Advanced threat protection for Azure Storage

Advanced threat protection for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address threats without being a security expert or managing security monitoring systems.

Security alerts are triggered when anomalies in activity occur. These security alerts are integrated with Azure Security Center, and are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and remediate threats.

Note

Advanced threat protection for Azure Storage is currently available only for Blob storage. It is not available in Azure Government and sovereign cloud regions. For pricing details, including a free 30-day trial, see the Azure Security Center pricing page.

Advanced threat protection for Azure Storage ingests diagnostic logs of read, write, and delete requests to Blob storage for threat detection. To investigate the alerts from advanced threat protection, you can view related storage activity using Storage Analytics Logging. For more information, see Configure logging in Monitor a storage account in the Azure portal.
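To support the investigation step described above, the following added example (not part of the original article) parses Storage Analytics log entries and counts read, write, and delete requests per client IP in a window around an alert's event time. The field positions assume the documented version 1.0 log format; the sample entries, account name, and function names are constructed for illustration.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Version 1.0 field positions (assumed from the documented log format).
START, OP, STATUS, AUTH, IP = 1, 2, 3, 7, 15

def _entry(t, op, status, auth, ip):
    """Build one constructed 30-field sample entry (not real traffic)."""
    return (f'1.0;2020-03-01T{t}.0000000Z;{op};{status};200;12;11;{auth};;acct;blob;'
            f'"https://acct.blob.core.windows.net/c/a.txt?timeout=30&amp;x=1";'
            f'"/acct/c/a.txt";req-id;0;{ip}:4411;2019-02-02;283;0;354;23;0;;;;;;'
            f'"tool/1.0 (x; y)";;')

SAMPLE_LOG = "\n".join([
    _entry("10:02:11", "GetBlob", "Success", "authenticated", "203.0.113.7"),
    _entry("10:05:00", "GetBlob", "AnonymousSuccess", "anonymous", "198.51.100.23"),
    _entry("10:05:02", "GetBlob", "AnonymousSuccess", "anonymous", "198.51.100.23"),
    _entry("10:06:30", "DeleteBlob", "SASSuccess", "SAS", "198.51.100.23"),
    _entry("14:00:00", "PutBlob", "Success", "authenticated", "203.0.113.7"),
])

def parse_time(s):
    # Entries carry 7 fractional digits; strptime's %f takes 6, so drop them.
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def category(op):  # heuristic read/write/delete bucket from the operation name
    if op.startswith("Delete"):
        return "delete"
    return "read" if op.startswith(("Get", "List")) else "write"

def activity_near_alert(log_text, alert_time, window_minutes=30):
    """Count (category, auth type, status) per client IP around the alert time."""
    span = timedelta(minutes=window_minutes)
    summary = defaultdict(Counter)
    # Quoted fields are HTML-encoded ("&amp;"), so a plain split(";") would
    # shift every later column; csv honours the quotes.
    for row in csv.reader(log_text.splitlines(), delimiter=";", quotechar='"'):
        if len(row) <= IP or row[0] != "1.0":
            continue
        if abs(parse_time(row[START]) - alert_time) <= span:
            ip = row[IP].rsplit(":", 1)[0]  # assumes IPv4 "address:port"
            summary[ip][(category(row[OP]), row[AUTH], row[STATUS])] += 1
    return summary

if __name__ == "__main__":
    alert = datetime(2020, 3, 1, 10, 10, tzinfo=timezone.utc)
    for ip, counts in activity_near_alert(SAMPLE_LOG, alert).items():
        print(ip, dict(counts))
```

Anonymous reads followed by a delete from the same address, as in the constructed sample, are the kind of pattern worth comparing against the alert's listed potential causes.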

Set up advanced threat protection

Advanced threat protection is enabled for your storage account by default. You can configure advanced threat protection in any of several ways, described in the following sections.

Use the Azure portal

  1. Launch the Azure portal.

  2. Navigate to your Azure Storage account. Under Settings, select Advanced security.

  3. Select the Settings link on the advanced security configuration page.

  4. Set Advanced security to ON.

  5. Click Save to save the new or updated policy.


Using Azure Security Center

When you subscribe to the Standard tier in Azure Security Center, advanced threat protection is automatically set up on all of your storage accounts. You can enable or disable advanced threat protection for your storage accounts under a specific subscription as follows:

  1. Launch Azure Security Center in the Azure portal.

  2. From the main menu, click Pricing & settings.

  3. Click the subscription whose storage accounts you want to enable or disable threat protection for.


  4. Click Pricing tier.

  5. In the Select pricing tier by resource type section, in the Storage accounts row, click Enabled or Disabled.


  6. Click Save.

Using Azure Resource Manager templates

Use an Azure Resource Manager template to deploy an Azure Storage account with advanced threat protection enabled. For more information, see Storage account with advanced threat protection.

Using an Azure Policy

Use an Azure Policy to enable advanced threat protection across storage accounts under a specific subscription or resource group.

  1. Launch the Azure Policy - Definitions page.

  2. Search for the Deploy Advanced Threat Protection on Storage Accounts policy.


  3. Select an Azure subscription or resource group.


  4. Assign the policy.


Using the REST API

Use REST API commands to create, update, or get the advanced threat protection setting for a specific storage account.

Using Azure PowerShell

Use the following PowerShell cmdlets:

Explore security anomalies

When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:

  • The nature of the anomaly
  • The storage account name
  • The event time
  • The storage type
  • The potential causes
  • The investigation steps
  • The remediation steps

The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.


You can review and manage your current security alerts from Azure Security Center’s Security alerts tile. Clicking on a specific alert provides details and actions for investigating the current threat and addressing future threats.


Protection alerts

Alerts are generated by unusual and potentially harmful attempts to access or exploit storage accounts. For a list of alerts for Azure Storage, see the Storage section in Threat detection for data services in Azure Security Center alerts.
