center in the Azure portal.
From the main menu, click Pricing & settings.
Click the subscription that you want to enable or disable threat protection for its storage accounts.
Click Pricing tier.
In the Select pricing tier by resource type section, in the Storage accounts row, click Enabled or Disabled.
Explore security anomalies
When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:
- The nature of the anomaly
- The storage account name
- The event time
- The storage type
- The potential causes
- The investigation steps
- The remediation steps
The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.
You can review and manage your current security alerts from Azure Security Center's Security alerts tile. Clicking on a specific alert provides details and actions for investigating the current threat and addressing future threats.
Alerts are generated by unusual and potentially harmful attempts to access or exploit storage accounts. For a list of alerts for Azure Storage, see the Storage section in Threat protection for data services in Azure Security Center.