Enable Azure Defender for Azure Storage Accounts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Ensure that the Azure Defender security feature is enabled for your Microsoft Azure Storage accounts. Azure Defender for Storage accounts is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your cloud storage accounts.

Security

By default, the security feature is disabled for your storage accounts. Enabling Azure Defender for Microsoft Azure Storage accounts allows for advanced security defense using threat detection capabilities provided by the Microsoft Security Response Center (MSRC). MSRC investigates all reports of security vulnerabilities affecting Microsoft products and services, including Azure cloud services.


Audit

To determine if the Azure Defender feature is enabled for your Azure cloud storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the blade navigation panel, under Management, choose Pricing & Settings.

04 On the Pricing & Settings page, click on the name of the Azure subscription that you want to examine, to access the Azure Security Center pricing and settings.

05 In the left navigation panel, under Settings, choose Azure Defender plans to view the Azure Defender pricing plans available for your subscription.

06 Select Azure Defender on to make sure that the security feature is enabled for the selected subscription, and check the Azure Defender pricing plan status for Storage, available in the Plan column. If the pricing plan status for Storage is set to Off, Azure Defender is not enabled for the Microsoft Azure Storage accounts created in the selected subscription.

07 Repeat steps no. 4 – 6 for each Azure subscription available within your cloud account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters to obtain an access token, then query the Microsoft.Security pricings REST API for the name of the Azure Defender pricing tier configured for Azure Storage accounts within the current subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2018-06-01"' | jq '.|.value[] | select(.name=="StorageAccounts")' | jq '.properties.pricingTier'

02 The command output should return the name of the configured pricing tier:

"Free"

If the account get-access-token command output does not return "Standard" for the name of the pricing tier, Azure Defender is not enabled for the Microsoft Azure Storage accounts created within the current subscription.

03 Repeat steps no. 1 and 2 for each Azure subscription available in your cloud account.

Remediation / Resolution

To enable Azure Defender for your Microsoft Azure Storage accounts, perform the following operations:

Note: Turning on Azure Defender in Azure Security Center (ASC) incurs an additional cost per resource.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the blade navigation panel, under Management, choose Pricing & Settings.

04 On the Pricing & Settings page, click on the name of the Azure cloud subscription that you want to access.

05 In the left navigation panel, under Settings, choose Azure Defender plans to view the Azure Defender pricing plans available for the selected subscription.

06 Select Azure Defender on to make sure that the security feature is enabled for your subscription, then choose On for the Storage pricing plan listed in the Plan column, to enable Azure Defender for Microsoft Azure Storage accounts. Choose Save from the blade main menu to apply the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Define the request body for the Microsoft.Security pricings API call run at the next step, which enables the Azure Defender pricing plan for Azure Storage accounts by setting the plan's pricing tier to "Standard". Replace the placeholder <azure-subscription-id> with your own Azure subscription ID and save the content to a JSON file named enable-defender-for-storage-accounts.json:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/pricings/StorageAccounts",
  "name": "StorageAccounts",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard"
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) to obtain an access token, then send a PUT request to the Microsoft.Security pricings REST API with the request body defined at the previous step (i.e. the enable-defender-for-storage-accounts.json file) to turn on Azure Defender for the Microsoft Azure Storage accounts available in the selected subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2018-06-01" -d@"enable-defender-for-storage-accounts.json"'

03 The command output should return the information available for the enabled pricing tier:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/pricings/StorageAccounts",
  "name": "StorageAccounts",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard",
    "freeTrialRemainingTime": "PT0S"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your cloud account.
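The Audit and Remediation CLI steps above both work on the JSON returned by the Microsoft.Security pricings REST API. As an added example (not part of this article and not Conformity's or Microsoft's code), the following Python applies the same "StorageAccounts tier must be Standard" check to the GET response of several subscriptions at once, builds the PUT body that enable-defender-for-storage-accounts.json contains for each failing subscription, and validates the PUT reply. The subscription IDs and response payloads are constructed placeholders, not captured from a tenant; the script makes no network calls.

```python
"""Offline evaluation of Microsoft.Security/pricings responses for the
StorageAccounts plan (added example; the subscription IDs and payloads below
are constructed, not captured from a real tenant)."""
import json
from typing import Dict, List, Optional, Tuple

API_VERSION = "2018-06-01"
PLAN_NAME = "StorageAccounts"
REQUIRED_TIER = "Standard"


def _plan(sub: str, name: str, tier: str) -> dict:
    """Build one pricing object in the shape the pricings API returns (constructed)."""
    return {
        "id": f"/subscriptions/{sub}/providers/Microsoft.Security/pricings/{name}",
        "name": name,
        "type": "Microsoft.Security/pricings",
        "properties": {"pricingTier": tier},
    }


# Constructed sample: subscription ID -> body of
# GET https://management.azure.com/subscriptions/<id>/providers/Microsoft.Security/pricings
SUB_FREE = "11111111-1111-1111-1111-111111111111"      # Storage plan on Free tier
SUB_STANDARD = "22222222-2222-2222-2222-222222222222"  # Storage plan on Standard tier
SUB_MISSING = "33333333-3333-3333-3333-333333333333"   # no StorageAccounts entry at all

SAMPLE_RESPONSES: Dict[str, dict] = {
    SUB_FREE: {"value": [_plan(SUB_FREE, "VirtualMachines", "Standard"),
                         _plan(SUB_FREE, PLAN_NAME, "Free")]},
    SUB_STANDARD: {"value": [_plan(SUB_STANDARD, PLAN_NAME, "Standard")]},
    SUB_MISSING: {"value": [_plan(SUB_MISSING, "SqlServers", "Standard")]},
}


def storage_pricing_tier(pricings_response: dict) -> Optional[str]:
    """Return the StorageAccounts pricingTier (the selection the article's jq
    filter performs), or None when the plan is absent from the response."""
    for plan in pricings_response.get("value", []):
        if plan.get("name") == PLAN_NAME:
            return plan.get("properties", {}).get("pricingTier")
    return None


def is_compliant(pricings_response: dict) -> bool:
    """Pass condition from the article: the tier must be exactly "Standard".
    A missing plan entry is treated as not enabled, i.e. a failure."""
    return storage_pricing_tier(pricings_response) == REQUIRED_TIER


def audit_subscriptions(responses: Dict[str, dict]) -> Dict[str, dict]:
    """Apply the check to every subscription (the 'repeat for each subscription' step)."""
    return {
        sub: {"tier": storage_pricing_tier(body), "compliant": is_compliant(body)}
        for sub, body in responses.items()
    }


def pricing_url(subscription_id: str) -> str:
    """Endpoint that the remediation PUT in the article targets."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Security/pricings/{PLAN_NAME}"
            f"?api-version={API_VERSION}")


def build_enable_body(subscription_id: str) -> dict:
    """Request body equivalent to enable-defender-for-storage-accounts.json."""
    return _plan(subscription_id, PLAN_NAME, REQUIRED_TIER)


def remediation_plan(responses: Dict[str, dict]) -> List[Tuple[str, dict]]:
    """(PUT URL, body) for each subscription that fails the check."""
    return [(pricing_url(sub), build_enable_body(sub))
            for sub, result in audit_subscriptions(responses).items()
            if not result["compliant"]]


def verify_put_response(put_response: dict) -> bool:
    """Check that the PUT reply shows the StorageAccounts plan on the Standard tier."""
    return (put_response.get("name") == PLAN_NAME
            and put_response.get("properties", {}).get("pricingTier") == REQUIRED_TIER)


if __name__ == "__main__":
    for sub, result in audit_subscriptions(SAMPLE_RESPONSES).items():
        print(f"{sub}: tier={result['tier']} compliant={result['compliant']}")
    for url, body in remediation_plan(SAMPLE_RESPONSES):
        print("PUT", url)
        print(json.dumps(body, indent=2))
```

One caveat the article's jq pipeline does not surface: when a subscription has no StorageAccounts entry in the pricings response, the pipeline prints nothing rather than a tier name, so a loop that only greps for "Free" would silently skip it. The evaluator above treats a missing entry the same as a non-Standard tier, which is the conservative reading of the check.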

Publication date Sep 20, 2021
