In this article, I will show you how to protect Azure File Shares with Advanced Threat Protection (ATP), and finally, I will show you how to validate ATP for Azure Files detection in Azure Security Center.
Azure Security Center (ASC) gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center has two main value propositions:
- Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
- Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they are running in Azure, on-premises or in other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM) and storage accounts.
Advanced Threat Protection (ATP) for Azure Storage is one of the many Azure Security Center features that fall under the Cloud Workload Protection Platform (CWPP). It adds a layer of security intelligence on top of Azure storage accounts, and is something you should consider for every storage account.
Last year, Microsoft announced the GA release of Advanced Threat Protection for Azure storage accounts in Azure Security Center, which protected the Blob container service. Advanced Threat Protection (ATP) for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to address concerns about potential threats to your storage accounts as they occur, without needing to be a security expert.
The good news is that Microsoft just announced that you can also use Advanced Threat Protection for Azure Files (Azure File Shares) and Azure Data Lake Storage Gen2, in addition to the Blob container service. And guess what, this also protects your on-premises Azure File Sync deployment against malware. You can read more about the recent announcement here.
To follow this article, you need to have the following:
- Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
- Azure Security Center – Standard Tier enabled per subscription under the Pricing & Settings page for storage accounts as shown below.
- Azure storage account – To create a general-purpose storage account, follow the instructions described here.
Advanced Threat Protection (ATP) for storage accounts is part of the Azure Security Center standard tier. Please note that you can use the standard tier free for 30 days. After that, the price is $0.02/10K transactions. Now, what if you don’t want to enable ATP for all storage accounts in the scope of the subscription?
What you can do is the following: You can disable the standard tier plan for storage accounts on the subscription level under the Pricing & Settings page as shown below.
Then enable Advanced Threat Protection for the desired storage account individually under Settings | Advanced security as shown below. When you enable the option at the storage account level rather than at the subscription level, Security Center enables Advanced Threat Protection (ATP) only for that storage account.
Protect Azure Files with ATP
After creating an Azure storage account and enabling ATP for Storage accounts in Azure Security Center, please follow the steps below:
- Open the storage account that you created and go to File service | File shares.
- Click + File Share, and create a new file share by giving it an appropriate name and quota in GiB.
- In this example, I am using an Azure File Sync (AFS) deployment to sync to the Azure file share. You can follow this step-by-step guide to get started with AFS and extend on-premises file servers to the cloud.
Validate ATP for files detection
After creating an Azure file share as described in the previous section, and with ATP enabled for storage accounts in Azure Security Center, take the following steps:
- On the computer where Azure File sync agent is deployed, create a text file using Notepad and copy the following string into it: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- Save the text file with any name you want, such as EICAR, and make sure to change the file extension to “.com” instead of “.txt” as shown below.
- As a side note, the European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file, the “EICAR test file”, which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. This does not mean that the computer is infected with malware; it shows that the computer’s antivirus is functioning as expected.
- Next, copy the file to the sync folder on your file server. Please note that if you have Windows Defender enabled on your server, the virus & threat protection engine will detect that file and quarantine it before it is synced to the Azure file share, as shown below. So you might want to exclude that folder, for testing purposes only.
- If you are not using an Azure File Sync deployment, you can upload the file directly to the Azure file share using the Azure Portal as shown below.
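The enable-ATP, create-share and upload-test-file steps above, as an added Az PowerShell example that is not part of the original post. It assumes the Az.Security and Az.Storage modules are installed and uses placeholder resource group, account and share names that you need to replace.

```powershell
# Added example (not from the original post). Placeholders: $rg, $name, $share.
$rg    = 'rg-atp-demo'        # assumption: your resource group
$name  = 'stfilesatpdemo'     # assumption: your storage account
$share = 'atp-test'           # assumption: file share to create

Connect-AzAccount | Out-Null
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $name

# 1. Enable ATP on this storage account only (not the whole subscription)
#    and verify the setting before running the test.
Enable-AzSecurityAdvancedThreatProtection -ResourceId $sa.Id | Out-Null
$atp = Get-AzSecurityAdvancedThreatProtection -ResourceId $sa.Id
if (-not $atp.IsEnabled) { throw "ATP is not enabled on $name" }

# 2. Create the file share with a quota in GiB, as in the portal.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $name `
    -Name $share -QuotaGiB 100 | Out-Null

# 3. Write the EICAR test file. Single quotes stop PowerShell from expanding
#    '$EICAR' and '$H'; WriteAllText with ASCII writes no BOM and no trailing
#    newline, so the file is the standard 68-byte EICAR test file.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$local = Join-Path $env:TEMP 'eicar.com'
[System.IO.File]::WriteAllText($local, $eicar, [System.Text.Encoding]::ASCII)
# A local antivirus such as Windows Defender may quarantine this file as soon
# as it is written; see the note above about excluding the test folder.

# 4. Upload it straight to the share (the non-Azure-File-Sync path above).
Set-AzStorageFileContent -Context $sa.Context -ShareName $share `
    -Source $local -Path 'eicar.com' -Force

# Expected result: after some time, a Medium severity alert for this storage
# account appears under Security Center | Security alerts.
```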
At this point, you just need to wait for the advanced threat detection engine to kick in (which can take a little while; in my example, it took around 30 minutes, and I hope that Microsoft will improve the detection time). Once the detection takes place, a new alert with ‘Medium Severity’ will be generated in the Security Center | Security alerts dashboard, similar to the one below:
This alert also contains very useful information about the potential cause, related entities, and a threat report summary, which you can find on the right-hand side of the blade as shown below:
The alert will also be visible at the storage account level under Settings | Advanced security as shown below.
If you’ve already integrated Azure Security Center with Azure Monitor, then you will also receive a notification based on the action group that you specified. In my example, I am using email notification. You can find more details on how to integrate Azure Security Center with Azure Monitor here.
And if you are using the Workflow automation feature in Azure Security Center with a Logic App to post a message on Microsoft Teams, for example, then you will receive an alert in your team channel, similar to the one below:
That’s it, there you have it!
How it works…
At the time of this writing, the malware detection service of Advanced Threat Protection (ATP) for Azure Storage looks for known malware hashes. It does not, however, scan each individual file to detect malware. I hope this service will improve to scan each individual file.
I also hope that ATP will improve to not only detect malware but also include a ‘clean’ mechanism. I would like to see that a file was scanned and detected, and to see that the Azure file share is free of malware too.
What would you like to see next and how are you going to use advanced threat protection with ASC in your environment? You are welcome to share your thoughts in the comment section below.
Starting October 1, 2020, Microsoft will expand the resource protection of ATP for Storage beyond Azure Blob to include Azure Files and Azure Data Lake Storage (ADLS) Gen2. The charging rate will be $0.02 per 10,000 transactions.
For a single Azure Storage account, ATP for Storage can either be enabled or disabled. When enabled, ATP for Storage covers all available storage transactions within an account. So, for example, ATP for Storage can’t be enabled for blobs and disabled for file-shares in the same account.
To estimate your up-to-date ATP for Storage cost, you can check the number of transactions per day that were analyzed in the Storage account blade, under Advanced security, as shown below:
This information can help you to estimate the overall cost of this solution per storage account. For detailed information regarding the price of ATP for Storage, please see the official new pricing page.
In this article, you learned how to enable Advanced Threat Protection (ATP) for storage accounts in Azure Security Center to protect your file shares in Azure, as well as an Azure File Sync (AFS) deployment, whether it is deployed as an IaaS VM in Azure or on-premises for hybrid scenarios.
Advanced Threat Protection (ATP) for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts for blob containers. Besides the latest built-in security of Azure file shares and data lakes, advanced threat protection (ATP) for Azure Storage provides you with:
- World-class algorithms that learn, profile, and detect unusual or suspicious activity in your file shares beyond malware detection, such as:
- Access from an unusual location to a storage file share.
- An unusual amount of data extracted from a storage file share.
- Integration with Azure Sentinel for efficient threat investigation.
- Azure-native support for Azure Files with one click from the Azure portal and with no need to modify your application code.
Additional resources I highly encourage you to check:
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn how to enable file integrity monitoring for Windows and Linux Machines in Azure Security Center.
- Learn more about adaptive application controls in the official documentation from Microsoft.
- Learn how to export Azure Security Center Alerts and Recommendations.
- Workflow automation in Azure Security Center to automate your security response operations.
- Learn more about Azure Security Center in the official documentation from Microsoft.
- Learn how to protect Azure file shares against accidental deletion and malicious actors.
Thank you for reading my blog.