Azure Defender PoC Series – Azure Defender for Storage

Published Jul 22 2021 02:00 PM 4,369 Views


This Azure Defender PoC Series provides guidelines on how to perform a proof of concept for a specific Azure Defender plan. For a more holistic approach where you need to validate Azure Security Center and Azure Defender, please read How to Effectively Perform an Azure Security Center PoC article. 


With the hybrid work model, more people and devices are now accessing corporate data via home networks, raising the risks of cyberattacks and elevating the importance of proper data protection. Data storage is one of the resources most targeted by attackers since they often hold critical business data and sensitive information.   

With the help of Azure Defender for Storage, you can benefit from advanced capabilities of Security AI and Microsoft threat intelligence, to detect and hunt for attacks. To learn more about Microsoft’s Threat Intelligence capabilities, be sure to read this article  



As part of your Azure Defender for Storage PoC you need to identify the use case scenarios that you want to validate. A common scenario is for the customers to identify if their Storage account has any access from suspicious IP address, or suspicious access patterns or even if there’s a malicious content upload or even to get alerted if a phishing content hosted on Storage accounts. In Azure Defender for Storage malware alert is based on hash reputation analysis. If you are interested to deep dive on how Azure Defender alerts customers upon the detection of malicious activities make sure you read this blog carefully. You can use the Alerts identified by Azure Defender for Storage as your starting point to plan which actions you want to execute.  


As of this writing, Azure Defender for Storage protects three storage types. Blob StorageAzure Files and Azure Data Lake Storage Gen2. You can enable Azure Defender for Storage at either the subscription level or resource level. However, It’s a best practice to configure on the subscription level, but you may also configure it on individual storage accounts 




You need at least Security Admin role to enable Azure Defender for Storage. For more information about roles and privileges, visit this article. If you are conducting this PoC in partnership with the SOC Team, make sure they are familiar with the alerts that may appear once you enable this plan. Review all alerts available at our Alerts Reference Guide.

You may need price estimation to share with your team to make sure it fits the team budget, and we have your back with number of super cool options. You may use Azure Pricing Calculator to figure out the pricing estimate. Furthermore, if you need to figure out how many transactions you are doing in your Storage Accounts in order to have a more accurate estimation, please use this workbook which would make it even easier to accomplish this task as the workbook provides you with Estimated price for 7days based on the number of transactions performed within that period and estimated monthly price takes those 7 days as sample and calculates it for a month. Make sure to read more about it in our blog


From the readiness perspective, make sure to review the following resources to better understand Azure Defender for Storage

Implementation and validation      

To test the Security alerts from Azure Defender for Storage follow the steps from here to trigger a test alert. Also, review this article that will go over the steps to simulate an upload of a test malware (EICAR) to an Azure Storage account that has ATP for Azure Storage enabled.


Whether an alert is generated by Azure Defender for Storage or received by Azure Defender from a different Microsoft security solution (MDE for example), you can also export it. To export your alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM. To investigate Azure Defender alerts using Azure Sentinel, make sure to check out this blog to understand how they operate in a better together scenario.


To understand how to remediate security alerts using Azure Defender, make sure you check out this chapter from SC-200 certification exam learning guide. You can also create an automatic response to a specific security alert using an ARM template, read more about it in our documentation.


Make sure to check out our Azure Security Center Github repository which gives you access to numerous sample security playbooks that will help you automate in remediating a recommendation.



By the end of this PoC you should be able to determine the value proposition of Azure Defender for Storage and the importance to have this level of threat detection to your workloads.


Stay tuned for more Azure Defender PoC Series!


P.S. Subscribe to our Azure Security Center and Azure Defender Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Azure Security Center news, announcements and get your questions answered by Azure Security experts.



Thank you to @Yuri Diogenes, Principal Program Manager in the CxE ASC Team for reviewing this article.

Frequent Visitor

Great article! Thank you so much.


Great article!

Version history
Last update:
‎Sep 23 2021 11:30 AM
Updated by: