Microsoft Defender for Storage: Automating the Detection and Removal of Malicious Files

Amine Charot
6 min read · Sep 4, 2023


In the ever-evolving landscape of cybersecurity, safeguarding your data and ensuring the integrity of your digital assets is paramount. With the proliferation of cloud storage solutions, businesses and organizations are increasingly relying on services like Microsoft Azure for their data storage needs. However, as the digital realm expands, so do the threats that seek to compromise sensitive information. This is where Microsoft Defender for Storage steps in as your trusted guardian in the Azure-native realm of security intelligence.

Unveiling Microsoft Defender for Storage

Microsoft Defender for Storage is a formidable sentinel in the realm of Azure cloud security. Its primary mission is to detect potential threats to your storage accounts, thwarting them before they can wreak havoc. To fully grasp its significance, let’s delve into its core functionalities and how it contributes to the safeguarding of your digital assets.

1. Better Protection Against Malware

Malware is an ever-present threat in the digital world, and Defender for Storage takes this threat head-on. The Malware Scanning feature is your first line of defense against malicious files. It operates in near-real-time, ensuring that every uploaded blob is scrutinized thoroughly. The result? Fast and reliable malware detection that prevents your storage accounts from becoming unwitting entry points for threats. With this feature, you can trust that your digital assets remain untainted.

2. Improved Threat Detection and Sensitive Data Protection

Defender for Storage is not just about thwarting threats; it’s about doing it intelligently. The sensitive data threat detection capability is a game-changer in this regard. It empowers security professionals to prioritize and investigate security alerts based on the sensitivity of the data at risk. By honing in on the most critical risks, this capability significantly enhances threat detection and protection. It reduces the chances of data breaches by identifying exposure events and suspicious activities within resources housing sensitive data.

3. Detection of Entities Without Identities

In the digital realm, entities without identities can pose a significant risk. Defender for Storage is vigilant in detecting suspicious activities originating from entities lacking clear identities. These entities may access your data using misconfigured or overly permissive Shared Access Signatures (SAS tokens) that have leaked or been compromised. By identifying and addressing these anomalies, Defender for Storage bolsters security hygiene and reduces the risk of unauthorized access. This capability extends the purview of the Activity Monitoring security alerts suite.

4. Coverage of Top Cloud Storage Threats

Microsoft Defender for Storage leverages the formidable Microsoft Threat Intelligence, behavioral models, and machine learning to spot unusual and suspicious activities. As a result, it provides comprehensive security coverage against the most critical cloud storage threats. Whether it’s sensitive data exfiltration, data corruption, or malicious file uploads, Defender for Storage has you covered.

5. Comprehensive Security Without Enabling Logs

One of the standout features of Defender for Storage is its ability to provide comprehensive security without the need to enable diagnostic logs. When activated, it continuously analyzes both the data plane and control plane telemetry streams generated by Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. This means you get top-tier security without the hassle of enabling logs.

6. Frictionless Enablement at Scale

Deploying security solutions at scale can be a daunting task, but not with Microsoft Defender for Storage. It’s an agentless solution, which means it’s easy to deploy across your Azure environment. This frictionless enablement ensures that you can achieve security protection at scale without breaking a sweat. It seamlessly integrates with the native Azure ecosystem, making it a hassle-free choice for businesses of all sizes.

In this post we are going to focus on the Malware Scanning feature of Microsoft Defender for Storage.

Malware Scanning in Microsoft Defender

In the realm of cybersecurity, the battle against malware is unceasing. Malicious content can lurk within seemingly innocuous files, ready to compromise the security of your data. Microsoft Defender for Storage’s Malware Scanning feature is your stalwart guardian, standing vigil to ensure that your storage accounts remain impervious to such threats.

To read more, see: Malware scanning in Microsoft Defender for Storage — Microsoft Defender for Cloud | Microsoft Learn

Use case: Detect malicious files in Azure Storage Blobs and remove them

In the ever-advancing world of cybersecurity, swift and decisive action is essential to protect your digital assets. When it comes to malware detection in Azure Storage Blobs, detecting and removing malicious files is a crucial use case. Let’s explore how this process works to ensure the security of your data.

The Workflow for Malware Detection and Removal

  1. Malware Scanning with Microsoft Defender for Storage: Microsoft Defender for Storage, equipped with powerful malware scanning capabilities, continuously monitors your Azure Storage Blobs for potential threats. It identifies files that exhibit signs of malware or other malicious content.
  2. Immediate Detection: As soon as Defender for Storage identifies a file as malicious, it triggers an alert or notification. This alert signifies that a potential threat has been detected within your storage environment.
  3. Automation with Azure Logic Apps: To streamline the response to detected malware files, you can set up an Azure Logic App. This Logic App is configured to listen for alerts from Defender for Storage.
  4. Automated Removal: When the Logic App receives an alert indicating the presence of malware, it initiates an automated removal process. Instead of manually hunting down and deleting these files, the Logic App swiftly takes action to remove them from your Azure Storage Blobs.
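The post implements step 4 with a Logic App; the script below is an added example (not the author's Logic App or Bicep code) that shows the same decision logic in Python: take a Defender for Storage scan-result event, act only on a "Malicious" verdict, resolve the blob from its URI, and delete it. The event shape follows the `Microsoft.Security.MalwareScanningResult` Event Grid event as documented by Microsoft; the account, container and blob values in the sample are constructed, and the real deletion path assumes the `azure-storage-blob` and `azure-identity` packages.

```python
import json
from urllib.parse import urlparse, unquote

# Constructed sample event (not a real scan result); the field names follow the
# documented Defender for Storage malware-scanning Event Grid event.
SAMPLE_EVENT = json.dumps({
    "eventType": "Microsoft.Security.MalwareScanningResult",
    "subject": "storageAccounts/demoaccount/containers/maincontainer/blobs/EICAR.com",
    "data": {
        "blobUri": "https://demoaccount.blob.core.windows.net/maincontainer/EICAR.com",
        "scanResultType": "Malicious",
        "scanResultDetails": {"malwareNamesFound": ["Virus:DOS/EICAR_Test_File"]},
    },
})

def parse_blob_uri(blob_uri):
    """Split a blob URL into (account_url, container, blob_name)."""
    u = urlparse(blob_uri)
    container, _, blob = u.path.lstrip("/").partition("/")
    if not container or not blob:
        raise ValueError("not a blob URI: " + blob_uri)
    return f"{u.scheme}://{u.netloc}", container, unquote(blob)

def plan_action(event_json):
    """Return None for anything that is not a malicious verdict, else a delete plan."""
    event = json.loads(event_json)
    if event.get("eventType") != "Microsoft.Security.MalwareScanningResult":
        return None
    data = event["data"]
    if data.get("scanResultType") != "Malicious":
        return None  # "No threats found" (and unknown verdicts) are left untouched
    account_url, container, blob = parse_blob_uri(data["blobUri"])
    threats = data.get("scanResultDetails", {}).get("malwareNamesFound", [])
    return {"action": "delete", "account_url": account_url,
            "container": container, "blob": blob, "threats": threats}

def remediate(event_json, dry_run=True):
    """Apply the plan. With dry_run=False the blob is deleted through the Azure SDK;
    the caller's identity needs the Storage Blob Data Contributor role."""
    plan = plan_action(event_json)
    if plan is None or dry_run:
        return plan
    from azure.identity import DefaultAzureCredential   # assumed installed
    from azure.storage.blob import BlobClient
    BlobClient(plan["account_url"], plan["container"], plan["blob"],
               credential=DefaultAzureCredential()).delete_blob()
    plan["deleted"] = True
    return plan

if __name__ == "__main__":
    print(remediate(SAMPLE_EVENT))  # dry run: prints the plan without deleting
```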

How to achieve this technically?

First, we know we need three components:

  • Azure Storage Account
  • Azure Logic Apps
  • Microsoft Defender for Storage

Let’s start by deploying a storage account with one container:

  • mainContainer: the container that will hold our files

Then we need to enable the second component, Microsoft Defender for Storage:

After deploying, we get:

Now we need a Logic App: when malware is detected, it removes the blob, moving it to the threat container:

These Bicep files will:

  • Create the following Logic App with its connectors:
  • Create this workflow automation in Microsoft Defender for Cloud:

Let’s now put it all together and test our Proof of Concept. First, let’s create a harmless test file using the EICAR test string, saved as “EICAR.com”:

Once that is done, let’s upload it to our storage account:

Then the file is tagged as malicious:

And finally, the blob is removed by the triggered Logic App:

In conclusion, Microsoft Defender for Storage is the epitome of cutting-edge security in the Azure cloud. Its feature-rich arsenal ensures that your data remains shielded from malware, unauthorized access, and other digital threats. With its intelligent threat detection and protection mechanisms, it not only prevents breaches but also empowers security professionals to take swift action. Defender for Storage is a comprehensive security solution that doesn’t compromise on ease of use or scalability.

Embrace the power of Microsoft Defender for Storage and fortify your Azure storage accounts with the best-in-class security intelligence.
