Advanced threat protection (ATP) for Azure Storage provides an additional layer of security intelligence that can be used to detect unusual and potentially harmful attempts to access or exploit storage accounts. This feature can be enabled via Azure Security Center or on each individual Azure Storage account. The main difference is that if you enable on Azure Security Center, it will apply to all storage accounts in the subscription that Azure Security Center is enabled.
The goal of this post is to explain how to validate the ATP for Azure Storage account detection, by uploading a testing malware file (EICAR) to the storage account using Storage Explorer. To follow the steps in this lab, make sure to enable the ATP for Azure Storage under Settings – Pricing Tier blade in Azure Security Center:
After enabling ATP for Azure Storage in Azure Security Center,, follow the steps below:
1. Create a new Storage Account
2. Open the Storage Account that you created, and under Blob Service, click Containers:
3. Click the + Container button to create a new container
4. Under name, type storageatpvalidation and leave the public access to private.
8. Save the text file as “EICAR.com” (or any other name if you want)
9. Open Storage Explorer and add your Azure account to it.
10. Open the storage account that you just created and under Blob Containers, click on the container that you created as shown below:
11. Click Upload button on the right pane and select Upload files.
12. Under Selected files, click the three dots to open the dialog window and select the EICAR file.
13. Click upload and wait until you see that the file was uploaded.
At this point you just need to wait until the detection takes place (which can take a little while). Once the detection takes place, a new alert will be generated in Azure Security Center, similar to the one below:
This alert also contains some useful information about potential cause, and threat report towards the end of the blade:
You will also receive an email similar to the one below (read this blog post for more info about email notification):
The email contains the entire information available in the alert, but for the purpose of this blog, only partial part of the email content was used.
Get started today It is incredibly easy to enable Advanced Threat Protection for your storage accounts using Azure Portal, Azure Policy , Rest API or PowerShell We encourage you to try it out for Free for the first 30 days . You can learn more about Advanced Threat Protection for Azure Storage alerts and how to enable it on the getting started page.
Special thanks to:
Hasan Abo-Shally, Guy Waldman, Yoav Frandzel and Ron Matchoro for contributing and reviewing this post.