Microsoft Defender for Cloud Blog

Microsoft Defender PoC Series – Microsoft Defender for Storage

Safeena Begum Lepakshi
Jul 22, 2021

[Post updated on 06/28/2024] by Fernanda Vela


Introduction

This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach, where you need to validate Microsoft Defender for Cloud and the Microsoft Defender plans together, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.


With the hybrid work model, more people and devices are now accessing corporate data via home networks, raising the risk of cyberattacks and elevating the importance of proper data protection. Storage accounts are among the resources most targeted by attackers, since they often hold critical business data and sensitive information.

With the help of Microsoft Defender for Storage, you can benefit from the advanced capabilities of Security AI and Microsoft threat intelligence to detect and hunt for attacks. To learn more about Microsoft's threat intelligence capabilities, be sure to read this article.


Planning

As part of your Microsoft Defender for Storage PoC, you need to identify the use case scenarios that you want to validate. A common scenario is for customers to determine whether their storage account sees any access from suspicious IP addresses, suspicious access patterns, or even a malicious content upload. Additionally, you may want to see whether there is leakage or abuse of access tokens, or lateral movement caused by compromised workloads. If you are interested in a deep dive on how Microsoft Defender alerts customers upon the detection of malicious activities, make sure you read this blog carefully. You can use the alerts identified by Microsoft Defender for Storage as your starting point to plan which actions you want to execute.


As of this writing, Microsoft Defender for Storage supports Blob Storage (Standard/Premium StorageV2, including Data Lake Gen2) with the Activity Monitoring, Malware Scanning, and Sensitive Data Discovery features; it also supports Azure Files (over REST API and SMB) with the Activity Monitoring feature. You can enable Microsoft Defender for Storage and its add-ons (Sensitive Data Threat Detection and Malware Scanning) at either the subscription level or the resource level. However, it is a best practice to configure it at the subscription level.

Preparation

Depending on the scenario, you need different levels of permissions to enable Defender for Storage and its features. You can enable and configure Defender for Storage at the subscription level or at the storage account level. You can also use built-in Azure policies to enable Defender for Storage and enforce its enablement on a desired scope.

The following table summarizes the permissions you need for each scenario. The permissions are either built-in Azure roles or action sets that you can assign to custom roles.

| Capability | Subscription Level | Storage Account Level |
|---|---|---|
| Activity Monitoring | Security Admin or Pricings/read, Pricings/write | Security Admin or Microsoft.Security/defenderforstoragesettings/read, Microsoft.Security/defenderforstoragesettings/write |
| Malware Scanning | Subscription Owner or action set 1 | Storage Account Owner or action set 2 |
| Sensitive Data Threat Detection | Subscription Owner or action set 1 | Storage Account Owner or action set 2 |


Action set 1: Subscription level enablement and configuration

  • Microsoft.Security/pricings/write
  • Microsoft.Security/pricings/read
  • Microsoft.Security/pricings/SecurityOperators/read
  • Microsoft.Security/pricings/SecurityOperators/write
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete

Action set 2: Storage account level enablement and configuration

  • Microsoft.Storage/storageAccounts/write
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Security/defenderforstoragesettings/read
  • Microsoft.Security/defenderforstoragesettings/write
  • Microsoft.EventGrid/eventSubscriptions/read
  • Microsoft.EventGrid/eventSubscriptions/write
  • Microsoft.EventGrid/eventSubscriptions/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
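As an added example, not code from the post or from the Microsoft Defender for Cloud GitHub repository, the following Bicep template performs the subscription-level enablement described above, turning on the plan together with the Malware Scanning and Sensitive Data Discovery add-ons. Deploying it requires the permissions in action set 1; the 5000 GB monthly scanning cap is an assumed value chosen for illustration.

```bicep
// Deploy at subscription scope; the identity running the deployment
// needs the action set 1 permissions (pricings read/write etc.).
targetScope = 'subscription'

// Enables Microsoft Defender for Storage (the V2 plan) on the whole
// subscription, which is the best practice recommended in the post.
resource defenderForStorage 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        // Malware Scanning add-on: scans blobs on upload.
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          // Assumed per-account monthly cap (GB) to bound scanning cost.
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        // Sensitive Data Threat Detection add-on.
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}
```

Deploy it with `az deployment sub create --location <region> --template-file <file>.bicep`; setting either `isEnabled` to `'False'` leaves the base plan on while disabling that add-on.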


For more information about roles and privileges, visit this article. If you are conducting this PoC in partnership with the SOC Team, make sure they are familiar with the alerts that may appear once you enable this plan. Review all alerts available at our Alerts Reference Guide.

If you want to calculate the cost of Defender for Storage in your environment, make sure to visit this blog post, which explains how to use a Workbook for cost estimation, and the Microsoft Defender for Cloud GitHub repository, which has PowerShell scripts that help in the same way.

From the readiness perspective, make sure to review the following resources to better understand Microsoft Defender for Storage.

Implementation and validation

To test the security alerts from Microsoft Defender for Storage, follow the steps from here to trigger a test alert.

Whether an alert is generated by Microsoft Defender for Storage or received by Microsoft Defender from a different Microsoft security solution (Microsoft Defender for Endpoint, for example), you can also export it. To export your alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM. To investigate Microsoft Defender alerts using Azure Sentinel, make sure to check out this blog to understand how they operate in a better together scenario.

To understand how to remediate security alerts using the Microsoft Defender for Cloud enhanced protection plans, make sure you check out this chapter from the SC-200 certification exam learning guide. You can also create an automatic response to a specific security alert using an ARM template; read more about it in our documentation.

Make sure to check out our Microsoft Defender for Cloud GitHub repository, which gives you access to numerous sample security playbooks that help you automate the remediation of a recommendation.


Conclusion

By the end of this PoC you should be able to determine the value proposition of Microsoft Defender for Storage and the importance of having this level of threat detection for your workloads.

P.S. Subscribe to our Microsoft Defender for Cloud and Microsoft Defender plans Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.

Reviewer

Thank you to @Yuri Diogenes, Principal PM Manager for reviewing this article.


Updated Jun 26, 2024
Version 7.0