🛡️ Azure Subscription Microsoft Defender Security Alerts For Storage are configured🟢⚪

• Contextual name: 🛡️ Microsoft Defender Security Alerts For Storage are configured🟢⚪
• ID: /ce/ca/azure/subscription/microsoft-defender-for-storage-security-alerts
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Description

Open File

Description

After enabling Microsoft Defender for Storage, configure an alert monitoring and response process to ensure that alerts are actioned in a timely manner. Integrate with SIEM solutions like Microsoft Sentinel, or configure email/webhook notifications to security teams.

Rationale

Enabling Microsoft Defender for Storage without a monitoring process limits its value. Continuous monitoring and alert triage ensure that detected threats are acted upon quickly, reducing risk exposure.

Impact

Requires integration effort with SIEM or alerting tools and a defined incident response process.

The amount of data logged and, thus, the cost incurred can vary significantly depending on the tenant size and the applications in your tenant that interact with the Microsoft Graph APIs.

See the following pricing calculations for respective services:

• Log Analytics: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs#pricing-model.
• Azure Storage: https://azure.microsoft.com/en-us/pricing/details/storage/blobs/.

... see more

Remediation

Open File

Remediation

Connect Microsoft Defender for Cloud to a SIEM such as Microsoft Sentinel or another log analytics solution.

From Azure Portal

1. Go to Microsoft Defender for Cloud.
2. Under Management, click Environment Settings.
3. Expand the Tenant Root Group(s) to reveal subscriptions.

For each subscription listed:

1. Click the subscription name to open the Defender Plans settings
2. In the settings on the left, click Continuous Export
3. Select either Event Hub, Log Analytics Workspace, or both depending on your environment.
4. Set Export enabled to On
5. Under Exported data types, ensure that at least Security Alerts (Medium and High) is checked.
6. Under Export target, set the target Event Hub or Log Analytics Workspace which is tied to a SIEM that is configured to monitor and alert for security alerts.

Ensure security alerts are included in the security operations workflow and incident response plan.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 8.1.5.2 Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored (Manual)			1		no data
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration			29		no data