Microsoft Defender for Storage is a service that detects threats against storage accounts. Within Microsoft Defender for Cloud (formerly Azure Security Center) it belongs to the group of plans that detect threats against resources. Besides Storage, plans are provided for resources such as the following.

Threats that Defender for Storage can detect include anomalous access to storage and the upload of malware files. For the full list of alerts it can raise, see the official documentation.

It is recommended to enable Defender for Storage from Defender for Cloud's environment settings, normally at the subscription level. A list of the resource types Defender can protect is displayed; turn on Storage. You can also confirm that Defender is enabled from the Security blade of the storage account.

Let's actually trigger a test alert and verify Defender for Storage. This time we'll try the alert raised by uploading the EICAR test file (a test file for anti-virus software) to Blob Storage. After a while, a security alert appears in the storage account's Security blade. The alert details are also shown in Defender for Cloud's Security alerts. For files suspected of containing the detected malware, you can also build a Logic Apps workflow that deletes them.

We enabled Defender for Storage and triggered a test alert. For the article trying out Defender for App Service, see here.

Overview of Microsoft Defender for Storage
Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.

You can enable Microsoft Defender for Storage at either the subscription level (recommended) or the resource level.

Defender for Storage continually analyzes the telemetry stream generated by the Azure Blob Storage and Azure Files services. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud, together with the details of the suspicious activity, the relevant investigation steps, remediation actions, and security recommendations.

Analyzed telemetry of Azure Blob Storage includes operation types such as

Defender for Storage doesn't access the storage account's data and has no impact on its performance.

A walkthrough is also available as a video in the Defender for Cloud in the Field video series.
Availability
What are the benefits of Microsoft Defender for Storage?
Defender for Storage provides:
Security threats in cloud-based storage services
Microsoft security researchers have analyzed the attack surface of storage services. Storage accounts can be subject to data corruption, exposure of sensitive content, malicious content distribution, data exfiltration, unauthorized access, and more. The potential security risks are described in the threat matrix for cloud-based storage services and are based on the MITRE ATT&CK® framework, a knowledge base of the tactics and techniques employed in cyber attacks.
What kind of alerts does Microsoft Defender for Storage provide?
Security alerts are triggered for the following scenarios (typically 1-2 hours after the event):
You can check out the full list of Microsoft Defender for Storage alerts. Alerts include details of the incident that triggered them and recommendations on how to investigate and remediate threats. Alerts can be exported to Microsoft Sentinel, any other third-party SIEM, or any other external tool. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.

Explore security anomalies
When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:
The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.
You can review and manage your current security alerts from Microsoft Defender for Cloud's Security alerts tile. Select an alert for details and actions for investigating the current threat and addressing future threats.
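The walkthrough at the top of this page (enable the plan for the subscription, upload the EICAR file, wait for the alert) and the alert review described here can be scripted with the Azure CLI. The script below is an added example, not code from the original post or from Microsoft. It runs in dry-run mode by default and only prints the az commands it would execute; the storage account and container names, the DRY_RUN and STORAGE_* variables, and the alert field names used in the --query filter are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Microsoft): reproduce the
# portal walkthrough with the Azure CLI. DRY_RUN=1 (default) prints the az
# commands instead of running them.
set -eu

# The public 68-byte EICAR test string. It is harmless; every AV engine and the
# Defender for Storage hash-reputation check flag it on purpose.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Write the EICAR file without a trailing newline and echo its byte count, so
# the caller can check that it is exactly the 68-byte signature.
write_eicar() {
  printf '%s' "$EICAR" > "$1"
  wc -c < "$1" | tr -d ' '
}

# SHA-256 of a file (sha256sum on Linux, shasum on macOS). The alert reports the
# blob's hash, so this lets you match the alert to this upload. Expected value
# for EICAR: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Enable Defender for Storage for the whole subscription (the recommended
# scope). "StorageAccounts" is the documented plan name for this CLI command.
enable_plan() {
  run az security pricing create --name StorageAccounts --tier standard
}

# Upload the sample to a container using the caller's Azure AD identity.
upload_sample() {
  local account="$1" container="$2" path="$3"
  run az storage blob upload --auth-mode login \
    --account-name "$account" --container-name "$container" \
    --name eicar.com --file "$path"
}

# List Defender for Cloud alerts whose compromised entity mentions the storage
# account. The field names in the JMESPath filter (compromisedEntity,
# alertDisplayName, timeGeneratedUtc, status) are assumed from the Security
# Alerts API; check them against `az security alert list` output on your CLI.
list_alerts() {
  local account="$1"
  run az security alert list \
    --query "[?contains(compromisedEntity, '$account')].{alert:alertDisplayName, when:timeGeneratedUtc, status:status}" \
    --output table
}

main() {
  # Assumed names; override with environment variables.
  local account="${STORAGE_ACCOUNT:-mystorageacct}"
  local container="${STORAGE_CONTAINER:-defender-test}"
  local path="${TMPDIR:-/tmp}/eicar.com"
  local size

  size="$(write_eicar "$path")"
  [ "$size" = 68 ] || { echo "unexpected EICAR size: $size" >&2; return 1; }
  echo "EICAR sha256: $(file_sha256 "$path")"

  enable_plan
  upload_sample "$account" "$container" "$path"
  # Alerts usually arrive 1-2 hours after the upload; re-run this step later.
  list_alerts "$account"
}

main
```

To run it for real, sign in with `az login` using an identity that can change the subscription's Defender pricing tier and write blobs to the container, then start it with `DRY_RUN=0 STORAGE_ACCOUNT=<account> STORAGE_CONTAINER=<container>`. The pricing call is idempotent, so it is safe on a subscription where the plan is already on. Because alerts are delayed by the 1-2 hours noted above, an empty alert table immediately after the upload is expected; rerun `list_alerts` later and compare the hash in the alert with the printed SHA-256 to confirm it refers to this upload.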
Limitations of hash reputation analysis
FAQ - Microsoft Defender for Storage
How do I estimate charges at the account level?
To optimize costs, you might want to exclude specific storage accounts with high traffic from Defender for Storage protections. To get an estimate of Defender for Storage costs, use the Price Estimation Workbook in the Azure portal.

Can I exclude a specific Azure Storage account from a protected subscription?
To exclude a specific storage account when Defender for Storage is enabled on a subscription, follow the instructions in Exclude a storage account from Microsoft Defender for Storage protections.

How do I configure automatic responses for security alerts?
Use workflow automation to trigger automatic responses to Defender for Cloud security alerts. For example, you can set up automation to open tasks or tickets for specific personnel or teams in an external task management system. You can define your own automatic responses or use ready-made automation from the community (such as removing malicious files upon detection). For more solutions, visit the Microsoft community on GitHub.

Next steps
In this article, you learned about Microsoft Defender for Storage.