Advanced threat protection for Azure Storage
Advanced threat protection for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address threats without being a security expert or managing security monitoring systems.
Security alerts are triggered when anomalies in activity occur. These security alerts are integrated with Azure Security Center, and are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and remediate threats.
Advanced threat protection for Azure Storage is currently available only for Blob storage. It is not available in Azure government and sovereign cloud regions. For pricing details, including a free 30 day trial, see the Azure Security Center pricing page.
Advanced threat protection for Azure Storage ingests diagnostic logs of read, write, and delete requests to Blob storage for threat detection. To investigate the alerts from advanced threat protection, you can view related storage activity using Storage Analytics Logging. For more information, see Configure logging in Monitor a storage account in the Azure portal.
Set up advanced threat protection
Advanced threat protection is enabled for your storage account by default. You can configure advanced threat protection in any of several ways, described in the following sections.
Use the Azure portal
Launch the Azure portal.
Navigate to your Azure Storage account. Under Settings, select Advanced security.
Select the Settings link on the advanced security configuration page.
Set Advanced security to ON.
Click Save to save the new or updated policy.
Using Azure Security Center
When you subscribe to the Standard tier in Azure Security Center, advanced threat protection is automatically set up on all of your storage accounts. You can enable or disable advanced threat protection for your storage accounts under a specific subscription as follows:
Launch Azure Security Center in the Azure portal.
From the main menu, click Pricing & settings.
Click the subscription that you want to enable or disable threat protection for its storage accounts.
Click Pricing tier.
In the Select pricing tier by resource type section, in the Storage accounts row, click Enabled or Disabled.
Using Azure Resource Manager templates
Use an Azure Resource Manager template to deploy an Azure Storage account with advanced threat protection enabled. For more information, see Storage account with advanced threat protection.
Using an Azure Policy
Use an Azure Policy to enable advanced threat protection across storage accounts under a specific subscription or resource group.
Launch the Azure Policy - Definitions page.
Search for the Deploy Advanced Threat Protection on Storage Accounts policy.
Select an Azure subscription or resource group.
Assign the policy.
Using the REST API
Use Rest API commands to create, update, or get the advanced threat protection setting for a specific storage account.
Using Azure PowerShell
Use the following PowerShell cmdlets:
Explore security anomalies
When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:
- The nature of the anomaly
- The storage account name
- The event time
- The storage type
- The potential causes
- The investigation steps
- The remediation steps
The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.
You can review and manage your current security alerts from Azure Security Center’s Security alerts tile. Clicking on a specific alert provides details and actions for investigating the current threat and addressing future threats.
Alerts are generated by unusual and potentially harmful attempts to access or exploit storage accounts. For a list of alerts for Azure Storage, see the Storage section in Threat detection for data services in Azure Security Center alerts