last sync: 2023-Dec-04 18:38:36 UTC

Azure Policy definition

Microsoft Defender for Storage should be enabled

Source Azure Portal
Display name Microsoft Defender for Storage should be enabled
Id 640d2586-54d2-465f-877f-9ffc1d2109f4
Version 1.0.0
Details on versioning
Category Security Center
Microsoft Learn
Description Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (5)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Security/pricings/extensions[*] Microsoft.Security pricings properties.extensions[*] true
Microsoft.Security/pricings/extensions[*].isEnabled Microsoft.Security pricings properties.extensions[*].isEnabled true
Microsoft.Security/pricings/extensions[*].name Microsoft.Security pricings properties.extensions[*].name false
Microsoft.Security/pricings/pricingTier Microsoft.Security pricings properties.pricingTier false
Microsoft.Security/pricings/subPlan Microsoft.Security pricings properties.subPlan false
Rule resource types IF (1)
The following 5 compliance controls are associated with this Policy definition 'Microsoft Defender for Storage should be enabled' (640d2586-54d2-465f-877f-9ffc1d2109f4)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 DP-2 Azure_Security_Benchmark_v3.0_DP-2 Microsoft cloud security benchmark DP-2 Data Protection Monitor anomalies and threats targeting sensitive data Shared **Security Principle:** Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. **Azure Guidance:** Use Azure Information protection (AIP) to monitor the data that has been classified and labeled. Use Azure Defender for Storage, Azure Defender for SQL and Azure Cosmos DB to alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive data information. Note: If required for compliance of data loss prevention (DLP), you can use a host based DLP solution from Azure Marketplace or a Microsoft 365 DLP solution to enforce detective and/or preventative controls to prevent data exfiltration. **Implementation and additional context:** Enable Azure Defender for SQL: Enable Azure Defender for Storage: n/a link 7
Azure_Security_Benchmark_v3.0 IR-3 Azure_Security_Benchmark_v3.0_IR-3 Microsoft cloud security benchmark IR-3 Incident Response Detection and analysis - create incidents based on high-quality alerts Shared **Security Principle:** Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. **Azure Guidance:** Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion. **Implementation and additional context:** How to configure export: How to stream alerts into Azure Sentinel: n/a link 16
Azure_Security_Benchmark_v3.0 IR-5 Azure_Security_Benchmark_v3.0_IR-5 AMicrosoft cloud security benchmark IR-5 Incident Response Detection and analysis - prioritize incidents Shared **Security Principle:** Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization’s incident response plan. **Azure Guidance:** Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred. **Implementation and additional context:** Security alerts in Microsoft Defender for Cloud: Use tags to organize your Azure resources: n/a link 16
Azure_Security_Benchmark_v3.0 LT-1 Azure_Security_Benchmark_v3.0_LT-1 Microsoft cloud security benchmark LT-1 Logging and Threat Detection Enable threat detection capabilities Shared **Security Principle:** To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. **Azure Guidance:** Use the threat detection capability of Azure Defender services in Microsoft Defender for Cloud for the respective Azure services. For threat detection not included in Azure Defender services, refer to the Azure Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Extract the alerts to your Azure Monitor or Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Defender for IoT to inventory assets and detect threats and vulnerabilities. For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threats through Azure Sentinel. **Implementation and additional context:** Introduction to Azure Defender: Microsoft Defender for Cloud security alerts reference guide: Create custom analytics rules to detect threats: Cyber threat intelligence with Azure Sentinel: n/a link 19
Azure_Security_Benchmark_v3.0 LT-2 Azure_Security_Benchmark_v3.0_LT-2 Microsoft cloud security benchmark LT-2 Logging and Threat Detection Enable threat detection for identity and access management Shared **Security Principle:** Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted. **Azure Guidance:** Microsoft Entra ID provides the following logs that can be viewed in Microsoft Entra reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases: - Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities. - Audit logs: Provides traceability through logs for all changes done by various features within Microsoft Entra ID. Examples of audit logs include changes made to any resources within Microsoft Entra ID like adding or removing users, apps, groups, roles and policies. - Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. - Users flagged for risk: A risky user is an indicator for a user account that might have been compromised. Microsoft Entra ID also provides an Identity Protection module to detect, and remediate risks related to user accounts and sign-in behaviors. Examples risks include leaked credentials, sign-in from anonymous or malware linked IP addresses, password spray. The policies in the Microsoft Entra Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts. In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources. Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. **Implementation and additional context:** Audit activity reports in Microsoft Entra ID: Enable Azure Identity Protection: Threat protection in Microsoft Defender for Cloud: n/a link 18
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
Date/Time (UTC ymd) (i) Change type Change detail
2023-08-11 17:58:20 add 640d2586-54d2-465f-877f-9ffc1d2109f4
JSON compare n/a