You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/defender-for-cloud/defender-for-storage-data-sensitivity.md
+10-11Lines changed: 10 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,32 +15,31 @@ This is a configurable feature in the new Defender for Storage plan. You can cho
15
15
16
16
Learn more about [scope and limitations of sensitive data scanning](concept-data-security-posture-prepare.md).
17
17
18
-
## How does the Sensitive Data Discovery work?
18
+
## How does sensitive data discovery work?
19
19
20
-
Sensitive Data Threat Detection is powered by the Sensitive Data Discovery engine, an agentless engine that uses a smart sampling method to find resources with sensitive data.
20
+
Sensitive data threat detection is powered by the sensitive data discovery engine, an agentless engine that uses a smart sampling method to find resources with sensitive data.
21
21
22
22
The service is integrated with Microsoft Purview's sensitive information types (SITs) and classification labels, allowing seamless inheritance of your organization's sensitivity settings. This ensures that the detection and protection of sensitive data aligns with your established policies and procedures.
23
23
24
24
:::image type="content" source="media/defender-for-storage-data-sensitivity/data-sensitivity-cspm-storage.png" alt-text="Diagram showing how Defender CSPM and Defender for Storage combine to provide data-aware security.":::
25
25
26
-
Upon enablement, the Sensitive Data Discovery engine initiates an automatic scanning process across all supported storage accounts. Results are typically generated within 24 hours. Additionally, newly created storage accounts under protected subscriptions will be scanned within six hours of their creation. Recurring scans are scheduled to occur weekly after the enablement date. This is the same Sensitive Data Discovery engine used for sensitive data discovery in Defender CSPM.
26
+
Upon enablement, the engine initiates an automatic scanning process across all supported storage accounts. Results are typically generated within 24 hours. Additionally, newly created storage accounts under protected subscriptions are scanned within six hours of their creation. Recurring scans are scheduled to occur weekly after the enablement date. This is the same engine that Defender CSPM uses to discover sensitive data.
27
27
28
28
## Prerequisites
29
29
30
-
Sensitive data threat detection is available for Blob storage accounts, including: Standard general-purpose V1, Standard general-purpose V2, Azure Data Lake Storage Gen2 and Premium block blobs. Learn more about the [availability of Defender for Storage features](defender-for-storage-introduction.md#availability).
30
+
Sensitive data threat detection is available for Blob storage accounts, including: Standard general-purpose V1, Standard general-purpose V2, Azure Data Lake Storage Gen2, and Premium block blobs. Learn more about the [availability of Defender for Storage features](defender-for-storage-introduction.md#availability).
31
31
32
-
To enable sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions.
33
-
Learn more about the [roles and permissions](support-matrix-defender-for-storage.md) required for sensitive data threat detection.
32
+
To enable sensitive data threat detection at subscription and storage account levels, you need to have the relevant data-related permissions from the **Subscription owner** or **Storage account owner** roles. Learn more about the [roles and permissions required for sensitive data threat detection](support-matrix-defender-for-storage.md).
34
33
35
34
## Enabling sensitive data threat detection
36
35
37
-
Sensitive data threat detection is enabled by default when you enable Defender for Storage. You can [enable it or disable it](../storage/common/azure-defender-storage-configure.md) in the Azure portal or with other at-scale methods at no additional cost.
36
+
Sensitive data threat detection is enabled by default when you enable Defender for Storage. You can [enable it or disable it](../storage/common/azure-defender-storage-configure.md) in the Azure portal or with other at-scale methods. This feature is included in the price of Defender for Storage.
38
37
39
38
## Using the sensitivity context in the security alerts
40
39
41
-
Sensitive Data Threat Detection capability will help you to prioritize security incidents, allowing security teams to prioritize these incidents and respond on time. Defender for Storage alerts will include findings of sensitivity scanning and indications of operations that have been performed on resources containing sensitive data.
40
+
The sensitive data threat detection capability helps security teams identify and prioritize data security incidents for faster response times. Defender for Storage alerts include findings of sensitivity scanning and indications of operations that have been performed on resources containing sensitive data.
42
41
43
-
In the alert’s Extended Properties, you can find sensitivity scanning findings for a **blob container**:
42
+
In the alert’s extended properties, you can find sensitivity scanning findings for a **blob container**:
44
43
45
44
- Sensitivity scanning time UTC - when the last scan was performed
46
45
- Top sensitivity label - the most sensitive label found in the blob container
@@ -51,15 +50,15 @@ In the alert’s Extended Properties, you can find sensitivity scanning findings
51
50
52
51
## Integrate with the organizational sensitivity settings in Microsoft Purview (optional)
53
52
54
-
When you enable sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) default list of Microsoft Purview. This will affect the alerts you receive from Defender for Storage and storage or containers that are found to contain these SITs are marked as containing sensitive data.
53
+
When you enable sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. This will affect the alerts you receive from Defender for Storage: storage or containers that are found with these SITs are marked as containing sensitive data.
55
54
56
55
To customize the Data Sensitivity Discovery for your organization, you can [create custom sensitive information types (SITs)](/microsoft-365/compliance/create-a-custom-sensitive-information-type) and connect to your organizational settings with a single step integration. Learn more [here](episode-two.md).
57
56
58
57
You also can create and publish sensitivity labels for your tenant in Microsoft Purview with a scope that includes Items and Schematized data assets and Auto-labeling rules (recommended). Learn more about [sensitivity labels](/microsoft-365/compliance/sensitivity-labels) in Microsoft Purview.
59
58
60
59
## Next steps
61
60
62
-
In this article, you learned about Microsoft Defender for Storage.
61
+
In this article, you learned about Microsoft Defender for Storage's sensitive data scanning.
63
62
64
63
> [!div class="nextstepaction"]
65
64
> [Enable Defender for Storage](enable-enhanced-security.md)
0 commit comments