Validating ATP for Azure Storage Detections in Azure Security Center

Published Dec 16 2019 05:10 AM

Advanced threat protection (ATP) for Azure Storage provides an additional layer of security intelligence that can be used to detect unusual and potentially harmful attempts to access or exploit storage accounts. This feature can be enabled via Azure Security Center or on each individual Azure Storage account. The main difference is that if you enable it in Azure Security Center, it applies to all storage accounts in the subscription on which Azure Security Center is enabled.

The goal of this post is to explain how to validate the ATP for Azure Storage detection by uploading a test malware file (EICAR) to the storage account using Storage Explorer. To follow the steps in this lab, make sure to enable ATP for Azure Storage under the Settings – Pricing Tier blade in Azure Security Center:





After enabling ATP for Azure Storage in Azure Security Center, follow the steps below:


1. Create a new Storage Account

2. Open the Storage Account that you created, and under Blob Service, click Containers:




3. Click the + Container button to create a new container

4. Under Name, type storageatpvalidation and leave the public access level set to private.

5. Click OK to create.

6. Download Storage Explorer on the computer that you will use to upload the test file (EICAR).

7. On this computer, create a text file using Notepad and copy the following string into it:



8. Save the text file as “” (or any other name if you want)

9. Open Storage Explorer and add your Azure account to it.

10. Open the storage account that you just created and under Blob Containers, click on the container that you created as shown below:



11. Click the Upload button on the right pane and select Upload files.

12. Under Selected files, click the three dots to open the dialog window and select the EICAR file.

13. Click Upload and wait until you see that the file was uploaded.


At this point you just need to wait until the detection takes place (which can take a little while). Once the detection takes place, a new alert will be generated in Azure Security Center, similar to the one below:




This alert also contains useful information about the potential cause, and a threat report towards the end of the blade:



You will also receive an email similar to the one below (read this blog post for more info about email notification):




The email contains all the information available in the alert, but for the purpose of this blog, only part of the email content is shown.


Get started today
It is incredibly easy to enable Advanced Threat Protection for your storage accounts using the Azure Portal, Azure Policy, REST API or PowerShell.
We encourage you to try it out for free for the first 30 days. You can learn more about Advanced Threat Protection for Azure Storage alerts and how to enable it on the getting started page.


Special thanks to:

Hasan Abo-Shally, Guy Waldman, Yoav Frandzel and Ron Matchoro for contributing and reviewing this post.

Senior Member

Thanks for the update. We don't have granular control on Azure Key Vault, so is there any alternative? Just wondering.



You can grant most of the access permissions by using the Azure portal. To grant granular permissions, you can use Azure PowerShell or the Azure CLI. Please see here for more info:

Regular Visitor

Is it possible to reduce detection time? We have to wait 3+ hours before we get an alert.


@IrynaH right now there is nothing that you can do on your side to improve this side. However, we are working in our backend to improve this time.

Regular Visitor

@Yuri Diogenes, is it possible to know how often the ATP scan is going (time interval)? So we can get to know which blobs are malware-free or were scanned, based on creation time?

For example: if a blob is like 4 hours old, then we can be sure that it was scanned.



Hello @IrynaH - unfortunately we can't make this assumption due to the way that this threat detection works. The current solution is based on Storage’s telemetry stream. The stream contains logs of operations that were performed on ATP enabled storage accounts. Some, but not all, of these operation logs contain hashes of the related blob or file, and we can then compare this to our threat intelligence data. However, there are many cases where no such hash is present in the telemetry. As I mentioned, we have work in progress to reduce this time to minutes. Thanks for checking!
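
The reply above describes hash matching over a telemetry stream in which many operation logs carry no hash. The Python model below is an added illustration, not code from this post or from Microsoft; the record shape, the use of SHA-256 and every sample record are assumptions constructed here. It shows that a blob can end up in one of three states, and that only one of them is visible to someone watching alerts, so a blob's age alone does not tell you it was evaluated.

```python
"""Model of hash-based detection over a storage telemetry stream.
Added illustration, not Microsoft's implementation; all data is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class OperationLog:               # hypothetical record shape
    operation: str                # storage operation name
    blob: str                     # blob path the operation touched
    content_hash: Optional[str]   # None when the log carries no hash


def digest(data: bytes) -> str:
    # SHA-256 is an assumption; the page does not say which hash is used.
    return hashlib.sha256(data).hexdigest()


# Constructed threat-intelligence set: the hash of a harmless placeholder payload.
THREAT_INTEL = {digest(b"constructed-known-bad-sample")}

# Constructed telemetry: two logs with a hash, one without.
TELEMETRY = [
    OperationLog("PutBlob", "uploads/report.pdf", digest(b"benign report")),
    OperationLog("PutBlob", "uploads/sample.bin", digest(b"constructed-known-bad-sample")),
    OperationLog("PutBlock", "uploads/big.iso", None),
]


def classify(telemetry, threat_intel):
    """Map each blob to 'alert', 'no_match' or 'not_evaluated'."""
    verdicts = {}
    for log in telemetry:
        if log.content_hash is None:
            # Nothing to compare: keep any earlier verdict, else mark unknown.
            verdicts.setdefault(log.blob, "not_evaluated")
        elif log.content_hash in threat_intel:
            verdicts[log.blob] = "alert"
        elif verdicts.get(log.blob) != "alert":
            verdicts[log.blob] = "no_match"
    return verdicts


def alerts_seen(verdicts):
    """What an alert subscriber observes; the other two states look identical."""
    return sorted(blob for blob, v in verdicts.items() if v == "alert")


if __name__ == "__main__":
    result = classify(TELEMETRY, THREAT_INTEL)
    for blob, verdict in result.items():
        print(f"{blob}: {verdict}")
    print("alerts:", alerts_seen(result))
```
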

Regular Visitor

Many thanks for such a detailed answer @Yuri Diogenes

I'm looking for some more or less real-time anti-malware scan on Azure Storage. That is how I came to ATP. Can you suggest any other solution that can be used for such a purpose?


Unfortunately we don't have another solution for that, @IrynaH 

Is there an event fired when the security scan is complete, with maybe flags on the result of the event and a pointer to the blob that was scanned? Would be useful for automating.


@Hari Praghash Kalyanasundaram Subramaniam no, there is no event, but you can use the sample below to create an automation based on the alert

Occasional Visitor



@Yuri Diogenes An alert if malware is found is obviously useful, but what we also need is a signal that a file was scanned and that it was found to be clean. Just waiting 3 hours and hoping the file has been scanned is not workable.





@dvijlbrief thanks for sharing your feedback. We are aware of this and we are working to improve the detection time. 

Occasional Visitor

Hi @Yuri Diogenes ,


Thanks, but please note I'm not actually talking about detection time. My main point is that not only malware detection should be there but also a 'clean' result should be there. I need to be able to see/detect a file was scanned and found to be free of malware.


Kind Regards,



@dvijlbrief I understand that too, and we got this feedback on our backlog. 

Occasional Visitor

@Yuri Diogenes Is there a way to follow the status of this?


@KimiJ any updates on feature stats are announced in the Azure Updates page. You can use the RSS feed from the page below to get notifications of our monthly updates.

Occasional Visitor

Storage Explorer isn't letting me upload the malware file. I tried various other approaches to upload using Azure CLI and SAS URLs but did not get any alerts in ASC (also the Defender Plan is ON for all my resources).

Any suggestions of how to generate alert?


@pruchita97 you can use the alert validation feature Alert validation in Azure Security Center | Microsoft Docs

Last update: Dec 16 2019 10:02 AM