Azure Defender for Storage
Microsoft is a security company… No doubt about that.
Its security proposition is very comprehensive: from Identity and access management to Threat protection, from Information protection to Cloud Security, all the major security pillars are covered by the Microsoft strategy, products, and services.
Inside the “Threat protection” pillar, we can find several services, like the cloud-native SIEM called Azure Sentinel and the Extended Detection and Response (XDR) suite that is responsible for protecting user identities, emails, endpoints, and cloud apps, as well as specific workloads like SQL, Containers, IoT and more.
Lot of technology… Lot of protection…
Today I would like to test the module of Azure Defender that is responsible for the protection of Azure storage accounts.
Azure Defender for Storage - the benefits and features | Microsoft Docs
We need to start from Azure Security Center, which is the security posture management system inside Azure.
You can reach it from the Azure Portal -> Security Center.
From the Security Center console, you can retrieve a lot of information regarding the security posture of your subscription and your degree of compliance, take actions, and much more.
But you can also enable the protection of specific resources like SQL databases, IoT devices, DNS, Key Vaults, Container Registries… and Storage Accounts.
From the Getting started page I can select the subscription containing the Azure storage accounts that I want to protect (an Azure File Share containing the FSLogix profiles that I use in my Windows Virtual Desktop lab).
I can switch “On” the Storage protection and click “Save” in the upper left corner.
Now all my Azure Storage accounts are protected.
NOTE: Currently, switching the plan to “On” protects all the storage accounts in the subscription. Allowing the exclusion of selected storage accounts is on the roadmap.
What kind of alerts does Azure Defender for Storage provide?
Security alerts are triggered when there's:
- Suspicious access patterns - such as successful access from a Tor exit node or from an IP considered suspicious by Microsoft Threat Intelligence
- Suspicious activities - such as anomalous data extraction or unusual change of access permissions
- Upload of malicious content - such as potential malware files (based on hash reputation analysis) or hosting of phishing content
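To make the three alert families concrete, here is an added example (my own illustration, not Microsoft's detection logic and not code from the original post) that runs simplified versions of each check over a handful of constructed storage access log records. The record fields (`category`, `operationName`, `statusCode`, `callerIpAddress`, `uri`, `responseBodySize`, `requestMd5`) loosely follow the Azure Storage resource log layout but are constructed here, as are the Tor exit list (TEST-NET addresses), the permission-change operation names, the egress baseline, and the “bad hash” list, which contains only the MD5 of the EICAR test file.

```python
"""Simplified Defender-for-Storage-style checks over constructed storage access logs.

Added illustration only: not Microsoft's detection logic, not code from the post.
Field names, operation names and all indicator lists below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample indicators (TEST-NET ranges, EICAR test-file MD5): not real IoCs.
TOR_EXIT_NODES = {"203.0.113.7"}
KNOWN_BAD_HASHES = {"44d88612fea8a8f36de82e1278abb02f"}   # EICAR test file, MD5
PERMISSION_OPERATIONS = {"SetContainerACL", "SetShareACL"}  # assumed operation names
EGRESS_BASELINE_BYTES = 50 * 1024 * 1024                    # 50 MiB per caller per window

MIB = 1024 * 1024
FILE_HOST = "https://example.file.core.windows.net"
BLOB_HOST = "https://example.blob.core.windows.net"

SAMPLE_LOGS = [  # constructed records, loosely shaped like Azure Storage resource logs
    # Successful profile-disk download from a listed Tor exit node.
    {"category": "StorageRead", "operationName": "GetFile", "statusCode": 200,
     "callerIpAddress": "203.0.113.7:51234", "uri": f"{FILE_HOST}/profiles/user1.vhdx",
     "responseBodySize": 30 * MIB},
    # Normal read from an internal address.
    {"category": "StorageRead", "operationName": "GetFile", "statusCode": 200,
     "callerIpAddress": "192.0.2.10:49152", "uri": f"{FILE_HOST}/profiles/user2.vhdx",
     "responseBodySize": 5 * MIB},
    # Denied request from the Tor exit node: no successful access, so no alert.
    {"category": "StorageRead", "operationName": "GetFile", "statusCode": 403,
     "callerIpAddress": "203.0.113.7:51240", "uri": f"{FILE_HOST}/profiles/user3.vhdx",
     "responseBodySize": 0},
    # Two large reads from one caller that together exceed the egress baseline.
    {"category": "StorageRead", "operationName": "GetBlob", "statusCode": 200,
     "callerIpAddress": "198.51.100.23:40000", "uri": f"{BLOB_HOST}/backups/db1.bak",
     "responseBodySize": 40 * MIB},
    {"category": "StorageRead", "operationName": "GetBlob", "statusCode": 200,
     "callerIpAddress": "198.51.100.23:40001", "uri": f"{BLOB_HOST}/backups/db2.bak",
     "responseBodySize": 40 * MIB},
    # Access permission change on a file share.
    {"category": "StorageWrite", "operationName": "SetShareACL", "statusCode": 200,
     "callerIpAddress": "198.51.100.23:40002", "uri": f"{FILE_HOST}/profiles?restype=share&comp=acl"},
    # Upload whose MD5 matches the EICAR test file.
    {"category": "StorageWrite", "operationName": "PutBlob", "statusCode": 201,
     "callerIpAddress": "192.0.2.10:49200", "uri": f"{BLOB_HOST}/uploads/invoice.exe",
     "requestMd5": "44d88612fea8a8f36de82e1278abb02f"},
]


def caller_ip(record):
    """Strip the ':port' suffix that storage logs append to the caller address."""
    host, _, _ = record["callerIpAddress"].rpartition(":")
    return host


def successful(record):
    return 200 <= record["statusCode"] < 300


def detect_suspicious_access(records):
    """Suspicious access pattern: a *successful* request from a listed Tor exit node."""
    return [{"alert": "TorAccess", "caller": caller_ip(r), "detail": r["uri"]}
            for r in records if successful(r) and caller_ip(r) in TOR_EXIT_NODES]


def detect_suspicious_activity(records):
    """Suspicious activity: egress above the per-caller baseline, or a permission change."""
    findings, egress = [], defaultdict(int)
    for r in records:
        if not successful(r):
            continue
        ip = caller_ip(r)
        if r["category"] == "StorageRead":
            egress[ip] += r.get("responseBodySize", 0)
        if r["operationName"] in PERMISSION_OPERATIONS:
            findings.append({"alert": "PermissionChange", "caller": ip, "detail": r["operationName"]})
    for ip, total in egress.items():
        if total > EGRESS_BASELINE_BYTES:
            findings.append({"alert": "DataExfiltration", "caller": ip, "detail": f"{total} bytes read"})
    return findings


def detect_malicious_upload(records):
    """Malicious content: a successful write whose content hash is on the reputation list."""
    return [{"alert": "MaliciousUpload", "caller": caller_ip(r), "detail": r["uri"]}
            for r in records
            if successful(r) and r["category"] == "StorageWrite"
            and r.get("requestMd5", "").lower() in KNOWN_BAD_HASHES]


def run_all(records):
    return (detect_suspicious_access(records)
            + detect_suspicious_activity(records)
            + detect_malicious_upload(records))


if __name__ == "__main__":
    for f in run_all(SAMPLE_LOGS):
        print(f"{f['alert']:<17} caller={f['caller']:<15} {f['detail']}")
```

Note that the denied request from the Tor exit node produces nothing: like the real service, the check keys on successful access, which is why a failed probe and an actual download are triaged differently.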
OK, so my storage accounts are monitored and protected. How can I test it?
It’s simple, let’s simulate a suspicious activity!
I installed a Tor browser on my Windows device.
From this browser, I accessed the Azure Portal and I used the Storage Explorer to download the vhdx that is containing the profile of a Windows Virtual Desktop User.
In a few minutes, I received an email about a “suspicious activity” with a link to the Security Center. This happened because I accessed the storage from a Tor exit node, and this is marked as a suspicious activity.
And from the Azure Security Center page I can see an Alert about the event.
If I click on “View full details” I can drill down and read advice about how to mitigate this event.
I can also directly trigger an automatic response using Azure Logic Apps.
I can collect my alert in Azure Sentinel thanks to the native connector and correlate the Azure Security Center signals with those collected from other sources. (By the way, integration with third-party SIEM systems is also possible.)
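As an added example of the correlation step (not a query from the original post or from Microsoft), the KQL below pulls Defender for Storage alerts out of the Sentinel `SecurityAlert` table, extracts the client IP entity, and joins it against `AzureActivity` to see whether the same address also performed control-plane operations in the subscription. It assumes the Azure Security Center connector and Activity log collection are enabled; the `Storage.` AlertType prefix and the `Type`/`Address` layout of IP entities are assumptions to confirm against your own workspace before relying on the query.

```kql
// Added example, not from the original post. Assumes the Azure Security Center
// data connector (SecurityAlert) and Activity log collection (AzureActivity) are on.
// The "Storage." prefix and the IP entity layout are assumptions to verify in your tenant.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"
| where AlertType startswith "Storage."
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "ip"
| extend ClientIp = tostring(Entity.Address)
| project AlertTime = TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, ClientIp
| join kind=leftouter (
    AzureActivity
    | where TimeGenerated > ago(7d)
    | project ActivityTime = TimeGenerated, Caller, CallerIpAddress,
              OperationNameValue, ActivityStatusValue
) on $left.ClientIp == $right.CallerIpAddress
| order by AlertTime desc
```

A left outer join keeps alerts that have no matching Activity log entry, so an alert is never hidden just because the caller only touched the data plane; rows with a populated `Caller` are the ones worth prioritising, since the same address has also acted on the management plane.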
Simple and effective…
No matter whether your Azure Storage account is directly exposed to the internet or not, Azure Defender for Storage is able to protect it from suspicious access and activities.
For more information about how to enable and test it, you can read this article: Azure Defender for Storage - the benefits and features | Microsoft Docs
Principal Technical Account Manager @ Nerdio | Microsoft MVP | Content Creator | Author | DaaS | Azure Virtual Desktop | Windows 365 | Intune | Azure | AI | Co-author of Mastering Azure Virtual Desktop 2nd Edition
3 years ago: This looks great! Thanks for sharing Marco