Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.
Microsoft managed storage accounts triggering defender rules
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 45%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Janne Kujanpää
266
Reputation points
Databricks managed storage accounts are again triggering some Defender rules:
Following rules are triggered by databricks managed storage accounts
- Storage account should use a private link connection
- Storage accounts should restrict network access using virtual network rules
Exemption cannot be added because resource group has deny assignment => the policy itself should ignore storage account managed by Microsoft/Databricks to avoid false positives.
Is there any workarounds for this while waiting policy fixes?
If anyone has contact with team writing those policies, please let them know. Otherwise, I'll just wait for policies being GAd and create support ticket(s).
Azure Databricks
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
A cloud-native solution that protects workloads across hybrid and multi-cloud environments with threat detection and security recommendations
-
Janne Kujanpää 266 Reputation points
2023-03-29T20:38:05.82+00:00 I'm not sure but how editing built-in policy that is part of builtin ASC policy initiative is supposed to work and where is the actual logic to use
ExcludedTagsparameter?Did you just use this answer:
Also https://github.com/Azure/azure-policy/search?q=ExcludedTags returns zero hits.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 36%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator2023-03-30T03:13:24.85+00:00 Hello Janne Kujanpää,
Apologies for the inconvenience here. I am looking into it further and will get back to you with an update soon.
-
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator
2023-03-30T14:22:11.02+00:00 Hello Janne Kujanpää,
Welcome to the MS Q&A platform.
One workaround for this issue is to exclude the Databricks managed storage accounts from the Defender policies triggering false positives. You can do this by adding a tag to the storage accounts and then excluding the accounts with that tag from the policies.
You can use the Azure portal or Azure CLI to add a tag to the storage accounts. Here is an example of adding a tag to a storage account using Azure CLI:
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --tags tag-name=tag-valueOnce you have added the tag to the storage accounts, you can exclude them from the Defender policies by modifying the policy definitions. You can do this using the Azure portal or Azure PowerShell. Here is an example to exclude storage accounts with a specific tag from a Defender policy using Azure PowerShell:
$policy = Get-AzPolicyDefinition -Id <policy-definition-id> $policy.Parameters.ExcludedTags.Value = "<tag-name>:<tag-value>" Set-AzPolicyDefinition -Id <policy-definition-id> -Policy $policyNote that you will need to replace
<storage-account-name>,<resource-group-name>,<tag-name>,<tag-value>, and<policy-definition-id>with the appropriate values for your environment.I hope this helps. Please let me know if you have any further questions.
-
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator
2023-03-30T22:46:27.2+00:00 Hello Janne Kujanpää,
As a workaround, please check if disabling Microsoft Defender for Storage for the desired account on the relevant subscription using the below command.
az security atp storage update --resource-group MyResourceGroup --storage-account MyStorageAccount --is-enabled falseThis command will disable Advanced Threat Protection for a storage account on a subscription scope.
https://learn.microsoft.com/en-us/cli/azure/security/atp/storage?view=azure-cli-latest
-
Janne Kujanpää 266 Reputation points
2023-03-31T06:14:43.6633333+00:00 No AFAIK that will not work.
Reason 1:
The command you mentioned will create again an extension resource. Creation will be blocked by deny assignment just like exemption creation is being blocked.
Reason 2:
Disabling Defender plan for storage account has nothing to do with mentioned policies:
"Storage accounts should use private link" aka "Storage account should use a private link connection":
"policyRule": { "if": { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Storage/storageAccounts/privateEndpointConnections", "existenceCondition": { "field": "Microsoft.Storage/storageAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status", "equals": "Approved" } } } }=> The policy is checking if private links connection statte is Approved. Disable Defender plan does not fix this policy alert.
"Storage accounts should restrict network access using virtual network rules" :
"policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "anyOf": [ { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny" }, { "count": { "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]" }, "greaterOrEquals": 1 } ] } ] }, "then": { "effect": "[parameters('effect')]" } }And this policy rule checks storage account network default actions and existence of IP-based rules. Disabling defender plan for storage will not fix detections of this policy rule.
-
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator
2023-03-31T22:13:12.3766667+00:00 Hello Janne Kujanpää,
Thank you for the details. I tried checking with my internal team but didn't get much help.
As the next steps, I suggest filing a support request with the policies team to assist here further.
If you don't have a support plan, I can enable one-time free support for you to work closely on this matter.
I am looking forward to hearing from you.
-
Janne Kujanpää 266 Reputation points
2023-04-01T07:13:18.89+00:00 Those policies are still on review phase => too high risk ATM that support just tells they are still on preview.
I seriously hope that there would be a channel to send feedback directly to PG/teams during preview.
-
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator
2023-04-04T18:58:21.75+00:00 Hello Janne Kujanpää, Appreciate if you could share the feedback on our Azure Governance feedback channel, which would be open for the user community to upvote & comment on. This allows our product team to prioritize your request against our existing feature backlog effectively and gives insight into the potential impact of implementing the suggested feature. Here is the feedback channel: https://feedback.azure.com/d365community/forum/675ae472-f324-ec11-b6e6-000d3a4f0da0
Sign in to comment
Sign in to answer