This chapter covers Microsoft Defender for Storage, a cloud-native security solution that detects threats to Azure Blob Storage, Azure Files, and Azure Data Lake Storage. It is critical for the AZ-500 exam because questions on storage security, threat detection, and Defender plans appear in the 'Compute Security' domain (Objective 2.4) and typically account for 5-10% of the exam. You will learn how Defender for Storage works, how to configure it, and exactly what the exam tests—including common traps and specific alert types.
Imagine a high-security vault that stores thousands of valuable documents. The vault has motion sensors, cameras, and alarms. Normally, employees access documents via a controlled door with badge access. The motion sensors detect any unusual activity, like someone trying to pry open a window or access a document at 3 AM. When triggered, the sensors send a real-time alert to the security team, who can review camera footage and lock down the vault. Additionally, the vault has a 'honeypot' area: a fake cabinet with bait documents that, if touched, immediately triggers a high-priority alarm. This mirrors Defender for Storage: the storage account is the vault, the motion sensors are anomaly detection (e.g., unusual access patterns), the cameras are audit logs, and the honeypot is the deception feature. Defender for Storage continuously monitors blob, file, and queue storage for suspicious activities like anonymous access, malware uploads, or privilege escalation. When a threat is detected, it generates security alerts that can be integrated with Azure Sentinel or other SIEMs for automated response. Just as the vault's security team doesn't manually watch every sensor—they rely on automated alerts—Defender for Storage uses machine learning to reduce false positives and only alert on genuine threats.
What is Microsoft Defender for Storage?
Microsoft Defender for Storage is an Azure-native security intelligence layer that continuously monitors your storage accounts for threats. It is part of Microsoft Defender for Cloud (formerly Azure Security Center) and is available for Blob Storage, Azure Files, and Azure Data Lake Storage Gen2. The service uses machine learning and behavioral analytics to detect anomalies such as unusual access patterns, malware uploads, data exfiltration, and attempts to exploit storage vulnerabilities.
Why It Exists
Storage accounts are a prime target for attackers because they often contain sensitive data. Traditional security measures like network firewalls and access keys are insufficient against sophisticated attacks like credential theft, insider threats, or zero-day exploits. Defender for Storage provides an additional detection layer that can identify attacks in progress and enable automated responses.
How It Works Internally
Defender for Storage ingests telemetry from Azure Storage resource logs (formerly called storage logs). These logs capture each request to the storage account, including the caller IP, authentication type, resource accessed, and response status. The service processes this telemetry through machine learning models trained on global Azure traffic patterns. It looks for deviations from baseline behavior, such as:
Unusual geographic origins of requests
Sudden spikes in access volume
Access to a large number of blobs in a short period (potential data enumeration)
Attempts to use expired or revoked keys
Malicious file uploads (via integration with Microsoft Threat Intelligence)
When an anomaly is detected, Defender for Storage generates a security alert. The alert includes severity, description, recommended remediation steps, and links to the relevant storage account and logs. Alerts can be viewed in the Microsoft Defender for Cloud portal, sent to Azure Sentinel, or forwarded to a SIEM via continuous export.
Key Components and Defaults
- Pricing: Defender for Storage is billed per storage account per month. As of the exam, the cost is approximately $0.01 per GB of data stored per month for the first 250 TB, with tiered pricing above that. However, for the exam, remember that it is a per-account cost, not per-transaction.
- Supported Storage Types: Blob Storage (including Azure Data Lake Storage Gen2), Azure Files (preview at time of writing), and Queue Storage (preview). Table Storage is NOT supported.
- Alert Types: The exam expects you to recognize specific alert names. Key examples:
  - Access from a Tor exit node: An IP address known to be a Tor exit node accessed the storage account.
  - Access from an unusual location: A request originated from a geographic location not typically seen.
  - Anonymous access: A request used anonymous (public) access, whether or not the account is configured to allow it.
  - Potential malware uploaded: A file with characteristics of malware was uploaded (requires Microsoft Threat Intelligence).
  - Data exfiltration: An unusually large amount of data was downloaded.
  - Privilege escalation: An attempt to change permissions or access keys.
- Deception: Defender for Storage includes a deception capability that creates decoy storage accounts or containers to lure attackers. If an attacker interacts with these decoys, a high-severity alert is triggered.
Configuration and Verification
Defender for Storage is enabled at the subscription level or per storage account. To enable via the Azure portal:
1. Navigate to Microsoft Defender for Cloud > Environment settings > select your subscription > Defender plans.
2. Toggle 'Storage' to On.
3. You can also enable per storage account under 'Security' > 'Microsoft Defender for Cloud'.
To verify via Azure CLI:
az security pricing show --name 'StorageAccounts'
If the pricing tier is 'Standard', Defender is enabled.
To enable via PowerShell:
Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard'
To view alerts:
az security alert list
or in the portal: Microsoft Defender for Cloud > Security alerts.
Interaction with Related Technologies
Azure Sentinel: Defender for Storage alerts can be streamed to Sentinel for automated incident response. Sentinel provides advanced analytics and playbooks.
Azure Policy: You can enforce Defender for Storage on all storage accounts using Azure Policy. The built-in policy 'Microsoft Defender for Storage should be enabled' audits and remediates non-compliant accounts.
Azure Storage Firewalls and Virtual Networks: Defender for Storage complements network controls. Even if you restrict access to a VNet, internal threats (e.g., compromised VM) are still detected.
Azure Key Vault: Defender for Storage does not directly integrate with Key Vault, but using managed identities and RBAC reduces the attack surface compared to access keys.
Step-by-Step Technical Flow
Request arrives at the storage account endpoint.
Storage resource logs (if enabled) capture the request details: timestamp, caller IP, user agent, authentication method, resource URI, HTTP method, response status, bytes sent/received.
Logs are forwarded to Defender for Storage's backend (within 5-10 minutes).
Machine learning models analyze the log against baselines built over the past 30 days.
If anomaly detected, an alert is generated with severity (High, Medium, Low).
Alert is stored in Microsoft Defender for Cloud, visible in the portal and via API.
Optional integration: Alert can trigger an Azure Sentinel playbook (e.g., isolate the storage account via automation).
Exam Tips
Defender for Storage is NOT the same as Azure Storage Analytics logs (which are deprecated). Defender uses resource logs.
The exam may ask: 'Which Defender plan protects against malware uploads?' Answer: Defender for Storage (not Defender for Servers).
Remember that enabling Defender for Storage does NOT affect storage account performance; it only reads logs.
The deception feature is called 'honeypot' or 'decoy' in the exam context.
Alerts are retained for 90 days in Microsoft Defender for Cloud.
Enable resource logs for storage account
Before Defender for Storage can detect threats, you must enable diagnostic settings on the storage account to send resource logs to a Log Analytics workspace or to Azure Event Hubs. The logs capture all read, write, and delete operations. Without these logs, Defender cannot analyze activity. In the Azure portal, navigate to the storage account, select 'Diagnostic settings', add a setting, and select 'StorageRead', 'StorageWrite', and 'StorageDelete' categories. Optionally, also enable 'Transaction' logs for detailed per-request data. The logs are sent to a Log Analytics workspace where Defender for Storage accesses them. Note: if you enable Defender for Storage at the subscription level, it may automatically enable resource logs for existing storage accounts.
Machine learning baseline establishment
After logs start flowing, Defender for Storage begins building a behavioral baseline for each storage account. It observes normal patterns over a period of at least 30 days. The baseline includes typical request volumes, geographic origins of clients, time-of-day patterns, and types of operations (e.g., reads vs writes). For example, if a storage account is normally accessed from the US East region between 9 AM and 5 PM, any access from Europe at midnight will be flagged. The machine learning models are continuously updated to adapt to gradual changes. This baseline is account-specific; global patterns are also used to detect zero-day attacks.
Anomaly detection and alert generation
When a new request deviates from the baseline, Defender for Storage evaluates the anomaly against a set of rules. For instance, if a single IP address downloads 1000 blobs in 5 minutes, it may be flagged as data exfiltration. The detection logic considers multiple factors: the magnitude of deviation, the sensitivity of the accessed data, and whether the IP is known malicious (e.g., Tor exit nodes). If the anomaly score exceeds a threshold, an alert is generated with a severity level. High-severity alerts indicate immediate risk, while low-severity may be informational. Alerts include the specific storage account name, the suspicious IP, the time, and a recommendation (e.g., 'Review recent access logs and rotate keys').
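The baseline-then-rules flow described in the last three sections, as an added illustrative model that is not Microsoft's detection code: the resource-log field names, the Tor exit-node list, the log records, and the 1000-blobs-in-5-minutes threshold taken from the text are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a threat-intelligence feed of Tor exit nodes
# (documentation-range address, not a real node).
TOR_EXIT_NODES = {"198.51.100.7"}
EXFIL_BLOBS = 1000                   # blobs read from one IP ...
EXFIL_WINDOW = timedelta(minutes=5)  # ... within this window

def build_baseline(history):
    """Summarise normal behaviour from historical resource-log records:
    which client regions and which hours of the day have been seen."""
    return {
        "regions": {r["region"] for r in history},
        "hours": {datetime.fromisoformat(r["time"]).hour for r in history},
    }

def detect(records, baseline):
    """Score new records against the baseline and return a list of
    (alert_name, severity, caller_ip) tuples."""
    alerts = []
    reads = defaultdict(list)  # caller IP -> timestamps of successful GetBlob calls
    for r in records:
        ts, ip = datetime.fromisoformat(r["time"]), r["callerIp"]
        if ip in TOR_EXIT_NODES:
            alerts.append(("Access from a Tor exit node", "High", ip))
        if r["region"] not in baseline["regions"] or ts.hour not in baseline["hours"]:
            alerts.append(("Access from an unusual location", "Medium", ip))
        if r["authType"] == "Anonymous":
            alerts.append(("Anonymous access", "Medium", ip))
        if r["operation"] == "GetBlob" and r["status"] == 200:
            window = reads[ip]
            window.append(ts)
            while ts - window[0] > EXFIL_WINDOW:  # slide the 5-minute window
                window.pop(0)
            if len(window) == EXFIL_BLOBS:       # fire once, when the threshold is hit
                alerts.append(("Data exfiltration", "High", ip))
    return alerts

def record(time, ip, region, auth="SAS", op="GetBlob", status=200):
    """Build one constructed resource-log record with the fields used above."""
    return {"time": time, "callerIp": ip, "region": region,
            "authType": auth, "operation": op, "status": status}

# Constructed history: 30 days of business-hours access from one region.
HISTORY = [record(f"2024-03-{d:02d}T{h:02d}:00:00", "192.0.2.10", "US East")
           for d in range(1, 31) for h in range(9, 18)]

def run_example():
    """Replay a constructed day of traffic containing one of each anomaly."""
    base = datetime.fromisoformat("2024-03-31T10:10:00")
    new = [
        record("2024-03-31T00:30:00", "203.0.113.5", "Europe"),  # midnight, new region
        record("2024-03-31T10:00:00", "198.51.100.7", "US East",
               auth="AccountKey", op="ListBlobs"),               # Tor exit node
        record("2024-03-31T10:05:00", "192.0.2.9", "US East",
               auth="Anonymous"),                                # public access
    ]
    # One client pulling 1000 blobs in about three and a half minutes.
    new += [record((base + timedelta(milliseconds=200 * i)).isoformat(),
                   "192.0.2.44", "US East") for i in range(EXFIL_BLOBS)]
    return detect(new, build_baseline(HISTORY))

if __name__ == "__main__":
    for name, severity, ip in run_example():
        print(f"{severity:6} {name} (caller {ip})")
```

The real service also weighs data sensitivity and global patterns, which this model leaves out; the point is that every alert is a deviation from a learned baseline plus a known-bad indicator, never a block.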
Alert ingestion and response
Alerts appear in Microsoft Defender for Cloud under 'Security alerts'. You can view details, investigate, and dismiss or suppress alerts. For automated response, configure a playbook in Azure Sentinel or use Logic Apps. For example, a playbook could automatically revoke the SAS token of the suspicious IP, or trigger a function to move the storage account to a restricted network. The exam expects you to know that you can integrate with Sentinel for SOAR (Security Orchestration, Automation, and Response). Additionally, alerts can be exported to third-party SIEMs via continuous export to Event Hubs.
Deception (honeypot) activation
Defender for Storage can deploy decoy storage accounts in the same subscription. These decoys mimic real storage accounts but contain fake data. If an attacker enumerates resources (e.g., via Azure Resource Manager) and discovers the decoy, any interaction triggers a high-severity alert. The decoy accounts are managed by Microsoft and are invisible in the portal to legitimate users. This feature helps detect reconnaissance and lateral movement. For the exam, remember that deception is an optional feature enabled under Defender for Storage settings, and it does not incur additional cost beyond the Defender plan.
Enterprise Scenario 1: Financial Services Company
A large bank uses Azure Blob Storage to store customer transaction records. They must comply with PCI DSS and GDPR. The security team enables Defender for Storage on all storage accounts. One day, an alert fires: 'Access from a Tor exit node'. Investigation reveals that an employee's credentials were phished and the attacker used Tor to anonymize access. The security team immediately rotates the storage account keys and enables conditional access policies to block Tor exit nodes. Without Defender, the exfiltration might have gone unnoticed for weeks. In production, they also integrate alerts with Azure Sentinel to automatically trigger a playbook that revokes all SAS tokens and notifies the incident response team. Key consideration: they had to enable resource logs for all accounts, which increased log storage costs, but this was outweighed by the security benefit.
Enterprise Scenario 2: Healthcare Provider
A hospital stores patient medical images in Azure Data Lake Storage Gen2. They enable Defender for Storage and configure the deception feature. An attacker gains access to the subscription via a compromised service principal. The attacker lists storage accounts and finds a decoy account. They attempt to download files, triggering a high-severity alert. The security team is notified and isolates the compromised service principal. Without the decoy, the attacker might have accessed real patient data. In this deployment, they also use Azure Policy to enforce Defender for Storage on all new storage accounts. A common issue they faced was false positives from legitimate backup processes that accessed many blobs at once. They tuned the alert threshold by excluding specific IP ranges or operations via custom alert rules (available in preview).
Scenario 3: E-commerce Platform
An online retailer uses Azure Files for shared application configuration. They enable Defender for Storage. An alert detects 'Anonymous access' even though the storage account is configured to deny anonymous access. Investigation reveals a misconfiguration: a container had public access enabled. The alert allowed them to quickly remediate. In production, they also use Defender for Storage to detect malware uploads when customers upload profile pictures. If a file matches known malware signatures, the upload is blocked (if using Azure Firewall or WAF) or alerted. They learned that Defender for Storage does not automatically block malware; it only alerts. To block, they use Azure Functions or Logic Apps to delete the blob upon alert. Performance impact is negligible because Defender only reads logs.
What AZ-500 Tests on This Topic
The exam objectives under 'Compute Security' (2.4) include: 'Implement security for storage accounts', which covers threat detection. Specifically, you must know:
How to enable Microsoft Defender for Storage (subscription vs account level)
Which storage types are supported (Blob, Files, Queue; NOT Table)
Alert types: Tor exit node, unusual location, anonymous access, malware upload, data exfiltration, privilege escalation
Integration with Azure Sentinel and Logic Apps
Deception (honeypot) feature
Azure Policy to enforce Defender
Common Wrong Answers and Why Candidates Choose Them
Wrong answer: 'Defender for Storage can block malware uploads automatically.' Why chosen: Candidates confuse detection with prevention. Reality: Defender only alerts; blocking requires custom automation.
Wrong answer: 'Defender for Storage supports Table Storage.' Why chosen: Table storage is a common Azure storage type, but Defender does not support it. The exam explicitly tests this.
Wrong answer: 'Enabling Defender for Storage requires turning on advanced threat protection for each storage account individually.' Why chosen: Candidates miss that you can enable at subscription level to cover all accounts.
Wrong answer: 'Defender for Storage uses Azure Security Center's standard tier.' Why chosen: Older name. Now it's Microsoft Defender for Cloud, and Defender for Storage is a plan within it.
Specific Numbers and Terms
Defender for Storage alerts are retained for 90 days.
Baseline period: 30 days.
Pricing: per storage account per month (not per GB or per transaction).
Supported regions: all Azure public regions.
Deception: called 'decoy storage accounts' in the portal.
Edge Cases and Exceptions
If resource logs are not enabled, Defender for Storage cannot detect threats. The exam may ask: 'What prerequisite must be met?' Answer: Enable diagnostic settings to send resource logs to a Log Analytics workspace.
Defender for Storage does not protect against data corruption or ransomware that encrypts blobs using valid credentials. It can detect unusual deletion patterns, but not encryption.
The service is not available in Azure Government or China clouds by default (check current status).
How to Eliminate Wrong Answers
If an answer says 'automatically blocks', it's wrong unless it mentions custom automation.
If an answer says 'supports all storage types', it's wrong; Table is excluded.
If an answer says 'requires per-account configuration', check if subscription-level enablement is possible.
If an answer mentions 'Azure Security Center', it's outdated; use 'Microsoft Defender for Cloud'.
Microsoft Defender for Storage is a detection-only service for Azure Blob, Files, and Queue Storage.
Enable at subscription level via Microsoft Defender for Cloud to cover all storage accounts.
Resource logs must be enabled and sent to a Log Analytics workspace for Defender to function.
Key alert types: Tor exit node, unusual location, anonymous access, malware upload, data exfiltration, privilege escalation.
Defender for Storage does NOT support Table Storage.
Alerts are retained for 90 days in Microsoft Defender for Cloud.
Deception (honeypot) feature creates decoy storage accounts to lure attackers.
Integration with Azure Sentinel enables automated response via playbooks.
Use Azure Policy to enforce Defender for Storage on all storage accounts.
Baseline establishment takes approximately 30 days of log data.
These come up on the exam all the time. Here's how to tell them apart.
Defender for Storage
Detects threats via behavioral analytics and ML
Generates security alerts for anomalous activity
Supports Blob, Files, and Queue (preview)
Requires resource logs enabled
Cost per storage account per month
Azure Storage Firewalls and Virtual Networks
Restricts network access to storage account
Blocks traffic from unauthorized IPs or VNets
Applies to all storage services (including Table)
No additional cost (part of storage account)
Does not detect threats; only prevents access
Mistake
Defender for Storage automatically blocks malicious activities.
Correct
Defender for Storage is a detection-only service. It generates alerts but does not automatically block actions. To block, you must configure automated responses via Azure Sentinel, Logic Apps, or custom scripts. For example, a Logic App can automatically revoke SAS tokens when a high-severity alert fires.
Mistake
Defender for Storage protects all Azure storage services including Table storage.
Correct
Defender for Storage currently supports Blob Storage (including Data Lake Storage Gen2), Azure Files, and Queue Storage (preview). Table Storage is not supported. If you need threat detection for Table Storage, you must use alternative methods such as custom log analytics.
Mistake
You must enable Defender for Storage on each storage account individually.
Correct
You can enable Defender for Storage at the subscription level, which automatically enables it for all existing and future storage accounts in that subscription. Individual account-level enablement is also possible but is not required. The subscription-level approach is recommended for consistent coverage.
Mistake
Defender for Storage uses storage analytics logs (deprecated).
Correct
Defender for Storage uses Azure resource logs (diagnostic settings), not the deprecated storage analytics logs. Resource logs provide more detailed telemetry and are required for Defender to function. Storage analytics logs (metrics and logs under the 'Monitoring' blade) are legacy and not used by Defender.
Mistake
Defender for Storage can detect ransomware encryption in real time.
Correct
Defender for Storage can detect unusual patterns such as mass deletion or modification of blobs, which may indicate ransomware activity. However, it cannot detect encryption itself because encryption happens client-side. It alerts on the anomalous behavior, not on the encryption algorithm. You need additional tools like Azure Backup or file integrity monitoring for recovery.
Azure Storage Analytics (deprecated) provided metrics and logs for storage accounts but did not include threat detection. Microsoft Defender for Storage uses resource logs and machine learning to detect anomalies and generate security alerts. Storage Analytics is legacy; Defender is the modern replacement for security monitoring. You should use diagnostic settings (resource logs) instead of Storage Analytics logs.
Yes, Defender for Storage supports Azure Data Lake Storage Gen2, which is built on Blob Storage. It provides the same threat detection capabilities for Data Lake Storage Gen2 accounts. Note that Data Lake Storage Gen1 is not supported (it is a separate service).
Defender for Storage can detect behavioral patterns associated with ransomware, such as mass file deletion or modification, but it cannot detect encryption itself. If an attacker encrypts blobs with valid credentials, Defender may alert on the unusual volume of write operations. However, it does not provide ransomware prevention or recovery. For recovery, use Azure Backup or snapshots.
Use the built-in policy 'Microsoft Defender for Storage should be enabled'. Assign it at the subscription or management group level. The policy audits storage accounts that do not have Defender enabled and can automatically remediate by enabling it (if the 'DeployIfNotExists' effect is used). This ensures all current and future storage accounts are covered.
If resource logs are disabled, Defender for Storage will no longer receive telemetry and will stop generating alerts. You will not be billed for Defender for Storage on that account (or you will be billed but with no functionality). To maintain protection, keep diagnostic settings enabled for the storage account.
Yes, Defender for Storage analyzes all requests, including those using SAS tokens. It can detect anomalous usage of SAS tokens, such as a token used from an unusual IP or at an unusual time. However, it does not differentiate between SAS types (service vs account). If a SAS token is compromised, Defender may alert on the suspicious activity.
Microsoft Defender for Cloud offers a 30-day free trial for all Defender plans, including Defender for Storage. During the trial, you get full functionality without cost. After the trial, you must enable billing for each storage account. The exam may ask about the trial period.