Configure Microsoft Defender for Storage

Microsoft Defender for Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address threats without being a security expert or managing security monitoring systems.

Security alerts are triggered when anomalies in activity occur. These security alerts are integrated with Microsoft Defender for Cloud, and are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and remediate threats.

The service ingests resource logs of read, write, and delete requests to Blob storage and to Azure Files for threat detection. To investigate alerts from Microsoft Defender for Cloud, you can view related storage activity using Storage Analytics Logging. For more information, see Configure logging in Monitor a storage account in the Azure portal.

Availability

Microsoft Defender for Storage is currently available for Blob storage, Azure Files, and Azure Data Lake Storage Gen2. Account types that support Microsoft Defender for Storage include general-purpose v2, block blob, and Blob storage accounts. Microsoft Defender for Storage is available in all public clouds and US government clouds, but not in other sovereign or Azure Government cloud regions.

Accounts with hierarchical namespaces enabled for Data Lake Storage support transactions using both the Azure Blob storage APIs and the Data Lake Storage APIs. Azure file shares support transactions over SMB.

For pricing details, including a free 30 day trial, see the Microsoft Defender for Cloud pricing page.

The following list summarizes the availability of Microsoft Defender for Storage:

  • Release state:
    • Blob Storage (general availability)
    • Azure Files (general availability)
    • Azure Data Lake Storage Gen2 (general availability)
  • Clouds: ✔ Commercial clouds
    ✔ Azure Government
    ✘ Azure China 21Vianet

Set up Microsoft Defender for Cloud

You can configure Microsoft Defender for Storage in any of several ways, described in the following sections.

Microsoft Defender for Storage is built into Microsoft Defender for Cloud. When you enable Microsoft Defender for Cloud's enhanced security features on your subscription, Microsoft Defender for Storage is automatically enabled for all of your storage accounts. To enable or disable Defender for Storage for individual storage accounts under a specific subscription:

  1. Launch Microsoft Defender for Cloud in the Azure portal.

  2. From Defender for Cloud's main menu, select Environment settings.

  3. Select the subscription for which you want to enable or disable Microsoft Defender for Cloud.

  4. Select Enable all Microsoft Defender plans to enable Microsoft Defender for Cloud in the subscription.

  5. Under Select Microsoft Defender plans by resource type, locate the Storage row, and select Enabled in the Plan column.

  6. Save your changes.

    Screenshot showing how to enable Microsoft Defender for Storage.

Microsoft Defender for Storage is now enabled for all storage accounts in this subscription.

Explore security anomalies

When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:

  • The nature of the anomaly
  • The storage account name
  • The event time
  • The storage type
  • The potential causes
  • The investigation steps
  • The remediation steps

The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.

Microsoft Defender for Storage alert email

You can review and manage your current security alerts from Microsoft Defender for Cloud's Security alerts tile. Select an alert for details and actions for investigating the current threat and addressing future threats.

Microsoft Defender for Storage alert

Security alerts

Alerts are generated by unusual and potentially harmful attempts to access or exploit storage accounts. For a list of alerts for Azure Storage, see Alerts for Azure Storage.

Next steps