Microsoft Defender for Storage - the benefits and features - Microsoft Defender for Cloud (2023)

Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.

You can enable Microsoft Defender for Storage at either the subscription level (recommended) or the resource level.

Defender for Storage continually analyzes the telemetry stream generated by the Azure Blob Storage and Azure Files services. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud, together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations.

Analyzed telemetry of Azure Blob Storage includes operation types such as Get Blob, Put Blob, Get Container ACL, List Blobs, and Get Blob Properties. Examples of analyzed Azure Files operation types include Get File, Create File, List Files, Get File Properties, and Put Range.

Defender for Storage doesn't access the Storage account data and has no impact on its performance.

You can learn more by watching this video from the Defender for Cloud in the Field video series:

  • Defender for Storage in the field


Release state: General availability (GA)
Pricing: Microsoft Defender for Storage is billed as shown on the pricing page
Protected storage types:
  • Blob Storage (Standard/Premium StorageV2, Block Blobs)
  • Azure Files (over REST API and SMB)
  • Azure Data Lake Storage Gen2 (Standard/Premium accounts with hierarchical namespaces enabled)
Clouds:
  • Commercial clouds
  • Azure Government
  • Azure China 21Vianet
  • Connected AWS accounts

What are the benefits of Microsoft Defender for Storage?

Defender for Storage provides:

  • Azure-native security - With 1-click enablement, Defender for Storage protects data stored in Azure Blob, Azure Files, and Data Lakes. As an Azure-native service, Defender for Storage provides centralized security across all data assets that are managed by Azure and is integrated with other Azure security services such as Microsoft Sentinel.

  • Rich detection suite - Powered by Microsoft Threat Intelligence, the detections in Defender for Storage cover the top storage threats such as unauthenticated access, compromised credentials, social engineering attacks, data exfiltration, privilege abuse, and malicious content.

  • Response at scale - Defender for Cloud's automation tools make it easier to prevent and respond to identified threats. Learn more in Automate responses to Defender for Cloud triggers.

Security threats in cloud-based storage services

Microsoft security researchers have analyzed the attack surface of storage services. Storage accounts can be subject to data corruption, exposure of sensitive content, malicious content distribution, data exfiltration, unauthorized access, and more.

The potential security risks are described in the threat matrix for cloud-based storage services and are based on the MITRE ATT&CK® framework, a knowledge base for the tactics and techniques employed in cyber attacks.

What kind of alerts does Microsoft Defender for Storage provide?

Security alerts are triggered for the following scenarios (typically from 1-2 hours after the event):

Type of threat - Description

  • Unusual access to an account - For example, access from a TOR exit node, suspicious IP addresses, unusual applications, unusual locations, and anonymous access without authentication.

  • Unusual behavior in an account - Behavior that deviates from a learned baseline, such as a change of access permissions in an account, unusual access inspection, unusual data exploration, unusual deletion of blobs/files, or unusual data extraction.

  • Hash reputation based Malware detection - Detection of known malware based on full blob/file hash. This can help detect ransomware, viruses, spyware, and other malware uploaded to an account, prevent it from entering the organization, and spreading to more users and resources. See also Limitations of hash reputation analysis.

  • Unusual file uploads - Unusual cloud service packages and executable files that have been uploaded to an account.

  • Public visibility - Potential break-in attempts by scanning containers and pulling potentially sensitive data from publicly accessible containers.

  • Phishing campaigns - When content that's hosted on Azure Storage is identified as part of a phishing attack that's impacting Microsoft 365 users.

You can check out the full list of Microsoft Defender for Storage alerts.

Alerts include details of the incident that triggered them, and recommendations on how to investigate and remediate threats. Alerts can be exported to Microsoft Sentinel, to any third-party SIEM, or to any other external tool. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.


For a comprehensive list of all Defender for Storage alerts, see the alerts reference page. This is useful for workload owners who want to know what threats can be detected, and it helps SOC teams gain familiarity with detections before investigating them. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in Manage and respond to security alerts in Microsoft Defender for Cloud.

Explore security anomalies

When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:

  • The nature of the anomaly
  • The storage account name
  • The event time
  • The storage type
  • The potential causes
  • The investigation steps
  • The remediation steps

The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.

You can review and manage your current security alerts from Microsoft Defender for Cloud's Security alerts tile. Select an alert for details and actions for investigating the current threat and addressing future threats.

Limitations of hash reputation analysis

  • Hash reputation isn't deep file inspection - Microsoft Defender for Storage uses hash reputation analysis supported by Microsoft Threat Intelligence to determine whether an uploaded file is suspicious. The threat protection tools don't scan the uploaded files; rather they analyze the telemetry generated from the Blob Storage and Files services. Defender for Storage then compares the hashes of newly uploaded files with hashes of known viruses, trojans, spyware, and ransomware.

  • Hash reputation analysis isn't supported for all file protocols and operation types - Some, but not all, of the telemetry logs contain the hash value of the related blob or file. In some cases, the telemetry doesn't contain a hash value. As a result, some operations can't be monitored for known malware uploads. Examples of such unsupported use cases include SMB file-shares and when a blob is created using Put Block and Put Block List.
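
The two limitations above can be made concrete with a small coverage check. This is an added example, not Microsoft code: the event layout, the use of SHA-256, the sample paths and the reputation set are all constructed assumptions and do not reflect the Defender for Storage telemetry schema.

```python
import hashlib
from collections import Counter
from typing import NamedTuple, Optional


def digest(data: bytes) -> str:
    """Full-content hash; SHA-256 is an assumption made for this example."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a threat-intelligence hash set.
KNOWN_BAD = {digest(b"constructed-known-bad-sample")}


class Event(NamedTuple):
    protocol: str                 # "REST" or "SMB"
    operation: str                # operation type as named in the article
    path: str
    content_hash: Optional[str]   # None when the telemetry carries no hash


def classify(event: Event) -> str:
    """Hash reputation can only judge events that actually carry a hash."""
    if event.content_hash is None:
        return "no-hash"          # cannot be checked for known malware
    if event.content_hash in KNOWN_BAD:
        return "known-malware"
    return "no-match"             # unknown to the hash set, not proven clean


def coverage_report(events):
    """Return (paths with a known-bad hash, count of unmonitorable operations)."""
    verdicts = [(e, classify(e)) for e in events]
    hits = [e.path for e, v in verdicts if v == "known-malware"]
    blind = Counter((e.protocol, e.operation) for e, v in verdicts if v == "no-hash")
    return hits, dict(blind)


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    Event("REST", "Put Blob", "reports/q1.pdf", digest(b"constructed-benign-report")),
    Event("REST", "Put Blob", "uploads/invoice.exe", digest(b"constructed-known-bad-sample")),
    Event("REST", "Put Block", "backups/disk.vhd", None),
    Event("REST", "Put Block List", "backups/disk.vhd", None),
    Event("SMB", "Create File", "share/tools/setup.exe", None),
]

if __name__ == "__main__":
    print(coverage_report(SAMPLE_EVENTS))
```

The "no-hash" bucket lists the upload paths that hash reputation cannot cover, and "no-match" only means the hash is absent from the reputation set.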


When a file is suspected to contain malware, Defender for Cloud displays an alert and can optionally email the storage owner for approval to delete the suspicious file. To set up this automatic removal of files that hash reputation analysis indicates contain malware, deploy a workflow automation to trigger on alerts that contain "Potential malware uploaded to a storage account".

FAQ - Microsoft Defender for Storage

  • How do I estimate charges at the account level?
  • Can I exclude a specific Azure Storage account from a protected subscription?
  • How do I configure automatic responses for security alerts?

How do I estimate charges at the account level?

To optimize costs, you might want to exclude specific Storage accounts associated with high traffic from Defender for Storage protections. To get an estimate of Defender for Storage costs, use the Price Estimation Workbook in the Azure portal.

Can I exclude a specific Azure Storage account from a protected subscription?

To exclude a specific Storage account when Defender for Storage is enabled on a subscription, follow the instructions in Exclude a storage account from Microsoft Defender for Storage protections.

How do I configure automatic responses for security alerts?

Use workflow automation to trigger automatic responses to Defender for Cloud security alerts.

For example, you can set up automation to open tasks or tickets for specific personnel or teams in an external task management system.


Explore the automations available from the Defender for Cloud community pages: ServiceNow automation, Jira automation, Azure DevOps automation, Slack automation or build your own.

Use automation for automatic response: define your own, or use ready-made automation from the community (such as removing malicious files upon detection). For more solutions, visit the Microsoft community on GitHub.

Next steps

In this article, you learned about Microsoft Defender for Storage.

Enable Defender for Storage

Article information

Author: Tish Haag

Last Updated: 01/17/2023
