List of security threats and security alerts - Microsoft Defender for Cloud (2024)


Data security becomes a top priority as organizations shift data to cloud storage solutions like Azure Storage. This document outlines common security threats and risks associated with misconfigured settings and the security alerts Microsoft Defender for Storage provides to detect and respond to potential security threats.

Security threats in cloud-based storage services

Azure Storage is a widely used cloud storage solution, and like any cloud-based service, it is susceptible to various security threats. Common security threats in Azure Storage include:

  • Access token abuse and leakage
  • Lateral movement from compromised workloads
  • Compromised third-party partners with privileged permissions
  • Credential theft
  • Reconnaissance with search engines
  • Data collection by blob hunting
  • Insider threats with existing permissions

These threats can result in malware uploads, data corruption, and sensitive data exfiltration, posing significant risks.


In addition to security threats, configuration errors might inadvertently expose sensitive resources. Some common misconfiguration issues include:

  • Inadequate access controls and networking rules, leading to unintended data exposure on the internet
  • Insufficient authentication mechanisms
  • Lack of data encryption protocols for both data in transit and at rest

To minimize the risk of security breaches and configuration errors, security teams employ a combination of posture management tools and workload protection tools. These tools ensure that Azure Storage remains secure by providing visibility into early signs of breaches, helping prevent attacks, and maintaining secure configurations.

Microsoft security researchers have analyzed the attack surface of storage services. The potential security risks are described in the threat matrix for cloud-based storage services, which is based on the MITRE ATT&CK® framework, a knowledge base of the tactics and techniques employed in cyber-attacks.

What kind of security alerts does Microsoft Defender for Storage provide?

Tip

For a comprehensive list of all Defender for Storage alerts, see the alerts reference guide page. It is useful for workload owners who want to know which threats can be detected, and it helps SOC teams gain familiarity with the detections before investigating them. Learn more about Defender for Cloud security alerts and how to respond to them.

Security alerts are triggered in the following scenarios:

  • Malicious content upload: Malware Scanning scans every blob uploaded to your storage accounts. It detects ransomware, viruses, spyware, and other malware uploaded to the storage account, helping you prevent it from entering the organization and spreading. The classic malware hash analysis alert operates differently from Malware Scanning: it compares the uploaded blob/file hash with a list of known malicious hash signatures rather than analyzing the file contents for malware.
  • Sensitive data exposure event: Detection of an access level change allowing unauthenticated public access from the internet to blob containers with sensitive data.
  • Suspicious activities on resources with sensitive data: Detection of suspicious activities occurring on blob containers containing sensitive data.
  • Compromised, misconfigured and unusual authentication tokens: Detection of compromised SAS tokens used for data plane authentication and operations, and detection of unusual SAS tokens that can be generated by a malicious actor.
  • Data and permissions inspection: Detection of unusual exploration of the data and inspection of access permissions.
  • Data exfiltration: Detection of unusual extraction of data from storage accounts.
  • Data deletion: Detection of unusual deletions in storage accounts.
  • Blob-hunting attempts: Detection of collection attempts by scanning and enumerating resources for publicly exposed storage resources. Read more on how to detect, investigate and prevent blob-hunting.
  • Unusual access patterns: Detection of unusual access to storage accounts from unusual locations, applications, and with unusual authentication.
  • Suspicious access signatures: Detection of known suspicious IP addresses identified by Microsoft Threat Intelligence, known Tor exit nodes, and known suspicious applications.
  • Phishing campaigns: Detection of phishing content hosted on storage accounts and identified as part of a phishing attack impacting Microsoft 365 users.
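The "misconfigured and unusual authentication tokens" scenario above is about SAS tokens whose parameters are broader than they need to be. The following added example (not Microsoft's code) inspects a SAS URL from the defender's side and reports the settings a reviewer would flag; the parameter names (sv, se, sp, spr, sip, ss, srt, sig) are the documented SAS query parameters, while the 7-day lifetime policy and the sample URLs with fake signatures are assumptions constructed for this example.

```python
"""Flag SAS URL settings a defender would want to review.

Added example, not Microsoft's code. The lifetime threshold and the sample
URLs are constructed assumptions; the parameter names are the real SAS ones.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME = timedelta(days=7)   # assumed policy: SAS tokens should be short-lived
DESTRUCTIVE = set("wdcau")         # write, delete, create, add, update


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def sas_findings(url: str, now: datetime) -> list:
    """Return findings for one SAS URL; an empty list means nothing stood out."""
    p = parse_sas(url)
    if "sig" not in p or "sv" not in p:
        return ["not a SAS URL (missing sv or sig)"]
    out = []
    if "se" not in p:
        out.append("no expiry (se); lifetime depends on a stored access policy")
    elif utc(p["se"]) <= now:
        out.append("token already expired")
    elif utc(p["se"]) - now > MAX_LIFETIME:
        out.append(f"expiry {p['se']} exceeds the {MAX_LIFETIME.days}-day policy")
    if p.get("spr", "https,http") != "https":   # default permits plain HTTP
        out.append("plain HTTP permitted (spr is not 'https')")
    if "sip" not in p:
        out.append("no source IP restriction (sip)")
    if DESTRUCTIVE & set(p.get("sp", "")):
        out.append("grants write/delete-class permissions: sp=" + p["sp"])
    if p.get("srt") == "sco" and len(p.get("ss", "")) > 1:
        out.append("account SAS over services " + p["ss"] + " and all resource types")
    return out


# Constructed sample URLs with fake signatures; not real tokens.
RISKY_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2022-11-02&ss=bfqt"
             "&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z&spr=https,http&sig=FAKE")
TIGHT_SAS = ("https://examplestorage.blob.core.windows.net/reports/q1.csv?sv=2022-11-02"
             "&sr=b&sp=r&se=2024-01-02T00:00:00Z&spr=https&sip=203.0.113.10&sig=FAKE")
```

Running `sas_findings(RISKY_SAS, utc("2024-01-01T00:00:00Z"))` yields five findings (long lifetime, HTTP allowed, no IP restriction, write and delete permissions, account-wide scope), while the tightly scoped read-only URL yields none.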

Security alerts include details of the suspicious activity, relevant investigation steps, remediation actions, and security recommendations. Alerts can be exported to Microsoft Sentinel or any other third-party SIEM/XDR tool. Learn more about how to stream alerts to a SIEM, SOAR, or IT Service Management solution.

Understanding the differences between Malware Scanning and hash reputation analysis

Defender for Storage offers two capabilities to detect malicious content uploaded to storage accounts: Malware Scanning (paid add-on feature available only on the new plan) and hash reputation analysis (available in all plans).

Malware Scanning (paid add-on feature available only on the new plan)

Malware Scanning leverages Microsoft Defender Antivirus (MDAV) to scan blobs uploaded to Blob storage, providing a comprehensive analysis that includes deep file scans and hash reputation analysis. This feature provides an enhanced level of detection against potential threats.

Hash reputation analysis (available in all plans)

Hash reputation analysis detects potential malware in Blob storage and Azure Files by comparing the hash values of newly uploaded blobs/files against the hashes of known malware from Microsoft Threat Intelligence. Not all file protocols and operation types are supported by this capability, so some operations are not monitored for potential malware uploads. Unsupported use cases include SMB file shares and blobs created using Put Block and Put Block List.

In summary, Malware Scanning, which is only available on the new plan for Blob storage, offers a more comprehensive approach to malware detection by analyzing the full content of files and incorporating hash reputation analysis in its scanning methodology.
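To make the hash reputation model and its coverage gap concrete, here is an added example (not Microsoft's implementation) that runs a blocklist lookup over constructed upload events and marks the operation types the article lists as unsupported. The blocklist, blob contents and event shapes are all constructed; the `stage_blocks` helper shows that the individual blocks of a Put Block upload do not hash to the committed blob's hash, so a full-file hash lookup cannot simply be applied to the pieces.

```python
"""Hash reputation check over constructed blob uploads, including the
Put Block / Put Block List and SMB cases the article lists as unsupported.

Added example, not Microsoft's implementation. Hashes, blob contents and
event shapes are constructed for illustration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known malicious" sample and the blocklist built from it.
MALICIOUS = b"constructed-malicious-sample-v1"
BLOCKLIST = {sha256_hex(MALICIOUS)}

# Operation types the article says hash reputation analysis does not monitor
# (assumed event names; the real telemetry uses its own operation names).
UNMONITORED_OPS = {"PutBlockList", "SmbWrite"}


def hash_reputation(event: dict) -> str:
    """Return 'malicious', 'clean' or 'not_monitored' for one upload event."""
    if event["operation"] in UNMONITORED_OPS:
        return "not_monitored"
    return "malicious" if sha256_hex(event["content"]) in BLOCKLIST else "clean"


def stage_blocks(data: bytes, size: int) -> list:
    """Split content into blocks as a Put Block client would; return each block's hash."""
    return [sha256_hex(data[i:i + size]) for i in range(0, len(data), size)]


def evaluate(events: list) -> dict:
    """Map blob name to verdict, so unmonitored uploads are visible to the reviewer."""
    return {ev["name"]: hash_reputation(ev) for ev in events}


# Constructed upload events: same malicious bytes arriving via different operations.
EVENTS = [
    {"name": "report.pdf", "operation": "PutBlob", "content": b"quarterly numbers"},
    {"name": "tool.exe", "operation": "PutBlob", "content": MALICIOUS},
    {"name": "big.bin", "operation": "PutBlockList", "content": MALICIOUS},
    {"name": "share/doc.docx", "operation": "SmbWrite", "content": MALICIOUS},
]
```

Only `tool.exe` is flagged; `big.bin` and `share/doc.docx` carry identical bytes but fall outside the capability, which is the gap Malware Scanning on the new plan is meant to close.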

Next steps

In this article, you learned about Microsoft Defender for Storage.

Enable Defender for Storage
