Configure Azure Defender for Storage

Azure Defender for Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address threats without being a security expert or managing security monitoring systems.

Security alerts are triggered when anomalies in activity occur. These security alerts are integrated with Azure Security Center, and are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and remediate threats.

The service ingests resource logs of read, write, and delete requests to Blob storage and to Azure Files for threat detection. To investigate alerts from Azure Defender, you can view related storage activity using Storage Analytics Logging. For more information, see Configure logging in Monitor a storage account in the Azure portal.

Availability

Azure Defender for Storage is currently available for Blob storage, Azure Files, and Azure Data Lake Storage Gen2. Account types that support Azure Defender include general-purpose v2, block blob, and Blob storage accounts. Azure Defender for Storage is available in all public clouds and US government clouds, but not in other sovereign or Azure Government cloud regions.

Accounts with hierarchical namespaces enabled for Data Lake Storage support transactions using both the Azure Blob storage APIs and the Data Lake Storage APIs. Azure file shares support transactions over SMB.

For pricing details, including a free 30 day trial, see the Azure Security Center pricing page.

The following list summarizes the availability of Azure Defender for Storage:

  • Release state:
    • Blob Storage (general availability)
    • Azure Files (general availability)
    • Azure Data Lake Storage Gen2 (general availability)
  • Clouds:
    ✔ Commercial clouds
    ✔ US Gov
    ✘ China Gov, Other Gov

Set up Azure Defender

You can configure Azure Defender for Storage in any of several ways, described in the following sections.

When you subscribe to the Standard tier in Azure Security Center, Azure Defender is automatically set up on all of your storage accounts. You can enable or disable Azure Defender for your storage accounts under a specific subscription as follows:

  1. Launch Azure Security Center in the Azure portal.

  2. From the main menu, under Management, select Pricing & settings.

  3. Select the subscription for which you want to enable or disable Azure Defender.

  4. Select Azure Defender on to enable Azure Defender for the subscription.

  5. Under Select Azure Defender plan by resource type, locate the Storage row, and select Enabled in the Plan column.

  6. Save your changes.

    Screenshot showing how to enable Azure Defender for Storage in Security Center

Azure Defender is now enabled for all storage accounts in this subscription.

Explore security anomalies

When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:

  • The nature of the anomaly
  • The storage account name
  • The event time
  • The storage type
  • The potential causes
  • The investigation steps
  • The remediation steps

The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.

Azure Defender for Storage alert email

You can review and manage your current security alerts from Azure Security Center's Security alerts tile. Clicking on a specific alert provides details and actions for investigating the current threat and addressing future threats.

Azure Defender for Storage alert

Security alerts

Alerts are generated by unusual and potentially harmful attempts to access or exploit storage accounts. For a list of alerts for Azure Storage, see Alerts for Azure Storage.

Next steps