Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1068131%22%20slang%3D%22en-US%22%3EValidating%20ATP%20for%20Azure%20Storage%20Detections%20in%20Azure%20Security%20Center%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1068131%22%20slang%3D%22en-US%22%3E%3CP%3EAdvanced%20threat%20protection%20(ATP)%20for%20Azure%20Storage%20provides%20an%20additional%20layer%20of%20security%20intelligence%20that%20can%20be%20used%20to%20detect%20unusual%20and%20potentially%20harmful%20attempts%20to%20access%20or%20exploit%20storage%20accounts.%20This%20feature%20can%20be%20enabled%20via%20Azure%20Security%20Center%20or%20on%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fstorage%2Fcommon%2Fstorage-advanced-threat-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eeach%20individual%20Azure%20Storage%20account%3C%2FA%3E.%20The%20main%20difference%20is%20that%20if%20you%20enable%20on%20Azure%20Security%20Center%2C%20it%20will%20apply%20to%20all%20storage%20accounts%20in%20the%20subscription%20that%20Azure%20Security%20Center%20is%20enabled.%3C%2FP%3E%0A%3CP%3EThe%20goal%20of%20this%20post%20is%20to%20explain%20how%20to%20validate%20the%20ATP%20for%20Azure%20Storage%20account%20detection%2C%20by%20uploading%20a%20testing%20malware%20file%20(%3CA%20href%3D%22http%3A%2F%2Fwww.eicar.org%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEICAR%3C%2FA%3E)%20to%20the%20storage%20account%20using%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvs-azure-tools-storage-manage-with-storage-explorer%3Ftabs%3Dwindows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EStorage%20Explorer%3C%2FA%3E.%20To%20follow%20the%20steps%20in%20this%20lab%2C%20make%20sure%20to%20enable%20the%20ATP%20for%20Azure%20Storage%20under%20%3CEM%3ESettings%20%E2%80%93%20Pricing%20Tier%3C%2FEM%3E%20blade%20in%20Azure%20Security%20Center%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161970i083E3C8821024880%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22pricing.JPG%22%20title%3D%22pricing.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%20enabling%20ATP%20for%20Azure%20Storage%20in%20Azure%20Security%20Center%2C%2C%20follow%20the%20steps%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Create%20a%20new%20Storage%20Account%3C%2FP%3E%0A%3CP%3E2.%20Open%20the%20Storage%20Account%20that%20you%20created%2C%20and%20under%20%3CSTRONG%3EBlob%20Service%3C%2FSTRONG%3E%2C%20click%20%3CSTRONG%3EContainers%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20753px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161971i81B94E8D1F698917%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22newstorage.JPG%22%20title%3D%22newstorage.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E3.%20Click%20the%20%3CSTRONG%3E%2B%20Container%3C%2FSTRONG%3E%20button%20to%20create%20a%20new%20container%3C%2FP%3E%0A%3CP%3E4.%20Under%20name%2C%20type%20%3CEM%3Estorageatpvalidation%3C%2FEM%3E%20and%20leave%20the%20public%20access%20to%20private.%3C%2FP%3E%0A%3CP%3E5.%20Click%20%3CSTRONG%3EOK%3C%2FSTRONG%3E%20to%20create.%3C%2FP%3E%0A%3CP%3E6.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Ffeatures%2Fstorage-explorer%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDownload%20Storage%20Explorer%3C%2FA%3E%20on%20the%20computer%20that%20you%20will%20use%20to%20upload%20the%20test%20file%20(EICAR).%3C%2FP%3E%0A%3CP%3E7.%20On%20this%20computer%2C%20create%20a%20text%20file%20using%20Notepad%20and%20copy%20the%20following%20string%20into%20it%3A%3C%2FP%3E%0A%3CP%3E%3CEM%3EX5O!P%25%40AP%5B4%5CPZX54(P%5E)7CC)7%7D%24EICAR-STANDARD-ANTIVIRUS-TEST-FILE!%24H%2BH*%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E8.%20Save%20the%20text%20file%20as%20%E2%80%9CEICAR.com%E2%80%9D%20(or%20any%20other%20name%20if%20you%20want)%3C%2FP%3E%0A%3CP%3E9.%20Open%20Storage%20Explorer%20and%20add%20your%20Azure%20account%20to%20it.%3C%2FP%3E%0A%3CP%3E10.%20Open%20the%20storage%20account%20that%20you%20just%20created%20and%20under%20%3CSTRONG%3EBlob%20Containers%3C%2FSTRONG%3E%2C%20click%20on%20the%20container%20that%20you%20created%20as%20shown%20below%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20638px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161972i1027D2A1C00D800D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Container.JPG%22%20title%3D%22Container.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E11.%20Click%20%3CSTRONG%3EUpload%3C%2FSTRONG%3E%20button%20on%20the%20right%20pane%20and%20select%20%3CSTRONG%3EUpload%20files%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E12.%20Under%20%3CSTRONG%3ESelected%20files%3C%2FSTRONG%3E%2C%20click%20the%20three%20dots%20to%20open%20the%20dialog%20window%20and%20select%20the%20EICAR%20file.%3C%2FP%3E%0A%3CP%3E13.%20Click%20upload%20and%20wait%20until%20you%20see%20that%20the%20file%20was%20uploaded.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20this%20point%20you%20just%20need%20to%20wait%20until%20the%20detection%20takes%20place%20(which%20can%20take%20a%20little%20while).%20Once%20the%20detection%20takes%20place%2C%20a%20new%20alert%20will%20be%20generated%20in%20Azure%20Security%20Center%2C%20similar%20to%20the%20one%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161973i5B7F8A6C6D71A5C5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22alert_part1.JPG%22%20title%3D%22alert_part1.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20alert%20also%20contains%20some%20useful%20information%20about%20potential%20cause%2C%20and%20threat%20report%20towards%20the%20end%20of%20the%20blade%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161974i980D85F526F9B6E4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22alert_part2.JPG%22%20title%3D%22alert_part2.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EYou%20will%20also%20receive%20an%20email%20similar%20to%20the%20one%20below%20(%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Security-Center%2FEmail-Notification-for-alerts-triggered-by-ATP-for-Azure-Storage%2Fba-p%2F616261%22%20target%3D%22_self%22%3Eread%20this%20blog%3C%2FA%3E%20post%20for%20more%20info%20about%20email%20notification)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20482px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161975iEFDB028D9535CACF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22alertemail.JPG%22%20title%3D%22alertemail.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20email%20contains%20the%20entire%20information%20available%20in%20the%20alert%2C%20but%20for%20the%20purpose%20of%20this%20blog%2C%20only%20partial%20part%20of%20the%20email%20content%20was%20used.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CSTRONG%3EGet%20started%20today%3C%2FSTRONG%3E%3CBR%20%2F%3EIt%20is%20incredibly%20easy%20to%20enable%20Advanced%20Threat%20Protection%20for%20your%20storage%20accounts%20using%20Azure%20Portal%2C%20Azure%20Policy%20%2C%20Rest%20API%20or%20PowerShell%20%3CBR%20%2F%3EWe%20encourage%20you%20to%20try%20it%20out%20for%20Free%20for%20the%20first%2030%20days%20.%20You%20can%20learn%20more%20about%20Advanced%20Threat%20Protection%20for%20Azure%20Storage%20alerts%20and%20how%20to%20enable%20it%20on%20the%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fstorage%2Fcommon%2Fstorage-advanced-threat-protection%3Ftabs%3Dazure-portal%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Egetting%20started%20page%3C%2FA%3E.%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ESpecial%20thanks%20to%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EHasan%20Abo-Shally%2C%26nbsp%3BGuy%20Waldman%2C%26nbsp%3B%3CI%3EYoav%20Frandzel%3C%2FI%3E%20and%20Ron%20Matchoro%20for%20contributing%20and%20reviewing%20this%20post.%3C%2FFONT%3E%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1068131%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EATP%20for%20Azure%20Storage%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Security%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1069568%22%20slang%3D%22en-US%22%3ERe%3A%20Validating%20ATP%20for%20Azure%20Storage%20Detections%20in%20Azure%20Security%20Center%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1069568%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20update.%20We%20don't%20have%20granular%20control%20on%20Azure%20key%20vault%2C%20so%20is%20there%20any%20alternative.%20Just%20wondering.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070021%22%20slang%3D%22en-US%22%3ERe%3A%20Validating%20ATP%20for%20Azure%20Storage%20Detections%20in%20Azure%20Security%20Center%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070021%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F491114%22%20target%3D%22_blank%22%3E%40Vatan_Joshi%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20grant%20most%20of%20the%20access%20permissions%20by%20using%20the%20Azure%20portal.%20To%20grant%20granular%20permissions%2C%20you%20can%20use%20Azure%20PowerShell%20or%20the%20Azure%20CLI.%20Please%20see%20here%20for%20more%20info%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fkey-vault-secure-your-key-vault%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fkey-vault-secure-your-key-vault%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Advanced threat protection (ATP) for Azure Storage provides an additional layer of security intelligence that can be used to detect unusual and potentially harmful attempts to access or exploit storage accounts. This feature can be enabled via Azure Security Center or on each individual Azure Storage account. The main difference is that if you enable on Azure Security Center, it will apply to all storage accounts in the subscription that Azure Security Center is enabled.

The goal of this post is to explain how to validate the ATP for Azure Storage account detection, by uploading a testing malware file (EICAR) to the storage account using Storage Explorer. To follow the steps in this lab, make sure to enable the ATP for Azure Storage under Settings – Pricing Tier blade in Azure Security Center:

 

pricing.JPG

 

 

After enabling ATP for Azure Storage in Azure Security Center,, follow the steps below:

 

1. Create a new Storage Account

2. Open the Storage Account that you created, and under Blob Service, click Containers:

 

newstorage.JPG

 

3. Click the + Container button to create a new container

4. Under name, type storageatpvalidation and leave the public access to private.

5. Click OK to create.

6. Download Storage Explorer on the computer that you will use to upload the test file (EICAR).

7. On this computer, create a text file using Notepad and copy the following string into it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

 

8. Save the text file as “EICAR.com” (or any other name if you want)

9. Open Storage Explorer and add your Azure account to it.

10. Open the storage account that you just created and under Blob Containers, click on the container that you created as shown below:

Container.JPG

 

11. Click Upload button on the right pane and select Upload files.

12. Under Selected files, click the three dots to open the dialog window and select the EICAR file.

13. Click upload and wait until you see that the file was uploaded.

 

At this point you just need to wait until the detection takes place (which can take a little while). Once the detection takes place, a new alert will be generated in Azure Security Center, similar to the one below:

 

alert_part1.JPG

 

This alert also contains some useful information about potential cause, and threat report towards the end of the blade:

 

alert_part2.JPG

You will also receive an email similar to the one below (read this blog post for more info about email notification):

 

alertemail.JPG

 

The email contains the entire information available in the alert, but for the purpose of this blog, only partial part of the email content was used.

 

Get started today
It is incredibly easy to enable Advanced Threat Protection for your storage accounts using Azure Portal, Azure Policy , Rest API or PowerShell
We encourage you to try it out for Free for the first 30 days . You can learn more about Advanced Threat Protection for Azure Storage alerts and how to enable it on the  getting started page.

 

Special thanks to:

Hasan Abo-Shally, Guy Waldman, Yoav Frandzel and Ron Matchoro for contributing and reviewing this post.

2 Comments
Regular Visitor

Thanks for the update. We don't have granular control on Azure key vault, so is there any alternative. Just wondering.

Microsoft

@Vatan_Joshi 

You can grant most of the access permissions by using the Azure portal. To grant granular permissions, you can use Azure PowerShell or the Azure CLI. Please see here for more info: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault