During Microsoft Ignite in November 2021, Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. They’ve also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
This article will show you how to protect Azure File Shares with Microsoft Defender for Storage, and how to validate Microsoft Defender for Azure Files detection in Azure Security Center.
Table of Contents
Azure Security Center (ASC) gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center has two main value propositions:
1) Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
2) Azure Defender / Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.
Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Azure Defender for servers
- Azure Defender for App Service
- Azure Defender for Storage
- Azure Defender for SQL
- Azure Defender for Kubernetes
- Azure Defender for container registries
- Azure Defender for Key Vault
- Azure Defender for Azure DNS
- Azure Defender for Resource Manager
Microsoft Defender (Advanced Threat Protection) for Azure Storage is one of the advanced protection that is included in Microsoft Defender for Cloud that falls under the Cloud Workload Protection Platform (CWPP) which is something you must consider for Azure storage accounts that provide an additional layer of security intelligence.
Last year, Microsoft announced the GA release of Advanced Threat Protection for Azure storage accounts in Azure Security Center that protect Blob Containers’ service. Advanced Threat Protection (ATP) for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. This layer of protection allows you to protect and address concerns about potential threats to your storage accounts as they occur, without needing to be a security expert.
The good news is, Microsoft just announced that you can also use Advanced Threat Protection for Azure Files, Azure File Shares, and Azure Data Lake Storage Gen2 in addition to blob containers service. And guess what, this also protects your Azure File Sync deployment on-premises against malware. You can read more about the recent announcement here.
To follow this article, you need to have the following:
1) Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2) Azure Security Center – Azure Defender enabled per subscription under the Pricing & Settings page for storage accounts as shown below.
3) Azure storage account – To create a general-purpose storage account, follow the instructions described here.
Adaptive Threat Protection (ATP) for storage accounts is part of Microsoft Defender for Cloud. Please note that you can use Microsoft Defender for Storage free for 30 days. After that, the price is $0.02/10K Transactions.
Now, what if you don’t want to enable Azure Defender for all storage accounts in the scope of the subscription?
What you can do is the following: You can disable Azure Defender for storage accounts on the subscription level under the Pricing & Settings page as shown below.
And then enable Advanced Threat Protection (Azure Defender for Storage) for the desired storage account individually under Settings | Security as shown below, because when you enable the option on the storage account level rather than on the subscription level, Security Center will enable Azure Defender for Storage for that storage account only.
Protect Azure Files with Azure Defender
After creating an Azure storage account and enabling ATP for Storage accounts in Azure Security Center, please follow the steps below:
1) Open the Storage account that you created, and under File service | File shares.
2) Click + File Share, and create a new file share by giving it an appropriate name and quota in GiB.
3) In this example, we are using an Azure File Sync (AFS) deployment to sync to Azure file share. You can follow this step-by-step guide to getting started with AFS and extending on-premises file servers to the cloud.
Validate Azure Defender for files detection
After creating an Azure file share as described in the previous section and enabling Microsoft Defender for Storage accounts in Microsoft Defender for Cloud, please take the following steps:
1) On the computer where the Azure File sync agent is deployed, create a text file using Notepad and copy the following string into it:
2) Save the text file with any name you want such as (EICAR) and make sure to change the file extension to “.com” instead of “.txt” as shown below.
3) As a side note, the European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.
4) Next, you want to copy the file to the sync folder on your file server. Please note that if you have Windows Defender enabled on your server, then the virus & threat protection engine will detect that file and quarantine it before it gets synced to the Azure file share as shown below. So you might want to exclude that folder for testing purposes only.
5) If you are not using Azure file sync deployment, you can upload the file directly to the Azure file share using the Azure Portal as shown below.
6) At this point, you just need to wait for the advanced threat detection engine to kick in (which can take a little while, in my example, it took around ~30 minutes, I hope that Microsoft will improve the detection time). Once the detection takes place, a new alert with ‘Medium Severity‘ will be generated in Security Center | Security alerts dashboard, similar to the one below:
This alert also contains very useful information about the potential cause, related entities, and threat report summary which you can find on the right-hand side of the blade as shown below:
The alert will be also visible at the storage account level under Settings | Advanced security as shown below.
If you’ve already integrated Azure Security Center with Azure Monitor, then you will also receive a notification based on the action group that you specified. In this example, we are using email notifications. You can find more details on how to integrate Azure Security Center with Azure Monitor here.
And if you are leveraging the Workflow automation feature in Azure Security Center with LogicApp to post a message on Microsoft Teams for example, then you will receive an alert in your team channel, similar to the one below:
That’s it there you have it!
How it works…
At the time of this writing, the malware detection service for Advanced Threat Detection (ATP) for Azure Storage looks for known malware hashes. It does not, however, scan each file to detect malware. We hope this service will improve to scan each file.
We hope also that ATP will improve to not only detect malware but also include a ‘clean‘ mechanism. We would like to see that a file is detected and was scanned and see that Azure file share is free of malware too.
What would you like to see next and how are you going to use advanced threat protection with Microsoft Defender for Storage in your environment? You are welcome to share your thoughts in the comment section below.
Starting October 1, 2020, Microsoft will expand the resource protection of ATP for Storage beyond Azure Blob to include Azure Files and Azure Data Lake Storage (ADLS) Gen2. The charging rate will be $0.02 per 10,000 transactions.
For a single Azure Storage account, ATP for Storage can either be enabled or disabled. When enabled, ATP for Storage covers all available storage transactions within an account. So, for example, ATP for Storage can’t be enabled for blobs and disabled for file shares in the same account.
To estimate your up-to-date ATP for Storage cost, you can verify the amount of transactions/day that were analyzed, is by using the Storage account blade, under Advanced Security, as shown in the figure below.
This information can help you to estimate the overall cost of this solution per storage account. For detailed information regarding the price of ATP for Storage, please see the official new pricing page.
In this article, you learned how to enable advanced threat protection (ATP) for storage accounts in Azure Security Center to protect your file shares in Azure, as well as for Azure File Sync (AFS) deployment whether is deployed as IaaS VM on Azure or on-premises for hybrid scenarios.
Advanced Threat Protection (ATP) for Azure Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts for blob containers. Besides the latest built-in security of Azure file shares and data lakes, advanced threat protection (ATP) for Azure Storage provides you with:
- World-class algorithms that learn, profile, and detect unusual or suspicious activity in your file shares not only for malware detection, such as:
- Access from an unusual location to a storage file share.
- Unusual amount of data extracted from a storage file share.
- Integration with Azure Sentinel for efficient threat investigation.
- Azure-native support for Azure Files with one click from the Azure portal and with no need to modify your application code.
Additional resources I highly encourage you to check:
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn how to enable file integrity monitoring for Windows and Linux Machines in Azure Security Center.
- Learn more about Adaptive application controls, check the official documentation from Microsoft.
- Learn how to export Azure Security Center Alerts and Recommendations.
- Workflow automation in Azure Security Center to automate your security response operations.
- Learn more about Azure Security Center, check the official documentation from Microsoft.
- Learn how to protect Azure file shares against accidental deletion and malicious actors.
Thank you for reading my blog.