Configuring Microsoft Defender for Storage for Data Threat Detection
01/08/2025
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring and optimizing Microsoft Defender for Storage. In a scenario where data storage in the cloud is essential for operations, protecting this data against cyber threats is paramount. Defender for Storage provides an Azure-native security layer, detecting unusual activity and potential malware in storage accounts, ensuring data integrity and confidentiality [1].
Introduction
Azure storage accounts (Blob Storage, File Storage, Data Lake Storage, etc.) are essential repositories for a wide range of data, from backups and log files to application data and sensitive information. Protecting these assets is crucial as a breach can lead to financial losses, reputational damage and compliance issues. Common attacks on storage accounts include malware upload, unauthorized access, data exfiltration, and data manipulation [2].
Microsoft Defender for Storage, part of Microsoft Defender for Cloud, is a cloud-based security solution that provides intelligent, contextualized threat detection for Azure storage accounts. It continuously monitors activity across storage accounts to identify suspicious behavior such as access from unusual locations, data exfiltration attempts, malware uploads, and cryptomining activities. Additionally, it offers advanced features such as real-time malware scanning for blobs and threat detection for sensitive data [3].
This how-to guide will cover enabling Defender for Storage at the subscription and storage account level, configuring security alerts, enabling malware scanning, and detecting threats to sensitive data. Step-by-step instructions, practical examples, and concise explanations will be provided so that the reader can implement, test, and validate these features. Additionally, security tips, compliance checks, and best practices will be discussed to ensure your storage accounts are protected against the latest threats in an autonomous, professional, and reliable manner.
Why is Microsoft Defender for Storage crucial?
- Comprehensive Threat Detection: Identifies a wide range of threats, including malware, suspicious access, data exfiltration, and cryptomining activities.
- Real-Time Malware Scanning: Scans uploaded blobs in real-time, using Microsoft threat intelligence, to detect and block malicious files before they can cause damage.
- Sensitive Data Threat Detection: Uses data classification mechanisms to identify suspicious activities around stored sensitive data, such as unauthorized access or unusual movement.
- Actionable Security Alerts: Generates detailed security alerts in Microsoft Defender for Cloud, providing context and remediation recommendations.
- Native Integration with Azure: Seamlessly integrates with the Azure ecosystem, leveraging Azure Monitor and Log Analytics for monitoring and analysis.
- Compliance: Helps meet regulatory compliance requirements that require protection and monitoring of stored data.
Prerequisites
To configure Microsoft Defender for Storage, you will need the following items:
- Active Azure Subscription: An Azure subscription to create and manage resources.
- Administrative Access: An account with the Owner, Contributor, or Security Administrator role on the subscription or resource group where the storage accounts are located.
- Existing Azure Storage Accounts: Storage accounts (Blob, File, Data Lake Gen2) that you want to protect.
Step by Step: Configuring Microsoft Defender for Storage
Let's enable Defender for Storage and configure its features.
1. Enabling Defender for Storage at Subscription Level
The best practice is to enable Defender for Storage at the subscription level to automatically protect all existing and future storage accounts.
- Open your browser and navigate to the Azure portal: https://portal.azure.com.
- Log in with the account that has the necessary permissions.
- In the top search field, type Microsoft Defender for Cloud and select it from the results.
- In the Defender for Cloud left navigation pane, select Environment Settings.
- Select the subscription where you want to enable Defender for Storage.
- On the Defender plans page, find Storage and toggle the status to Enabled.
- Click Settings for the Storage plan to review the advanced options:
  - On-upload malware scanning: Make sure this option is On. This enables near real-time malware scanning for uploaded blobs.
  - Threat detection of sensitive data: Make sure this option is On. This enables the detection of suspicious activity around sensitive data.
  - Security events for Azure Storage: Make sure this option is On. This allows monitoring of access and network activities.
- Click Save.
- Explanation: Enabling Defender for Storage at the subscription level ensures that all storage accounts within that subscription (existing and new) are protected. Default settings include scanning for malware in uploads and detecting threats to sensitive data.
2. Checking Defender for Storage Status on a Specific Account
Although enabled in the subscription, it is good to check the status on individual accounts.
- In the Azure portal, navigate to one of your storage accounts.
- In the storage account's left navigation pane, under Security + Network, select Microsoft Defender for Cloud.
- You should see that the status of Microsoft Defender for Storage is Enabled.
3. Configuring Security Alerts and Notifications
Alerts are essential for notifying security teams about detected threats.
- In the Defender for Cloud left navigation pane, select Security Alerts.
- Here you can view all alerts generated by Defender for Storage and other Defender for Cloud solutions.
- To configure email notifications for alerts, in the Defender for Cloud left navigation pane, select Environment Settings.
- Select the subscription.
- In the left navigation pane, select Email Notifications.
- Add the email addresses of the security administrators who should receive the alerts.
- Set the severity level of the alerts you want to receive notifications for (e.g. High, Medium).
- Click Save.
4. Configuring Malware Scanning (On-upload Malware Scanning) and Sensitive Data Threat Detection
These features are enabled by default when enabling Defender for Storage in the subscription, but can be adjusted per storage account if necessary.
- Navigate to a specific storage account in the Azure portal.
- In the left navigation pane, under Security + Network, select Microsoft Defender for Cloud.
- Click on Settings.
- You can see options for Scan for malware in uploads and Detect sensitive data threats.
- Make sure both options are Enabled for this storage account if you need this account to differ from the subscription-level configuration.
- Click Save.
Validation and Testing
It is crucial to test the effectiveness of Defender for Storage to ensure it is detecting and warning about expected threats.
1. Testing Malware Detection (On-upload Scan)
- Scenario: Upload a harmless malware test file (such as the EICAR file, which is an antivirus test pattern) to a blob container in the protected storage account.
- You can get the EICAR file from https://www.eicar.org/download-and-test/.
- Alternatively, create a text file with the following content and save it as eicar.com.txt:
  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- Expected Action: Defender for Storage should detect the EICAR file as malware and generate a security alert.
- Verification:
- In the Azure portal, navigate to Microsoft Defender for Cloud > Security Alerts.
- Look for an alert whose title reports malware detected in a container or storage account, or similar. The alert must provide details about the file, container, and storage account.
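The following script is an added example for this validation step, not code from the article or from Microsoft: it builds the EICAR file byte-for-byte, checks it was not altered by an editor, uploads it, and polls the blob's index tags for the scan verdict rather than relying only on the portal. It assumes azure-storage-blob and azure-identity are installed, the caller has Storage Blob Data Contributor on the container, and that the scanner writes its verdict to a blob index tag named "Malware Scanning scan result" (assumed from the Defender for Storage documentation).

```python
"""Added example: validate the on-upload malware scan with the EICAR file."""
import hashlib
import time

# 68-byte EICAR pattern as printed in the article; raw string keeps the backslash.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Well-known SHA-256 of the canonical 68-byte EICAR file.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
# Blob index tag written by the scanner (assumed tag name, see lead-in).
SCAN_TAG = "Malware Scanning scan result"


def build_eicar() -> bytes:
    """Return the test file body with no trailing newline or BOM."""
    return EICAR.encode("ascii")


def is_canonical_eicar(data: bytes) -> bool:
    """Check the bytes before uploading: editors often append a newline or a
    BOM, and a padded file is a weaker test of the scanner than the exact pattern."""
    return len(data) == 68 and hashlib.sha256(data).hexdigest() == EICAR_SHA256


def verdict_from_tags(tags: dict) -> str:
    """Map the scanner's index tag to a short status: pending, clean or malicious."""
    value = tags.get(SCAN_TAG)
    if value is None:
        return "pending"  # scanner has not written its tag yet
    return "malicious" if value.lower() == "malicious" else "clean"


def upload_and_wait(account_url: str, container: str,
                    blob_name: str = "eicar.com.txt", timeout_s: int = 300) -> str:
    """Upload the test file and poll until the scan tag appears or we time out."""
    from azure.identity import DefaultAzureCredential  # imported lazily so the
    from azure.storage.blob import BlobClient          # helpers above run offline
    data = build_eicar()
    if not is_canonical_eicar(data):
        raise ValueError("test file is not the canonical EICAR pattern")
    blob = BlobClient(account_url, container, blob_name, credential=DefaultAzureCredential())
    blob.upload_blob(data, overwrite=True)
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        status = verdict_from_tags(blob.get_blob_tags())
        if status != "pending":
            return status  # "malicious" confirms the on-upload scan fired
        time.sleep(10)
    return "timeout"
```

A "malicious" result should coincide with the security alert described above; a "clean" or "timeout" result points at the troubleshooting items for malware scanning.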
2. Testing Suspicious Activity Detection (Data Exfiltration)
Simulating data exfiltration is more complex and must be done in an isolated test environment. However, we can simulate an unusual access that could generate an alert.
- Scenario: Access the storage account from an IP address or geographic location that is not typically used by your organization. For example, use a VPN to simulate access from a different country.
- Expected Action: Defender for Storage may generate an alert about Unusual access to a storage account or Suspicious access activity.
- Verification:
- In the Azure portal, navigate to Microsoft Defender for Cloud > Security Alerts.
- Look for alerts related to anomalous access activity.
3. Testing Sensitive Data Threat Detection
To test detection of sensitive data, you would need data classified as sensitive within your storage account and perform an activity that Defender for Storage would consider suspicious for that data. For example, a large number of document downloads with credit card information.
- Scenario: Upload some text files to a blob container that contain sensitive data patterns (e.g. fictitious credit card numbers, fictitious social security numbers). Then simulate a bulk access or download of these files.
- Expected Action: Defender for Storage may generate alerts such as Unusual access to sensitive data or Potential exfiltration of sensitive data.
- Verification:
- In the Azure portal, navigate to Microsoft Defender for Cloud > Security Alerts.
- Look for alerts related to sensitive data.
Security Tips and Best Practices
- Enable at Subscription Level: Whenever possible, enable Defender for Storage at a subscription level to ensure full, automatic coverage for all storage accounts.
- Review and Adjust Alerts: Monitor alerts generated by Defender for Storage. Adjust notification settings and investigate false positives to refine detection.
- SIEM/SOAR Integration: Integrate Defender for Cloud alerts (including Defender for Storage alerts) with your SIEM (e.g., Microsoft Sentinel) and SOAR for a centralized view of security and incident response automation.
- Principle of Least Privilege: Ensure that only the necessary entities (users, applications) have access to storage accounts and with the least privilege possible.
- Encryption at Rest and in Transit: While Defender for Storage protects against threats, make sure your data is always encrypted at rest (by default in Azure Storage) and in transit (using HTTPS).
- Network Access Control: Use storage firewalls, Service Endpoints, or Private Endpoints to restrict network access to your storage accounts.
- User Education: Make users aware of the risks of uploading malicious files and the importance of reporting suspicious activity.
Common Troubleshooting
- Defender for Storage is not enabled:
- Verify that the Storage plan is Enabled in Microsoft Defender for Cloud, both at the subscription level and at the storage account level if configured individually.
- Confirm that the subscription has the appropriate licensing (often included with Security Center Standard).
- Alerts are not being generated:
- Verify that email notification settings are correct in Security Center.
- Confirm that diagnostic logs for the storage account are being sent to Log Analytics (if using). Although Defender for Storage doesn't directly rely on diagnostic logs to generate alerts, they are useful for investigation.
- Make sure the activity you are testing actually triggers a Defender for Storage detection rule. Some activities may be considered normal depending on the context.
- False Positives (Alerts for legitimate activity):
- Investigate the alert in the Defender for Cloud portal to understand the reason for the alert.
- If it is legitimate activity, you can suppress the alert (with caution) or adjust your storage account/application settings to prevent the activity from being flagged as suspicious.
- Provide feedback to Microsoft about false positives to help improve threat intelligence.
- Malware scan not working:
- Ensure that 'Upload malware scanning' is 'Enabled' in Defender for Storage settings for the relevant account.
- Confirm that the file you are uploading is a supported file type for scanning for malware (particularly blobs).
- There may be a slight delay in alert generation after file upload.
Conclusion
Microsoft Defender for Storage is a must-have solution for protecting data stored in Azure against the ever-evolving threat landscape. By properly enabling and configuring its malware detection, activity monitoring, and sensitive data threat detection capabilities, organizations can significantly strengthen their cloud security posture. The ability to identify and alert on suspicious activity in real time enables rapid incident response, minimizing the impact of potential breaches. With this practical guide, security professionals and IT administrators will be well-equipped to configure, validate, and manage Microsoft Defender for Storage, ensuring their most valuable data assets remain secure and compliant.
References:
[1] Microsoft Learn. What is Microsoft Defender for Storage? Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/defender-for-storage-introduction
[2] Microsoft Learn. Defender for Storage security threats and alerts. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/defender-for-storage-threats-alerts
[3] Microsoft Learn. Deploy Microsoft Defender for Storage. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/tutorial-enable-storage-plan
[4] Microsoft Learn. Microsoft Defender for Storage upload malware scan. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/on-upload-malware-scanning
[5] Microsoft Learn. Configure malware scanning in Microsoft Defender for Storage. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/defender-for-storage-configure-malware-scan
[6] Microsoft Learn. Enable Microsoft Defender for Storage using the Azure portal. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/defender-for-storage-azure-portal-enablement