What is Microsoft Defender for Storage

Microsoft Defender for Cloud provides an Azure-native layer of security intelligence that identifies potential threats to your storage accounts with the Defender for Storage plan.

Defender for Storage prevents malicious file uploads, sensitive data exfiltration, and data corruption, ensuring the security and integrity of your data and workloads.

Defender for Storage provides comprehensive security by analyzing the data plane and control plane telemetry generated by Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. It uses advanced threat detection capabilities powered by Microsoft Threat Intelligence, Microsoft Defender Antivirus, and sensitive data discovery to help you identify and mitigate potential threats.

Animated diagram showing how Defender for Storage protects against common threats to data.

Defender for Storage features

Defender for Storage includes the following features:

  • Activity monitoring - Detect unusual and potentially harmful activities involving your storage accounts by analyzing access patterns and behaviors. This is valuable for identifying unauthorized access, data exfiltration attempts, and other security threats.

  • Activity monitoring - Detect unusual and potentially harmful activities involving storage accounts by analyzing access patterns and behaviors. This is valuable for identifying unauthorized access, data exfiltration attempts, and other security threats.

  • Sensitive data threat detection - Identify and protect sensitive data within storage accounts by detecting suspicious activities that might indicate a potential security threat. Defender for Storage enhances the security of sensitive information stored in Azure by monitoring actions such as unusual data access patterns or potential data exfiltration.

  • Malware scanning - Scan storage accounts for malware by analyzing files for known threats and suspicious content. This helps identify and mitigate potential security risks from malicious files that might be stored or uploaded to Azure storage accounts. As a result, it enhances the overall security posture of data storage.

You can enable Defender for Storage agentlessly at the subscription level, resource level, or at scale.

When you enable Defender for Storage at the subscription level, all existing and newly created storage accounts under that subscription are automatically included and protected. You can exclude specific storage accounts from protected subscriptions.

Note

If you have Defender for Storage (classic) enabled and want access to the current security features and pricing, you'll need to migrate to the new pricing plan.

Benefits

Diagram showing the benefits of using Defender for Storage to protect your data.

Defender for Storage provides the following features:

  • Better protection against malware: Malware scanning detects in near real-time all file types, including archives of every uploaded blob. It provides fast and reliable results, preventing your storage accounts from acting as an entry and distribution point for threats. Learn more about Malware scanning.

  • Improved threat detection and protection of sensitive data: Sensitive data threat detection helps security professionals prioritize and examine security alerts efficiently. It considers the sensitivity of the data at risk, improving detection and protection against potential threats. This capability reduces the chance of data breaches by identifying and addressing the most significant risks. It improves sensitive data protection by detecting exposure events and suspicious activities on resources containing sensitive data. Learn more about sensitive data threat detection.

  • Detection of entities without identities: Defender for Storage detects suspicious activities from entities without identities that access your data using misconfigured and overly permissive Shared Access Signatures (SAS). These SAS might be leaked or compromised. You can improve security and reduce the risk of unauthorized access. This capability expands the Activity Monitoring security alerts suite.

  • Coverage of the top cloud storage threats: Defender for Storage is powered by Microsoft Threat Intelligence, behavioral models, and machine learning models to detect unusual and suspicious activities. Defender for Storage security alerts cover the top cloud storage threats, such as sensitive data exfiltration, data corruption, and malicious file uploads.

  • Comprehensive security without enabling logs: When you enable Microsoft Defender for Storage, it continuously analyzes the data and control telemetry stream from Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. You don't need to enable diagnostic logs for analysis.

  • Frictionless enablement at scale: Microsoft Defender for Storage is an agentless solution, easy to deploy, and enables security protection at scale using a native Azure solution.

How does Defender for Storage work?

Activity monitoring

Defender for Storage continuously analyzes data and control plane logs from protected storage accounts. You don't need to turn on resource logs for security benefits. Microsoft Threat Intelligence identifies suspicious signatures such as malicious IP addresses, Tor exit nodes, and potentially dangerous apps. It builds data models and uses statistical and machine-learning methods to spot baseline activity anomalies, which might indicate malicious behavior. You receive security alerts for suspicious activities, but Defender for Storage ensures you don't receive too many similar alerts. Activity monitoring doesn't affect performance, ingestion capacity, or data access.

Diagram showing how activity monitoring identifies threats to your data.

Malware scanning (powered by Microsoft Defender Antivirus)

Malware scanning in Defender for Storage protects storage accounts from malicious content by performing a full malware scan on uploaded content in near real time, applying Microsoft Defender Antivirus capabilities. It fulfills security and compliance requirements to handle untrusted content. Every file type is scanned, and results are returned for every file. Malware scanning is an agentless SaaS solution that allows simple setup at scale, with zero maintenance, and supports automating response at scale. Malware scanning is a configurable feature in the new Defender for Storage plan that is priced per GB scanned. Learn more about Malware scanning.

Sensitive data threat detection (powered by Sensitive Data Discovery)

Sensitive data threat detection helps security teams prioritize and examine security alerts efficiently. It considers the sensitivity of the data at risk, improving detection and preventing data breaches. Sensitive data threat detection is powered by Sensitive Data Discovery, an agentless engine that uses a smart sampling method to find resources with sensitive data. Sensitive Data Discovery integrates with Microsoft Purview's sensitive information types (SITs) and classification labels, allowing seamless inheritance of your organization's sensitivity settings.

Sensitive data threat detection is a configurable feature in the new Defender for Storage plan. You can enable or disable it at no additional cost. For more details, visit Sensitive data threat detection.

Pricing and cost controls

Per storage account pricing

The new Microsoft Defender for Storage plan has predictable pricing based on the number of storage accounts you protect. With the option to enable at the subscription or resource level and exclude specific storage accounts from protected subscriptions, you have increased flexibility to manage your security coverage. The pricing plan simplifies the cost calculation process, letting you scale easily as your needs change. Other charges might apply to storage accounts with high-volume transactions.

Defender for Storage also processes internal transactions, including Azure Blob Storage lifecycle management transactions. Defender for Storage might charge for transactions generated by a lifecycle policy.

Malware scanning - billing per GB, monthly capping, and configuration

Malware scanning is charged on a per-gigabyte basis for scanned data. To ensure cost predictability, a monthly cap can be established for each storage account's scanned data volume. This cap can be set subscription-wide, affecting all storage accounts within the subscription, or applied to individual storage accounts. Under protected subscriptions, you can set specific storage accounts with different limits.

By default, the limit is set to 5,000 GB per month per storage account. Once this threshold is exceeded, scanning ceases for the remaining blobs, with a 20-GB confidence interval. For configuration details, see configure Defender for Storage.

By default, the limit is set to 5,000 GB per month per storage account. Once this threshold is exceeded, scanning ceases for the remaining blobs, with a 20-GB confidence interval. For configuration details, see configure Defender for Storage.

Important

Malware scanning in Defender for Storage isn't included for free in the first 30-day trial and is charged from the first day in accordance with the pricing scheme available on the Defender for Cloud pricing page. Malware scanning incurs additional charges for other Azure services: Azure Storage read operations, Azure Storage blob indexing, and Azure Event Grid notifications.

Enablement at scale with granular controls

Microsoft Defender for Storage secures your data at scale with granular controls. You can apply consistent security policies across all your storage accounts within a subscription or customize them for specific accounts to suit your business needs. You can control your costs by choosing the level of protection you need for each resource. See enable Defender for Storage.

Monitor your malware scanning cap

To ensure uninterrupted protection while effectively managing costs, there are two security alerts related to malware scanning cap usage. The first alert, Malware scanning will stop soon: 75% of monthly gigabytes scan cap reached (Preview), is triggered as your usage approaches 75% of the set monthly cap, offering a heads-up to adjust your cap if needed. The second alert, Malware scanning stopped: monthly gigabytes scan cap reached (Preview), notifies you when the cap is reached and scanning is paused for the month, potentially leaving new uploads unscanned. Both alerts include details on affected storage accounts to prompt and inform action, ensuring you maintain your desired level of security without unexpected expenses.

Understand the differences between malware scanning and hash reputation analysis

Defender for Storage detects malicious content uploaded to storage accounts using Malware scanning and hash reputation analysis.

Malware scanning

Malware scanning uses Microsoft Defender Antivirus (MDAV) to scan blobs uploaded to Blob storage, providing comprehensive analysis that includes deep file scans and hash reputation analysis. This feature enhances detection against potential threats.

Malware scanning is a paid feature available only on the new plan.

Hash reputation analysis

Hash reputation analysis detects malware in Blob storage and Azure Files by comparing the hash values of newly uploaded blobs and files with those of known malware from Microsoft Threat Intelligence. Not all file protocols and operation types are supported with this capability, leading to some operations not being monitored for malware uploads. Unsupported use cases include SMB file shares and when a blob is created using Put Block and Put Block List. Hash reputation analysis is available in all plans.

In summary, malware scanning, available exclusively on the new plan for Blob storage, provides a comprehensive approach to malware detection. It achieves this by analyzing the full content of files and incorporating hash reputation analysis into its methodology.