Microsoft Defender PoC Series – Microsoft Defender for Storage
Published Jul 22 2021 02:00 PM 8,095 Views


This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plans. For a more holistic approach where you need to validate Microsoft Defender for Cloud and Microsoft Defender plans, please read How to Effectively Perform an Microsoft Defender for Cloud PoC article. 


With the hybrid work model, more people and devices are now accessing corporate data via home networks, raising the risks of cyberattacks and elevating the importance of proper data protection. Data storage is one of the resources most targeted by attackers since they often hold critical business data and sensitive information.   

With the help of Microsoft Defender for Storage, you can benefit from advanced capabilities of Security AI and Microsoft threat intelligence, to detect and hunt for attacks. To learn more about Microsoft’s Threat Intelligence capabilities, be sure to read this article  



As part of your Microsoft Defender for Storage PoC you need to identify the use case scenarios that you want to validate. A common scenario is for the customers to identify if their Storage account has any access from suspicious IP address, or suspicious access patterns or even if there’s a malicious content upload or even to get alerted if a phishing content hosted on Storage accounts. In Microsoft Defender for Storage malware alert is based on hash reputation analysis. If you are interested to deep dive on how Microsoft Defender alerts customers upon the detection of malicious activities make sure you read this blog carefully. You can use the Alerts identified by Microsoft Defender for Storage as your starting point to plan which actions you want to execute.  


As of this writing, Microsoft Defender for Storage protects three storage types. Blob StorageAzure Files and Azure Data Lake Storage Gen2. You can enable Microsoft Defender for Storage at either the subscription level or resource level. However, It’s a best practice to configure on the subscription level, but you may also configure it on individual storage accounts 


Screenshot 2021-10-31 125620.png


You need at least Security Admin role to enable Microsoft Defender for Storage. For more information about roles and privileges, visit this article. If you are conducting this PoC in partnership with the SOC Team, make sure they are familiar with the alerts that may appear once you enable this plan. Review all alerts available at our Alerts Reference Guide.

You may need price estimation to share with your team to make sure it fits the team budget, and we have your back with number of super cool options. You may use Azure Pricing Calculator to figure out the pricing estimate. Furthermore, if you need to figure out how many transactions you are doing in your Storage Accounts in order to have a more accurate estimation, please use this workbook which would make it even easier to accomplish this task as the workbook provides you with Estimated price for 7days based on the number of transactions performed within that period and estimated monthly price takes those 7 days as sample and calculates it for a month. Make sure to read more about it in our blog


From the readiness perspective, make sure to review the following resources to better understand Microsoft Defender for Storage

Implementation and validation      

To test the Security alerts from Microsoft Defender for Storage follow the steps from here to trigger a test alert. Also, review this article that will go over the steps to simulate an upload of a test malware (EICAR) to an Azure Storage account that has ATP for Azure Storage enabled.


Whether an alert is generated by Microsoft Defender for Storage or received by Microsoft Defender from a different Microsoft security solution (MDE for example), you can also export it. To export your alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM. To investigate Microsoft Defender alerts using Azure Sentinel, make sure to check out this blog to understand how they operate in a better together scenario.


To understand how to remediate security alerts using Microsoft Defender for Cloud Enhanced protection plans, make sure you check out this chapter from SC-200 certification exam learning guide. You can also create an automatic response to a specific security alert using an ARM template, read more about it in our documentation.


Make sure to check out our Microsoft Defender for Cloud Github repository which gives you access to numerous sample security playbooks that will help you automate in remediating a recommendation.



By the end of this PoC you should be able to determine the value proposition of Microsoft Defender for Storage and the importance to have this level of threat detection to your workloads.


Stay tuned for more Microsoft Defender PoC Series!


P.S. Subscribe to our Microsoft Defender for Cloud and Microsoft Defender plans Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.



Thank you to @Yuri Diogenes, Principal Program Manager in the CxE Team for reviewing this article.

Version history
Last update:
‎Oct 31 2021 01:18 PM