
Commit ff397ac

Merge pull request #185016 from memildin/mdfc-melvyn-md4storageintro
Rewritten Defender for Storage docs
2 parents 624e4d0 + 79cd2f6 commit ff397ac

12 files changed

+233
-42
lines changed

.openpublishing.redirection.defender-for-cloud.json

Lines changed: 15 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -10,6 +10,21 @@
1010
"redirect_url": "/azure/defender-for-cloud/upcoming-changes",
1111
"redirect_document_id": false
1212
},
13+
{
14+
"source_path_from_root": "/articles/security-center/policy-reference.md",
15+
"redirect_url": "/azure/defender-for-cloud/policy-reference",
16+
"redirect_document_id": false
17+
},
18+
{
19+
"source_path_from_root": "/articles/security-center/security-center-policy-definitions.md",
20+
"redirect_url": "/azure/defender-for-cloud/policy-reference",
21+
"redirect_document_id": false
22+
},
23+
{
24+
"source_path_from_root": "/articles/defender-for-cloud/defender-for-storage-introduction.md#what-is-hash-reputation-analysis-for-malware",
25+
"redirect_url": "/azure/defender-for-cloud/defender-for-storage-introduction#what-kind-of-alerts-does-microsoft-defender-for-storage-provide",
26+
"redirect_document_id": false
27+
},
1328
{
1429
"source_path_from_root": "/articles/security-center/release-notes-archive.md",
1530
"redirect_url": "/azure/defender-for-cloud/release-notes-archive",
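Review bot: the third added entry uses a source_path_from_root that ends in a URL fragment (`/articles/defender-for-cloud/defender-for-storage-introduction.md#what-is-hash-reputation-analysis-for-malware`); browsers never send the fragment to the server, so a server-side redirect keyed on this path cannot match a request for the old anchor, and the file-level redirect for the introduction page is what would actually fire. Confirm the redirection tooling supports fragment-specific sources; otherwise drop this entry and rely on in-page link fixes like the one made in alerts-reference.md in this same commit. Also check that `/articles/security-center/policy-reference.md` is not already redirected in .openpublishing.redirection.json, since only the security-center-policy-definitions.md entry is removed from that file here.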

.openpublishing.redirection.json

Lines changed: 0 additions & 5 deletions
@@ -24053,11 +24053,6 @@
2405324053
"redirect_url": "/azure/security-center/policy-reference",
2405424054
"redirect_document_id": false
2405524055
},
24056-
{
24057-
"source_path_from_root": "/articles/security-center/security-center-policy-definitions.md",
24058-
"redirect_url": "/azure/security-center/policy-reference",
24059-
"redirect_document_id": false
24060-
},
2406124056
{
2406224057
"source_path_from_root": "/articles/operations-management-suite/oms-security-connect-products.md",
2406324058
"redirect_url": "/azure/security-center/quick-security-solutions",
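Review bot: only the security-center-policy-definitions.md entry is removed here, while .openpublishing.redirection.defender-for-cloud.json gains entries for both that path and `/articles/security-center/policy-reference.md`. The unchanged context at 24053 shows another entry still pointing to `/azure/security-center/policy-reference`; if that is the policy-reference.md source, the same source path will now be declared in two redirection files with different targets. Remove the stale entry here as well, or verify that the build tolerates the duplicate and picks the intended target.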

articles/defender-for-cloud/TOC.yml

Lines changed: 7 additions & 2 deletions
@@ -238,8 +238,13 @@
238238
displayName: Azure Defender for App Service, defender for app
239239
href: defender-for-app-service-introduction.md
240240
- name: Protect your Azure Storage accounts
241-
displayName: blob, adls, files, Microsoft Defender for Storage, Defender for Storage
242-
href: defender-for-storage-introduction.md
241+
items:
242+
- name: Overview of Defender for Storage
243+
displayName: blob, adls, files, Microsoft Defender for Storage, Defender for Storage
244+
href: defender-for-storage-introduction.md
245+
- name: Exclude a storage account
246+
displayName: blob, adls, files, Microsoft Defender for Storage, Defender for Storage
247+
href: defender-for-storage-exclude.md
243248
- name: Protect your Key Vault keys and secrets
244249
items:
245250
- name: Overview of Defender for Key Vault
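Review bot: both child items carry the identical displayName string (`blob, adls, files, Microsoft Defender for Storage, Defender for Storage`); the new `Exclude a storage account` entry would be easier to find in TOC search if its displayName included terms from that article, such as exclude or AzDefenderPlanAutoEnable, instead of a copy of the overview's keywords. The parent node correctly loses its own href once it gains `items:`; the indentation of the nested block cannot be checked in this rendering, so compare it against the neighbouring `Protect your Key Vault keys and secrets` node, which uses the same parent/items shape.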

articles/defender-for-cloud/alerts-reference.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Reference table for all security alerts in Microsoft Defender for Cloud
33
description: This article lists the security alerts visible in Microsoft Defender for Cloud
44
ms.topic: reference
5-
ms.date: 01/10/2022
5+
ms.date: 01/13/2022
66
---
77
# Security alerts - a reference guide
88
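Review bot: ms.date is bumped to 01/13/2022 here while the new exclusion how-to article added in this same commit carries 01/16/2022; if the table row change landed together with the rest of the rewrite, the two dates should probably agree.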

@@ -478,7 +478,7 @@ Microsoft Defender for Containers provides security alerts on the cluster level
478478
| **Authenticated access from a Tor exit node**<br>(Storage.Blob_TorAnomaly<br>Storage.Files_TorAnomaly) | One or more storage container(s) / file share(s) in your storage account were successfully accessed from an IP address known to be an active exit node of Tor (an anonymizing proxy). Threat actors use Tor to make it difficult to trace the activity back to them. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Initial access | High/Medium |
479479
| **Access from an unusual location to a storage account**<br>(Storage.Blob_GeoAnomaly<br>Storage.Files_GeoAnomaly) | Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer.<br>Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2 | Exploitation | Low |
480480
| **Unusual unauthenticated access to a storage container**<br>(Storage.Blob_AnonymousAccessAnomaly) | This storage account was accessed without authentication, which is a change in the common access pattern. Read access to this container is usually authenticated. This might indicate that a threat actor was able to exploit public read access to storage container(s) in this storage account(s).<br>Applies to: Azure Blob Storage | Collection | Medium |
481-
| **Potential malware uploaded to a storage account**<br>(Storage.Blob_MalwareHashReputation<br>Storage.Files_MalwareHashReputation) | Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes may include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user.<br>Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API)<br>Learn more about [Azure's hash reputation analysis for malware](defender-for-storage-introduction.md#what-is-hash-reputation-analysis-for-malware).<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684). | Lateral Movement | High |
481+
| **Potential malware uploaded to a storage account**<br>(Storage.Blob_MalwareHashReputation<br>Storage.Files_MalwareHashReputation) | Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes may include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user.<br>Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API)<br>Learn more about [Azure's hash reputation analysis for malware](defender-for-storage-introduction.md#what-kind-of-alerts-does-microsoft-defender-for-storage-provide).<br>Learn more about [Microsoft's threat intelligence capabilities](https://go.microsoft.com/fwlink/?linkid=2128684). | Lateral Movement | High |
482482
| **Publicly accessible storage containers successfully discovered**<br>(Storage.Blob_OpenContainersScanning.SuccessfulDiscovery) | A successful discovery of publicly open storage container(s) in your storage account was performed in the last hour by a scanning script or tool.<br><br> This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.<br><br> The threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.<br><br> ✔ Azure Blob Storage<br> ✖ Azure Files<br> ✖ Azure Data Lake Storage Gen2 | Collection | Medium |
483483
| **Publicly accessible storage containers unsuccessfully scanned**<br>(Storage.Blob_OpenContainersScanning.FailedAttempt) | A series of failed attempts to scan for publicly open storage containers were performed in the last hour. <br><br>This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.<br><br> The threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.<br><br> ✔ Azure Blob Storage<br> ✖ Azure Files<br> ✖ Azure Data Lake Storage Gen2 | Collection | Low |
484484
| **Unusual access inspection in a storage account**<br>(Storage.Blob_AccessInspectionAnomaly<br>Storage.Files_AccessInspectionAnomaly) | Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack.<br>Applies to: Azure Blob Storage, Azure Files | Collection | Medium |
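Review bot: the link text still reads `Learn more about Azure's hash reputation analysis for malware` but the anchor now points at the general section `#what-kind-of-alerts-does-microsoft-defender-for-storage-provide`; either the target section must still describe hash reputation analysis, or the link text should be changed to match what the reader lands on. This row also states `Applies to:` as plain text while the two rows that follow use the ✔/✖ list layout; since the row is being touched, aligning it to one convention would make the table easier to scan.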
Lines changed: 121 additions & 0 deletions
@@ -0,0 +1,121 @@
1+
---
2+
title: Microsoft Defender for Storage - excluding a storage account
3+
description: Excluding a specific storage account from a subscription with Microsoft Defender for Storage enabled.
4+
ms.date: 01/16/2022
5+
ms.topic: how-to
6+
---
7+
# Exclude a storage account from Microsoft Defender for Storage protections
8+
9+
> [!CAUTION]
10+
> Excluding resources from advanced threat protection is not recommended and leaves your cloud workload exposed.
11+
12+
When you [enable Microsoft Defender for Storage](../storage/common/azure-defender-storage-configure.md#set-up-microsoft-defender-for-cloud) on a subscription, all existing Azure Storage accounts will be protected and any storage resources added to that subscription in the future will also be automatically protected.
13+
14+
If you need to exempt a specific Azure Storage account from this Defender plan, use the instructions on this page.
15+
16+
> [!TIP]
17+
> We recommend enabling [Microsoft Defender for Resource Manager](defender-for-resource-manager-introduction.md) for any accounts with unprotected Azure Storage resources. Defender for Resource Manager automatically monitors your organization's resource management operations, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients.
18+
19+
20+
## Exclude a specific storage account
21+
22+
To exclude specific storage accounts from Microsoft Defender for Storage when the plan is enabled on a subscription:
23+
24+
### [**PowerShell**](#tab/enable-storage-protection-ps)
25+
26+
### Use PowerShell to exclude an Azure Storage account
27+
28+
1. If you don't have the Azure Az PowerShell module installed, install it using [the instructions from the Azure PowerShell documentation](/powershell/azure/install-az-ps).
29+
30+
1. Using an authenticated account, connect to Azure with the ``Connect-AzAccount`` cmdlet, as explained in [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).
31+
32+
1. Define the AzDefenderPlanAutoEnable tag on the storage account with the ``Update-AzTag`` cmdlet (replace the ResourceId with the resource ID of the relevant storage account):
33+
34+
```azurepowershell
35+
Update-AzTag -ResourceId <resourceID> -Tag @{"AzDefenderPlanAutoEnable" = "off"} -Operation Merge
36+
```
37+
38+
If you skip this stage, your untagged resources will continue receiving daily updates from the subscription level enablement policy. That policy will enable Defender for Storage again on the account.
39+
40+
> [!TIP]
41+
> Learn more about tags in [Use tags to organize your Azure resources and management hierarchy](/azure-resource-manager/management/tag-resources.md).
42+
43+
1. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the ``Disable-AzSecurityAdvancedThreatProtection`` cmdlet (using the same resource ID):
44+
45+
```azurepowershell
46+
Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>
47+
```
48+
49+
[Learn more about this cmdlet](/powershell/module/az.security/disable-azsecurityadvancedthreatprotection).
50+
51+
52+
### [**Azure CLI**](#tab/enable-storage-protection-cli)
53+
54+
### Use Azure CLI to exclude an Azure Storage account
55+
56+
1. If you don't have Azure CLI installed, install it using [the instructions from the Azure CLI documentation](/cli/azure/install-azure-cli).
57+
58+
1. Using an authenticated account, connect to Azure with the ``login`` command as explained in [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli) and enter your account credentials when prompted:
59+
60+
```azurecli
61+
az login
62+
```
63+
64+
1. Define the AzDefenderPlanAutoEnable tag on the storage account with the ``tag update`` command (replace the ResourceId with the resource ID of the relevant storage account):
65+
66+
```azurecli
67+
az tag update --resource-id MyResourceId --operation merge --tags AzDefenderPlanAutoEnable=off
68+
```
69+
70+
If you skip this stage, your untagged resources will continue receiving daily updates from the subscription level enablement policy. That policy will enable Defender for Storage again on the account.
71+
72+
> [!TIP]
73+
> Learn more about tags in [az tag](/cli/azure/tag).
74+
75+
1. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the ``security atp storage`` command (using the same resource ID):
76+
77+
```azurecli
78+
az security atp storage update --resource-group MyResourceGroup --storage-account MyStorageAccount --is-enabled false
79+
```
80+
81+
[Learn more about this command](/cli/azure/security/atp/storage).
82+
83+
84+
### [**Azure portal**](#tab/enable-storage-protection-portal)
85+
86+
### Use the Azure portal to exclude an Azure Storage account
87+
88+
1. Define the AzDefenderPlanAutoEnable tag on the storage account:
89+
90+
1. From the Azure portal, open the storage account and select the **Tags** page.
91+
1. Enter the tag name **AzDefenderPlanAutoEnable** and set the value to **off**.
92+
1. Select **Apply**.
93+
94+
:::image type="content" source="media/defender-for-storage-exclude/define-tag-storage-account.png" alt-text="Screenshot of how to add a tag to a storage account in the Azure portal." lightbox="media/defender-for-storage-exclude/define-tag-storage-account.png":::
95+
96+
1. Verify that the tag has been added successfully. It should look similar to this:
97+
98+
:::image type="content" source="media/defender-for-storage-exclude/define-tag-storage-account-success.png" alt-text="Screenshot of a tag on a storage account in the Azure portal." lightbox="media/defender-for-storage-exclude/define-tag-storage-account-success.png":::
99+
100+
1. Disable and then enable the Microsoft Defender for Storage on the subscription:
101+
102+
1. From the Azure portal, open **Microsoft Defender for Cloud**.
103+
1. Open **Environment settings** > select the relevant subscription > **Defender plans** > toggle the Defender for Storage plan off > select **Save** > turn it back on > select **Save**.
104+
105+
:::image type="content" source="media/defender-for-storage-exclude/defender-plan-toggle.png" alt-text="Screenshot of disabling and enabling the Microsoft Defender for Storage plan from Microsoft Defender for Cloud." lightbox="media/defender-for-storage-exclude/defender-plan-toggle.png":::
106+
107+
---
108+
109+
110+
## Exclude an Azure Databricks Storage account
111+
112+
When Defender for Storage is enabled on a subscription, it's not currently possible to exclude a Storage account if it belongs to an Azure Databricks workspace.
113+
114+
Instead, you can disable Defender for Storage on the subscription and enable Defender for Storage for each Azure Storage account from the **Security** page:
115+
116+
:::image type="content" source="media/defender-for-storage-exclude/defender-plan-enable-resource.png" alt-text="Screenshot of enabling Microsoft Defender for Storage from the security page of an Azure Storage account." lightbox="media/defender-for-storage-exclude/defender-plan-enable-resource.png":::
117+
118+
119+
## Next steps
120+
121+
- Explore the [Microsoft Defender for Storage – Price Estimation Dashboard](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-storage-price-estimation-dashboard/ba-p/2429724)
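Review bot: in the Azure CLI section, step 4 says to disable the plan `using the same resource ID`, but the command shown, `az security atp storage update --resource-group MyResourceGroup --storage-account MyStorageAccount --is-enabled false`, takes a resource group and account name rather than a resource ID; either reword the step or tell the reader how to derive those two values from the ID passed to `az tag update --resource-id MyResourceId`. Smaller points: the PowerShell placeholders differ in case (`<resourceID>` in Update-AzTag, `<resourceId>` in Disable-AzSecurityAdvancedThreatProtection); the tags tip links to `/azure-resource-manager/management/tag-resources.md`, which carries a .md extension unlike every other cross-docset link on the page (`/powershell/azure/install-az-ps`, `/cli/azure/tag`) and is therefore probably broken; and the CLI steps refer to `the login command` and `the tag update command` where the fenced examples use `az login` and `az tag update`. Finally, the portal path tells the reader to toggle the Defender for Storage plan off and back on for the whole subscription, which briefly removes protection from every storage account in it, whereas the PowerShell and CLI paths disable only the tagged account; the article should state this trade-off (and why the portal requires the toggle), since the CAUTION at the top only warns about the account being excluded.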
