This chapter covers Microsoft Defender for Storage, a cloud-native security solution that protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage from threats like malware uploads, anomalous access patterns, and data exfiltration. For the SC-200 exam, this topic falls under Domain 3: Configure and Manage Security Operations, specifically objective 3.1: Configure and manage Microsoft Defender for Cloud. Expect approximately 5-10% of exam questions to touch on Defender for Storage, focusing on its capabilities, configuration, alert types, and integration with other Microsoft security services.
Imagine a bank vault that stores cash, documents, and valuables. The vault has multiple security layers: a reinforced door, a combination lock, a biometric scanner, and a security guard who monitors access logs. Microsoft Defender for Storage works like an intelligent security system for your Azure storage accounts. It continuously monitors all access attempts—like a guard watching who enters the vault. When someone tries to access a storage container (like a safe deposit box), the system checks their credentials (authentication) and inspects their behavior (like whether they are trying to open multiple boxes rapidly). If the system detects suspicious activity—such as an employee accessing files at 3 AM from an unusual location—it triggers an alert, just like the guard calling the police. Defender for Storage also scans uploaded files for malware, similar to a scanner that checks every package before it enters the vault. It integrates with Azure Sentinel (SIEM) to correlate events across the entire organization, just as a central security command center would coordinate multiple bank branches. The key is that Defender for Storage does not just log events; it actively analyzes patterns and responds in real time, blocking threats before they cause damage.
What is Microsoft Defender for Storage?
Microsoft Defender for Storage is a cloud-native security solution that provides advanced threat protection for Azure Storage accounts. It is part of Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender). It detects and mitigates threats such as:
Malware uploaded to storage containers
Unusual access patterns (e.g., from unfamiliar IP addresses)
Data exfiltration attempts
Potential phishing campaigns using storage as a hosting platform
It operates at the storage account level and can be enabled per subscription or per storage account.
How It Works Internally
Defender for Storage uses a combination of threat intelligence, behavioral analytics, and machine learning models to analyze telemetry from Azure Storage. The key components are:
1. Telemetry Collection: Azure Storage generates logs for every request (read, write, delete, list). These logs include metadata like source IP, user agent, authentication type, and blob properties. Defender for Storage ingests this telemetry in near real time.
2. Threat Detection: The system applies multiple detection models:
- Anomalous Access Detection: Learns baseline access patterns per user/account and flags deviations (e.g., access from a new geographic region, unusual volume of requests).
- Malware Detection: Scans uploaded files for known malware signatures using Microsoft's threat intelligence feeds. It does NOT perform deep content analysis; instead, it uses hash-based reputation and file metadata.
- Phishing Campaign Detection: Identifies storage containers used to host phishing pages by analyzing URL patterns, domain reputation, and file types.
- Data Exfiltration Detection: Monitors for large-scale downloads or unusual data transfer patterns.
3. Alert Generation: When a threat is detected, Defender for Storage generates a security alert in Microsoft Defender for Cloud. The alert includes:
- Alert name and severity (High, Medium, Low)
- Affected storage account and container
- Timestamp and description of the threat
- Recommended actions (e.g., block IP, review permissions)
4. Response Options: Alerts can be viewed in the Azure portal, exported to Azure Sentinel, or used to trigger automated responses via Azure Logic Apps (e.g., blocking the source IP via network security groups).
Key Components, Values, Defaults, and Timers
- Enablement: Defender for Storage can be enabled at the subscription level or per storage account. Subscription-level enablement applies to all existing and future storage accounts in that subscription.
- Pricing: $0.02 per GB of data stored per month (as of 2025). For Blob Storage, it is charged per 1 GB of data scanned for malware. For Azure Files, it is charged per 1 GB of data stored. Note: There is a free trial for the first 30 days.
- Alert Severity Levels:
  - High: Immediate threat (e.g., malware detected)
  - Medium: Suspicious activity (e.g., access from a Tor exit node)
  - Low: Informational (e.g., access from an uncommon IP)
- Data Retention: Alerts are retained for 90 days in Defender for Cloud.
- Malware Scanning: Only files up to 10 GB are scanned. Larger files are skipped. Scanning is triggered by PUT/POST requests; it does NOT scan existing files retroactively unless a scan is manually triggered.
- Supported Storage Types:
  - Azure Blob Storage (including Data Lake Storage Gen2)
  - Azure Files (via SMB or REST)
  - Azure Data Lake Storage Gen1 (via legacy support)
  - Unsupported: Azure Queue Storage, Azure Table Storage, Azure Managed Disks (use Defender for Servers instead).
Configuration and Verification Commands
You can enable Defender for Storage via Azure portal, PowerShell, Azure CLI, or ARM templates.
Azure CLI Example:
# Enables the Defender for Storage plan for the current subscription
az security pricing create --name StorageAccounts --tier Standard
PowerShell Example:
# Same subscription-level setting via the Az.Security module
Set-AzSecurityPricing -Name StorageAccounts -PricingTier Standard
Verification: To check if Defender for Storage is enabled:
az security pricing show --name StorageAccounts --query pricingTier -o tsv
If the pricing tier is 'Standard', Defender for Storage is enabled; 'Free' means it is off.
ARM Template Snippet:
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard"
  }
}
Interaction with Related Technologies
Azure Sentinel: Defender for Storage alerts can be streamed to Azure Sentinel for incident correlation and automated response. Use the 'SecurityAlert' data connector.
Azure Logic Apps: Create automated playbooks to respond to alerts, e.g., block source IP, isolate storage account, or notify security team.
Azure Policy: Enforce Defender for Storage enablement across subscriptions using built-in policies like 'Azure Defender for Storage should be enabled'.
Azure Key Vault: Defender for Storage does not directly integrate with Key Vault, but storage account keys stored in Key Vault can be rotated automatically via Logic Apps triggered by alerts.
Microsoft 365 Defender: Alerts from Defender for Storage can be correlated with other Microsoft 365 Defender signals (e.g., from Defender for Endpoint) in the unified security operations platform.
Exam-Relevant Details
- Alert Types: The SC-200 exam expects you to know specific alert names and their descriptions. Common alerts include:
  - 'Access from a Tor exit node to a storage account'
  - 'Malware uploaded to a storage account'
  - 'Unusual access pattern detected'
  - 'Potential phishing campaign hosted on a storage account'
- Default Behavior: Defender for Storage is not enabled by default. You must explicitly enable it.
- Malware Scanning: Only triggered on write operations (PUT/POST). Does not scan read operations or existing blobs.
- False Positives: The exam may ask about tuning alerts to reduce false positives. You can suppress alerts by configuring alert suppression rules in Defender for Cloud.
- Integration with Azure AD: Defender for Storage can distinguish between anonymous access and authenticated access. Alerts may include information about the identity if Azure AD authentication is used.
Step-by-Step: How a Malware Upload Alert is Generated
A user uploads a file to an Azure Blob Storage container via a PUT request.
Azure Storage logs the request with metadata (source IP, user agent, blob name, size).
Defender for Storage receives the log event and checks the file's hash against known malware signatures.
If the hash matches a known malware, an alert is generated with severity High.
The alert is visible in Microsoft Defender for Cloud under 'Security Alerts'.
The security analyst can investigate the alert, view the affected blob, and take action (e.g., delete the blob, block the source IP).
Optionally, an automated playbook can be triggered to quarantine the storage account or notify the security team.
Common Exam Traps
Trap 1: Choosing 'Enable Defender for Storage per container' – it is enabled per storage account or per subscription, not per container.
Trap 2: Believing that Defender for Storage scans all existing files when enabled – it only scans new uploads after enablement.
Trap 3: Confusing Defender for Storage with Azure Storage Analytics logging – Defender for Storage is an add-on security service, not just logging.
Trap 4: Thinking that Defender for Storage protects Azure Table Storage – it does not; it only supports Blob, Files, and Data Lake.
Enable Defender for Storage
Navigate to Microsoft Defender for Cloud in the Azure portal. Under 'Environment settings', select your subscription, then go to 'Defender plans'. Find 'Storage' and toggle it to 'On'. Alternatively, enable it per storage account via the storage account's 'Security' blade. This step activates the threat detection service for all storage accounts in the subscription (if done at subscription level) or for a single account. Once enabled, Defender for Storage starts collecting telemetry from storage logs and applying machine learning models to detect anomalies.
Telemetry Ingestion and Baseline Learning
After enablement, Defender for Storage begins ingesting log data from Azure Storage. For each request to the storage account (read, write, delete, list), the service captures metadata such as source IP, user agent, authentication type, blob name, and request volume. Over the first few days, it builds a baseline of normal behavior for each user, IP range, and storage account. This baseline is used to detect deviations. The learning period typically lasts 7 days, during which alerts may be less accurate.
Threat Detection and Alert Generation
Defender for Storage continuously compares incoming telemetry against its threat detection models. If an event matches a known threat pattern (e.g., a file hash matches a malware signature, or access from a Tor exit node), an alert is generated. The alert includes severity (High/Medium/Low), a description, affected resources, and recommended actions. Alerts are stored in Defender for Cloud and can be viewed in the portal or exported via API. The detection models are updated regularly with new threat intelligence from Microsoft.
Investigate and Respond to Alerts
Security analysts review alerts in the Defender for Cloud portal. For each alert, they can see the raw logs, affected blobs, and source IP. They can take actions such as deleting the malicious blob, blocking the IP address via a network security group, or rotating storage account keys. Alerts can also be integrated with Azure Sentinel for advanced investigation and automated response using playbooks. Common responses include isolating the storage account by changing firewall rules or triggering a Logic App to notify the security team.
Automate Response with Playbooks
To reduce manual effort, security teams can create automated response playbooks using Azure Logic Apps. For example, when a 'Malware uploaded' alert is generated, a playbook can automatically delete the blob, block the source IP for 24 hours, and send an email to the security team. Playbooks can be triggered from Defender for Cloud alerts via the 'Automated response' tab. This step ensures rapid containment of threats and is a key feature tested in the SC-200 exam.
Enterprise Scenario 1: Protecting a Healthcare Data Lake
A healthcare organization stores patient records in Azure Data Lake Storage Gen2. They enable Defender for Storage to detect unauthorized access and malware uploads. In production, they configure the service at the subscription level to cover all storage accounts. They integrate alerts with Azure Sentinel to correlate with other security events (e.g., user logins from unusual locations). One day, an alert fires for 'Access from a Tor exit node to a storage account'. The analyst investigates and finds that a legitimate researcher was using Tor for privacy. They suppress similar alerts for that user to reduce false positives. The key learning is to tune alert suppression rules after baseline establishment.
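The malware-alert flow in the step-by-step section above and the Tor-alert suppression in this scenario, as an added example that is not part of the course page or any Microsoft code: a small triage routine over alert records shaped like Sentinel's SecurityAlert rows (AlertName, AlertSeverity, and Entities carried as a JSON string). The sample alerts, the suppression rule and the playbook action names are constructed for illustration; note that an identity-scoped suppression never silences anonymous access.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Playbook actions this chapter pairs with each alert family (hypothetical names of our own).
PLAYBOOKS = {
    "Malware uploaded to a storage account": ["delete_blob", "block_source_ip", "notify_soc"],
    "Potential phishing campaign hosted on a storage account": ["delete_blob", "block_source_ip", "notify_soc"],
    "Access from a Tor exit node to a storage account": ["notify_soc"],
    "Unusual access pattern detected": ["notify_soc"],
}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

@dataclass
class SuppressionRule:
    # Silences one alert name for one known-benign identity (e.g. the Tor-using researcher).
    alert_name: str
    identity: str  # user@domain

@dataclass
class TriageResult:
    alert_name: str
    severity: str
    identity: Optional[str]  # None when the request was anonymous (no account entity)
    source_ip: Optional[str]
    suppressed: bool
    actions: List[str] = field(default_factory=list)

def _entities(record: dict) -> List[dict]:
    # In the SecurityAlert table, Entities is a JSON string rather than a nested object.
    return json.loads(record.get("Entities") or "[]")

def _identity(entities: List[dict]) -> Optional[str]:
    for e in entities:
        if e.get("Type") == "account" and e.get("Name"):
            suffix = e.get("UPNSuffix")
            return f"{e['Name']}@{suffix}" if suffix else e["Name"]
    return None

def triage(record: dict, rules: List[SuppressionRule]) -> TriageResult:
    name, sev = record["AlertName"], record["AlertSeverity"]
    ents = _entities(record)
    identity = _identity(ents)
    ip = next((e.get("Address") for e in ents if e.get("Type") == "ip"), None)
    # An identity-scoped rule never matches an anonymous request (identity is None), so
    # suppressing the researcher's Tor alerts does not silence anonymous Tor access.
    suppressed = identity is not None and any(
        r.alert_name == name and r.identity == identity for r in rules)
    actions = [] if suppressed else list(PLAYBOOKS.get(name, ["notify_soc"]))
    if not suppressed and SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK["High"]:
        actions.insert(0, "page_oncall")  # High severity means immediate action
    return TriageResult(name, sev, identity, ip, suppressed, actions)

def run_triage(records: List[dict], rules: List[SuppressionRule]) -> List[TriageResult]:
    return [triage(r, rules) for r in records]

# Constructed sample alerts: documentation IP ranges and a placeholder resource id.
SAMPLE_ALERTS = [
    {"AlertName": "Malware uploaded to a storage account", "AlertSeverity": "High",
     "Entities": json.dumps([{"Type": "ip", "Address": "203.0.113.10"},
                             {"Type": "azure-resource", "ResourceId": "<storage-account-resource-id>"}])},
    {"AlertName": "Access from a Tor exit node to a storage account", "AlertSeverity": "Medium",
     "Entities": json.dumps([{"Type": "ip", "Address": "198.51.100.7"},
                             {"Type": "account", "Name": "researcher", "UPNSuffix": "contoso.example"}])},
    {"AlertName": "Access from a Tor exit node to a storage account", "AlertSeverity": "Medium",
     "Entities": json.dumps([{"Type": "ip", "Address": "198.51.100.9"}])},  # anonymous access
]
SAMPLE_RULES = [SuppressionRule("Access from a Tor exit node to a storage account", "researcher@contoso.example")]

if __name__ == "__main__":
    for result in run_triage(SAMPLE_ALERTS, SAMPLE_RULES):
        print(result)
```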
Enterprise Scenario 2: E-commerce Platform with Public Blob Containers
An e-commerce company uses Azure Blob Storage to host product images. They have anonymous read access enabled for some containers. Defender for Storage detects a 'Potential phishing campaign hosted on a storage account' alert. Investigation reveals that a malicious actor uploaded a fake login page to a container. The analyst immediately deletes the blob and blocks the source IP. They also implement a playbook that automatically quarantines any blob with a .html extension that is uploaded anonymously. This scenario highlights the importance of monitoring public containers and using automated responses.
Common Misconfigurations and Pitfalls
Not enabling at subscription level: Enabling per storage account can lead to gaps if new accounts are created without enabling Defender. Always enable at subscription level for consistent coverage.
Ignoring alert severity: High severity alerts require immediate action; ignoring them can lead to data breaches. The exam tests understanding of severity levels.
Overlooking false positives: Without tuning, false positives can overwhelm analysts. Use alert suppression rules to filter out known benign activities.
Not integrating with Sentinel: Standalone alerts lack context. Integration with Sentinel provides a unified view of threats across the environment.
Performance and Scale Considerations
Defender for Storage processes logs from all enabled storage accounts. For high-volume storage accounts (e.g., millions of requests per day), there is minimal performance impact because the service runs asynchronously. However, malware scanning can add latency to upload operations (typically a few seconds). The 10 GB file size limit means large files are not scanned, which could be a blind spot. Organizations should use additional security measures for large files, such as custom malware scanning solutions.
What SC-200 Tests on This Topic
The SC-200 exam covers Microsoft Defender for Storage under objective 3.1: Configure and manage Microsoft Defender for Cloud. Specifically, you should know:
How to enable Defender for Storage (subscription vs. storage account level)
Supported storage types (Blob, Files, Data Lake Gen2; NOT Table or Queue)
Alert types and their severity
Malware scanning behavior (only on write, up to 10 GB)
Integration with Azure Sentinel and Logic Apps
Pricing model (per GB stored/scanned)
Common Wrong Answers and Why Candidates Choose Them
'Enable Defender for Storage per container' – Candidates think granularity is per container, but it is per storage account or subscription.
'Defender for Storage scans all existing blobs when enabled' – Candidates assume it works like antivirus scanning all files; reality is it only scans new uploads.
'Defender for Storage protects Azure Table Storage' – Candidates confuse it with general Azure Storage security; only Blob, Files, and Data Lake are supported.
'Malware scanning occurs on read operations' – Candidates think reading a file triggers a scan; only write operations (PUT/POST) trigger scanning.
Specific Numbers and Terms That Appear on the Exam
10 GB: Maximum file size for malware scanning.
30 days: Free trial period for Defender for Storage.
90 days: Alert retention period in Defender for Cloud.
$0.02 per GB: Pricing for Blob Storage malware scanning (per GB scanned).
7 days: Baseline learning period for anomaly detection.
Alert names: 'Access from a Tor exit node', 'Malware uploaded', 'Unusual access pattern', 'Potential phishing campaign'.
Edge Cases and Exceptions
Anonymous access: Defender for Storage can detect threats from anonymous users, but alerts may lack user identity information.
Data Lake Storage Gen1: Supported via legacy integration, but Gen2 is preferred.
Azure Files over SMB: SMB writes are logged like REST writes, so files uploaded via SMB can also trigger malware scanning; scanning is not limited to files written through the REST API.
Soft delete: If soft delete is enabled, deleted blobs are retained; Defender for Storage alerts may reference soft-deleted blobs.
How to Eliminate Wrong Answers Using the Underlying Mechanism
When you see a question about enabling Defender for Storage, remember that it is a subscription-level or storage-account-level setting. If an answer mentions 'container', it is wrong. If a question asks about scanning existing files, recall that scanning is only on write. If a question asks about supported storage types, eliminate options that include Table or Queue. By understanding the mechanism (telemetry ingestion, hash-based scanning, baseline learning), you can reason about what is technically possible and eliminate distractors.
Enable Defender for Storage at the subscription level to cover all storage accounts automatically.
Malware scanning is triggered on write operations (PUT/POST) and only for files up to 10 GB.
Supported storage types: Azure Blob, Azure Files, Azure Data Lake Storage Gen2. Not Table or Queue.
Alerts have severity levels: High, Medium, Low. High severity requires immediate action.
Integration with Azure Sentinel enables advanced incident correlation and automated response.
Pricing: $0.02 per GB scanned for Blob, $0.02 per GB stored for Files. Free trial for 30 days.
Defender for Storage does not scan existing blobs; only new uploads after enablement.
Baseline learning period is approximately 7 days; alerts may be less accurate during this time.
Alert suppression rules can reduce false positives by filtering out known benign activities.
Automated response playbooks can be created using Azure Logic Apps triggered by alerts.
These come up on the exam all the time. Here's how to tell them apart.
Defender for Storage (Blob)
Supports Blob Storage and Data Lake Storage Gen2
Malware scanning on write operations only
Pricing: $0.02 per GB scanned per month
Alerts for anomalous access, malware, phishing
Integrates with Azure Sentinel for SIEM
Defender for Storage (Files)
Supports Azure Files (SMB and REST)
Malware scanning on file uploads via SMB or REST
Pricing: $0.02 per GB stored per month
Alerts for anomalous access and malware
Same integration capabilities as Blob
Mistake: Defender for Storage scans all existing blobs when enabled.
Correct: Defender for Storage only scans blobs that are uploaded after enablement (write operations). It does not retroactively scan existing blobs unless a manual scan is triggered (which is not a standard feature).
Mistake: Defender for Storage can be enabled per container within a storage account.
Correct: Defender for Storage is enabled at the storage account level or subscription level. There is no per-container enablement. All containers in an enabled storage account are protected.
Mistake: Defender for Storage protects Azure Table Storage and Queue Storage.
Correct: Defender for Storage only supports Azure Blob Storage (including Data Lake Storage Gen2), Azure Files, and Azure Data Lake Storage Gen1. Table and Queue storage are not supported.
Mistake: Malware scanning occurs for all file sizes.
Correct: Malware scanning is only performed for files up to 10 GB. Files larger than 10 GB are not scanned and may pose a security risk.
Mistake: Defender for Storage is enabled by default for all Azure storage accounts.
Correct: Defender for Storage is not enabled by default. It must be explicitly enabled via the Azure portal, CLI, PowerShell, or ARM template.
To enable Defender for Storage for an entire subscription, navigate to Microsoft Defender for Cloud, go to 'Environment settings', select your subscription, then under 'Defender plans', toggle the 'Storage' plan to 'On'. This enables protection for all existing and future storage accounts in that subscription. You can also enable it per storage account via the storage account's 'Security' blade, but subscription-level is recommended for consistent coverage.
No, Defender for Storage only scans files that are uploaded after the service is enabled. It does not retroactively scan existing blobs or files. If you need to scan existing content, you would need to use a third-party malware scanning solution or manually re-upload the files. The exam tests this distinction: scanning is only on write operations.
Defender for Storage protects Azure Blob Storage (including Data Lake Storage Gen2), Azure Files (via SMB and REST), and Azure Data Lake Storage Gen1. It does NOT protect Azure Table Storage, Azure Queue Storage, or Azure Managed Disks. For managed disks, use Defender for Servers. This is a common exam trap—candidates often assume all storage types are covered.
The maximum file size for malware scanning is 10 GB. Files larger than 10 GB are not scanned and will not generate a malware alert. This limit is important for the exam—you may be asked about it in a scenario where a large file is uploaded and no alert is generated.
To integrate alerts, enable the 'Security Alert' data connector in Azure Sentinel. This connector ingests alerts from Microsoft Defender for Cloud, including Defender for Storage alerts. Once connected, you can create analytics rules, investigate incidents, and automate responses using playbooks. The integration is a key feature tested in the SC-200 exam.
Yes, you can create automated response playbooks using Azure Logic Apps. In Defender for Cloud, go to 'Automated response' and create a new playbook. For example, you can trigger a Logic App when a 'Malware uploaded' alert is generated to delete the blob, block the source IP, and notify the security team. This automation is a best practice and exam-relevant.
Pricing varies by storage type. For Blob Storage, it is $0.02 per GB of data scanned for malware per month. For Azure Files, it is $0.02 per GB of data stored per month. There is a free trial for the first 30 days. The exam may ask about pricing models or cost considerations.