Description:
Microsoft Defender for Storage is a security solution designed to provide advanced threat protection for your Azure Storage accounts. It offers capabilities like anomaly detection, malware detection, and real-time alerts to protect data in your storage accounts from potential threats. Ensuring that Microsoft Defender for Storage is enabled adds an extra layer of security for your cloud storage resources, helping detect and mitigate risks related to unauthorized access, data breaches, and malicious activities.
Rationale:
Enabling Microsoft Defender for Storage helps protect sensitive data stored in Azure Storage accounts, including Blob Storage, File Shares, and Data Lake Storage Gen2. This provides automatic detection of potentially malicious activities, such as ransomware, unauthorized access attempts, and data exfiltration. With Microsoft Defender enabled, you gain visibility and real-time alerts that can trigger automated remediation actions, improving your security posture.
Impact:
Enabling Microsoft Defender for Storage ensures that your Azure Storage accounts are monitored for security threats. While the feature enhances security, it may increase costs due to the monitoring and alerting capabilities. It’s important to review and adjust alert thresholds to avoid excessive notifications, especially for high-volume storage environments.
Default Value:
By default, Microsoft Defender for Storage is not enabled for new Azure Storage accounts and must be manually configured.
Pre-requisites:
Azure subscription with access to Azure Storage accounts.
Microsoft Defender for Cloud should be enabled.
User must have Owner, Contributor, or Security Admin roles in the Azure subscription to enable Microsoft Defender for Storage.
Audit:
Sign in to the Azure portal as an Owner, Contributor, or Security Admin.
Navigate to Microsoft Defender for Cloud.
Check the Security Center settings to ensure Microsoft Defender for Storage is enabled for your storage accounts.
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Security Admin permissions.
Navigate to Microsoft Defender for Cloud:
In the Azure portal, go to Microsoft Defender for Cloud.
Enable Defender for Storage:
In Microsoft Defender for Cloud, select Environment settings.
Under Defender plans, ensure that Microsoft Defender for Storage is turned on for all your Azure Storage accounts.
If it’s not enabled, select the Enable option for Defender for Storage.
Use Azure CLI for Automated Enabling: If you prefer to enable Microsoft Defender for Storage via command-line tools, you can use the Azure CLI to enable it for all your storage accounts:
First, ensure that Azure CLI is installed and that you're logged in with an account that has sufficient permissions.
Run the following command to enable Microsoft Defender for Storage:
az security pricing create --name StorageAccounts --tier Standard
To verify that Defender for Storage is enabled, use the following command:
az security pricing show --name StorageAccounts
Verify Defender for Storage Status:
After enabling Defender for Storage, go to the Azure Storage account.
In the Microsoft Defender for Cloud pane, check for alerts related to storage accounts and ensure that the Defender service is actively monitoring your storage resources.
Test the Defender for Storage alerts by triggering a security event, such as an unauthorized access attempt.
Monitor Alerts and Configure Notifications:
In Microsoft Defender for Cloud, configure alert rules to notify administrators of suspicious activity or potential threats to your storage accounts.
Set up automated remediation actions based on the alerts (e.g., block suspicious IP addresses, disable user accounts).
Review and Automate Regular Scans:
Enable automatic scanning of storage accounts for malware and anomalies.
Regularly review the Security Center to ensure that all storage accounts are consistently monitored.
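The CLI verification step above returns JSON. The following audit helper is added here and is not part of the original benchmark text: it parses that JSON (a constructed sample shaped like the CLI's response is embedded so it runs offline) and reports whether the Defender for Storage plan is on the Standard tier. The function names defender_tier and check_defender_storage are my own; pricingTier is the field name az security pricing show returns.

```shell
#!/bin/sh
# Added audit helper (not from the original benchmark): reads the JSON from
# "az security pricing show --name StorageAccounts" and reports whether the
# Defender for Storage plan is on the Standard tier. Uses sed instead of jq
# so it has no dependency beyond a POSIX shell.

# Extract the pricingTier value from JSON on stdin (works on pretty-printed
# multi-line output as well as single-line JSON).
defender_tier() {
  sed -n 's/.*"pricingTier"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 (compliant) when the tier is Standard, 1 otherwise.
check_defender_storage() {
  tier=$(printf '%s' "$1" | defender_tier)
  if [ "$tier" = "Standard" ]; then
    echo "COMPLIANT: Defender for Storage tier is Standard"
    return 0
  fi
  echo "NON-COMPLIANT: Defender for Storage tier is '${tier:-unknown}' (expected Standard)"
  return 1
}

# Constructed sample responses, shaped like the CLI's JSON for a Defender plan.
SAMPLE_ENABLED='{ "name": "StorageAccounts", "pricingTier": "Standard", "type": "Microsoft.Security/pricings" }'
SAMPLE_DISABLED='{ "name": "StorageAccounts", "pricingTier": "Free", "type": "Microsoft.Security/pricings" }'

# Live audit: uncomment when logged in to az with Owner, Contributor or
# Security Admin rights on the subscription.
# check_defender_storage "$(az security pricing show --name StorageAccounts -o json)"

check_defender_storage "$SAMPLE_ENABLED"
check_defender_storage "$SAMPLE_DISABLED" || true
```

The exit status of check_defender_storage (0 compliant, 1 not) lets the helper be dropped into a scheduled compliance job that fails when the plan has been switched off.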
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Security Admin permissions.
Navigate to Microsoft Defender for Cloud:
Go to Microsoft Defender for Cloud in the Azure portal.
Disable Microsoft Defender for Storage:
In Microsoft Defender for Cloud, go to Environment settings and toggle off Microsoft Defender for Storage under Defender plans.
This will stop monitoring storage accounts for threats.
Use Azure CLI for Disabling:
To disable Microsoft Defender for Storage via the Azure CLI, run the following command:
az security pricing create --name StorageAccounts --tier Free
Verify Defender for Storage is Disabled:
Use the Azure CLI to confirm that Defender for Storage is disabled by running the following:
az security pricing show --name StorageAccounts
Test the Configuration:
Verify that Defender for Storage is no longer monitoring storage accounts by checking the alerts and monitoring dashboards in Microsoft Defender for Cloud.