What is Microsoft Defender for Storage?
Microsoft Defender for Cloud gives you an Azure-native layer of security intelligence that finds potential threats to your storage accounts with the Defender for Storage plan.
Defender for Storage helps prevent malicious file uploads, sensitive data exfiltration, and data corruption, ensuring the security and integrity of your data and workloads.
Defender for Storage provides comprehensive security by analyzing the data plane and control plane telemetry generated by Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. It uses advanced threat detection capabilities powered by Microsoft Threat Intelligence, Microsoft Defender Antivirus, and Sensitive Data Discovery to help you discover and mitigate potential threats.
Defender for Storage includes:
Activity monitoring - Detect unusual and potentially harmful activities involving your storage accounts by analyzing access patterns and behaviors. This can be valuable for identifying unauthorized access, data exfiltration attempts, and other security threats.
Sensitive data threat detection - Identify and protect sensitive data within your storage accounts by detecting suspicious activities that might indicate a potential security threat. Defender for Storage enhances the security of your sensitive information stored in Azure by monitoring for actions such as unusual data access patterns or potential data exfiltration.
Malware scanning - Scan your storage accounts for malware by analyzing files for known threats and suspicious content. This helps in identifying and mitigating potential security risks from malicious files that might be stored or uploaded to your Azure storage accounts. As a result, it enhances the overall security posture of your data storage.
Get started
You can enable Defender for Storage agentlessly at the subscription level, resource levels, or at scale.
When you enable Defender for Storage at the subscription level, all existing and newly created storage accounts under that subscription are automatically included and protected. You can also exclude specific storage accounts from protected subscriptions.
Note
If you have the Defender for Storage (classic) enabled and want access to the current security features and pricing, you'll need to migrate to the new pricing plan.
Benefits
Defender for Storage provides the following features:
Better protection against malware: Malware scanning scans and detects in near real-time all file types, including archives of every uploaded blob. It provides fast and reliable results, helping you prevent your storage accounts from acting as an entry and distribution point for threats. Learn more about Malware scanning.
Improved threat detection and protection of sensitive data: The sensitive data threat detection capability helps security professionals prioritize and examine security alerts efficiently. It considers the sensitivity of the data at risk, leading to better detection and protection against potential threats. This capability reduces the chance of data breaches by quickly identifying and addressing the most significant risks. It also improves sensitive data protection by detecting exposure events and suspicious activities on resources containing sensitive data. Learn more about sensitive data threat detection.
Detection of entities without identities: Defender for Storage detects suspicious activities from entities without identities that access your data using misconfigured and overly permissive Shared Access Signatures (SAS tokens). These tokens might be leaked or compromised. You can then improve security and reduce the risk of unauthorized access. This capability is an expansion of the Activity Monitoring security alerts suite.
Coverage of the top cloud storage threats: Defender for Storage is powered by Microsoft Threat Intelligence, behavioral models, and machine learning models to detect unusual and suspicious activities. The Defender for Storage security alerts covers the top cloud storage threats, such as sensitive data exfiltration, data corruption, and malicious file uploads.
Comprehensive security without enabling logs: When you enable Microsoft Defender for Storage, it continuously analyzes both the data and control telemetry stream from Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. You don't need to enable diagnostic logs for this analysis.
Frictionless enablement at scale: Microsoft Defender for Storage is an agentless solution, easy to deploy, and enables security protection at scale using a native Azure solution.
How does Defender for Storage work?
Activity monitoring
Defender for Storage continuously analyzes data and control plane logs from protected storage accounts when enabled. There's no need to turn on resource logs for security benefits. Use Microsoft Threat Intelligence to identify suspicious signatures such as malicious IP addresses, Tor exit nodes, and potentially dangerous apps. It also builds data models and uses statistical and machine-learning methods to spot baseline activity anomalies, which might indicate malicious behavior. You receive security alerts for suspicious activities, but Defender for Storage ensures you don't get too many similar alerts. Activity monitoring doesn't affect performance, ingestion capacity, or access to your data.
Malware scanning (powered by Microsoft Defender Antivirus)
Malware scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time, applying Microsoft Defender Antivirus capabilities. It's designed to help fulfill security and compliance requirements to handle untrusted content. Every file type is scanned, and scan results are returned for every file. The Malware scanning capability is an agentless SaaS solution that allows simple setup at scale, with zero maintenance, and supports automating response at scale. This is a configurable feature in the new Defender for Storage plan that is priced per GB scanned. Learn more about Malware scanning.
Sensitive data threat detection (powered by Sensitive Data Discovery)
The sensitive data threat detection feature helps security teams prioritize and examine security alerts efficiently. It considers the sensitivity of the data at risk, which leads to better detection and helps prevent data breaches. Sensitive data threat detection is powered by the Sensitive Data Discovery engine, an agentless engine that uses a smart sampling method to find resources with sensitive data. The service is integrated with Microsoft Purview's sensitive information types (SITs) and classification labels, allowing seamless inheritance of your organization's sensitivity settings.
This is a configurable feature in the new Defender for Storage plan. You can choose to enable or disable it with no other cost. For more details, visit Sensitive data threat detection.
Pricing and cost controls
Per storage account pricing
The new Microsoft Defender for Storage plan has predictable pricing based on the number of storage accounts you protect. With the option to enable at the subscription or resource level and exclude specific storage accounts from protected subscriptions, you have increased flexibility to manage your security coverage. The pricing plan simplifies the cost calculation process, allowing you to scale easily as your needs change. Other charges might apply to storage accounts with high-volume transactions.
Malware scanning - billing per GB, monthly capping, and configuration
Malware scanning is charged on a per-gigabyte basis for scanned data. To ensure cost predictability, a monthly cap can be established for each storage account's scanned data volume, per-month basis. This cap can be set subscription-wide, affecting all storage accounts within the subscription, or applied to individual storage accounts. Under protected subscriptions, you can configure specific storage accounts with different limits.
By default, the limit is set to 5,000 GB per month per storage account. Once this threshold is exceeded, scanning ceases for the remaining blobs, with a 20-GB confidence interval. For configuration details, refer to configure Defender for Storage.
Important
Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud pricing page. Malware scanning will also incur additional charges for other Azure services - Azure Storage read operations, Azure Storage blob indexing and Azure Event Grid notifications.
Enablement at scale with granular controls
Microsoft Defender for Storage enables you to secure your data at scale with granular controls. You can apply consistent security policies across all your storage accounts within a subscription or customize them for specific accounts to suit your business needs. You can also control your costs by choosing the level of protection you need for each resource. To get started, visit enable Defender for Storage.
Monitor your malware scanning cap
To ensure uninterrupted protection while effectively managing costs, there are two informational security alerts related to malware scanning cap usage. The first alert, Malware scanning will stop soon: 75% of monthly gigabytes scan cap reached (Preview)
, is triggered as your usage approaches 75% of the set monthly cap, offering a heads-up to adjust your cap if needed. The second alert, Malware scanning stopped: monthly gigabytes scan cap reached (Preview)
, notifies you when the cap is reached and scanning is paused for the month, potentially leaving new uploads unscanned. Both alerts come with details on affected storage accounts to facilitate prompt and informed action, ensuring you can maintain your desired level of security without unexpected expenses.
Understand the differences between malware scanning and hash reputation analysis
Defender for Storage offers two capabilities to detect malicious content uploaded to storage accounts: Malware scanning and hash reputation analysis.
Malware scanning
Malware scanning uses Microsoft Defender Antivirus (MDAV) to scan blobs uploaded to Blob storage, providing a comprehensive analysis that includes deep file scans and hash reputation analysis. This feature provides an enhanced level of detection against potential threats.
Malware scanning is a paid add-on feature available only on the new plan.
Hash reputation analysis
Hash reputation analysis detects potential malware in Blob storage and Azure Files by comparing the hash values of newly uploaded blobs and files with those of known malware from Microsoft Threat Intelligence. Not all file protocols and operation types are supported with this capability, leading to some operations not being monitored for potential malware uploads. Unsupported use cases include SMB file shares and when a blob is created using Put Block and Put blocklist. Hash reputation analysis is available in all plans.
In summary, malware scanning, available exclusively on the new plan for Blob storage, provides a more comprehensive approach to malware detection. It achieves this by analyzing the full content of files and incorporating hash reputation analysis into its scanning methodology.
Related content
- Enable Defender for Storage
- Check out common questions about Defender for Storage.