Testing the Defender for Storage data security features

After you enable Microsoft Defender for Storage, you can test the service and run a proof of concept to familiarize yourself with its features and validate that the advanced security capabilities effectively protect your storage accounts by generating real security alerts. This guide walks you through testing various aspects of the security coverage offered by Defender for Storage.

There are three main components to test:

  • Malware Scanning (if enabled)
  • Sensitive data threat detection (if enabled)
  • Activity monitoring

Tip

A hands-on lab to try out Malware Scanning in Defender for Storage

We recommend you try the Ninja training instructions for detailed step-by-step instructions on how to test Malware Scanning end-to-end, including setting up responses to scanning results. This is part of the 'labs' project that helps customers get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience with its capabilities.

Testing Malware Scanning

Follow these steps to test Malware Scanning after enabling the feature:

  1. To verify that the setup is successful, upload a file to the storage account. You can use the Azure portal to upload a file.

  2. Inspect new blob index tags:

    1. After uploading the file, view the blob and examine its blob index tags.

    2. You should see two new tags: Malware Scanning scan result and Malware Scanning scan time.

    3. The blob index tags serve as a helpful way to view the scan results.

  3. If you don't see the new blob index tags, select the Refresh button.

Screenshot showing how to upload a file to test the Malware Scan.

Note

Index tags are not supported for ADLS Gen. To test and validate your protection for premium block blobs, look at the generated security alert.

Upload an EICAR test file to simulate malware upload

To simulate a malware upload using an EICAR test file, follow these steps:

  1. Prepare for the EICAR test file:

    1. Use an EICAR test file instead of real malware to avoid causing damage. Antimalware software treats the EICAR test file as malware by convention.

    2. Exclude an empty folder to prevent your endpoint antivirus protection from deleting the file. For Microsoft Defender for Endpoint (MDE) users, refer to add an exclusion to Windows Security.

  2. Create the EICAR test file:

    1. Copy the following string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    2. Paste the string into a .TXT file and save it in the excluded folder.

  3. Upload the EICAR test file to your storage account.

  4. Verify the Malware Scanning scan result index tag:

    1. Check for the Malware Scanning scan result index tag with the value Malicious.

    2. If the tags are not visible, select the Refresh button.

  5. Receive a Microsoft Defender for Cloud security alert:

    1. Navigate to Microsoft Defender for Cloud using the search bar in Azure.

    2. Select Security Alerts.

  6. Review the security alert:

    1. Locate the alert titled Malicious file uploaded to storage account.

    2. Select the alert’s View full details button to see all the related details.

Learn more about Defender for Storage security alerts in the reference table for all security alerts in Microsoft Defender for Cloud.

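The portal steps above can be automated for repeated proof-of-concept runs. This added example is not part of the original article or of the Defender for Storage product code: it builds the EICAR content from the string in step 2, polls the blob index tags (they appear asynchronously, which is why the steps say to select Refresh) and reduces them to a verdict. The blob URL and credential passed to upload_and_watch are assumed placeholders, and only that function needs the azure-storage-blob package.

```python
import time
from typing import Callable, Dict, Optional

# Blob index tag names exactly as the portal shows them (from the steps above).
RESULT_TAG = "Malware Scanning scan result"
TIME_TAG = "Malware Scanning scan time"
MALICIOUS = "Malicious"

# The EICAR string from step 2, split in two so that this source file is not
# itself mistaken for the test file by endpoint antivirus (see step 1).
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}" + "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test file content."""
    data = EICAR.encode("ascii")
    if len(data) != 68:
        raise ValueError("EICAR string is corrupted")
    return data


def wait_for_scan_result(get_tags: Callable[[], Dict[str, str]],
                         max_attempts: int = 30,
                         interval_s: float = 10.0) -> Optional[Dict[str, str]]:
    """Poll blob index tags until the scan result tag appears. Scanning is
    asynchronous, which is why the portal steps say to select Refresh.
    Returns the two scan tags, or None if they never showed up."""
    for attempt in range(max_attempts):
        tags = get_tags() or {}
        if RESULT_TAG in tags:
            return {RESULT_TAG: tags[RESULT_TAG], TIME_TAG: tags.get(TIME_TAG, "")}
        if attempt < max_attempts - 1:
            time.sleep(interval_s)
    return None


def verdict(tags: Optional[Dict[str, str]]) -> str:
    """Reduce the tags to a harness verdict. 'no-result' also covers ADLS,
    where index tags are not supported and the security alert is the signal."""
    if tags is None:
        return "no-result"
    return "malicious" if tags[RESULT_TAG] == MALICIOUS else "not-malicious"


def upload_and_watch(blob_url: str, credential) -> str:
    """Upload EICAR to a blob (hypothetical URL/credential) and wait for the
    verdict. Needs 'pip install azure-storage-blob'; imported lazily so the
    pure helpers above run without it."""
    from azure.storage.blob import BlobClient
    client = BlobClient.from_blob_url(blob_url, credential=credential)
    client.upload_blob(eicar_bytes(), overwrite=True)
    return verdict(wait_for_scan_result(client.get_blob_tags))
```
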
Testing sensitive data threat detection

To test the sensitive data threat detection feature by uploading test data that represents sensitive information to your storage account, follow these steps:

  1. Create a new storage account:

    1. Choose a subscription without Defender for Storage enabled.

    2. Create a new storage account with a random name under the selected subscription.

  2. Set up a test container:

    1. Go to the Containers blade in the newly created storage account.

    2. Select the + Container button to create a new blob container.

    3. Name the new container test-container.

  3. Upload test data:

    1. Open a text editing application on your computer, such as Notepad or Microsoft Word.

    2. Create a new file and save it in a format like TXT, CSV, or DOCX.

    3. Add the following string to the file: ASD 100-22-3333 SSN Text - this is a test US (United States) SSN (Social Security Number).

      Screenshot showing how to test a file in Malware Scanning for Social Security Number information.

    4. Save and upload the file to the test-container in the storage account.

      Screenshot showing how to upload a file in Malware Scanning to test for Social Security Number information.

  4. Enable Defender for Storage:

    1. In the Azure portal, go to Microsoft Defender for Cloud.

    2. Enable Defender for Storage on the storage account with the sensitive data discovery feature enabled.

    Sensitive data discovery scans for sensitive information within the first 24 hours when enabled at the storage account level or when a new storage account is created under a subscription protected by this feature at the subscription level. Following this initial scan, the service will scan for sensitive information every 7 days from the time of enablement.

    Note

    If you enable the feature and then add sensitive data on the days after enablement, the next scan for that newly added data will occur within the next 7-day scanning cycle, depending on the day of the week the data was added.

  5. Change access level:

    1. Return to the Containers blade.

    2. Right-click on the test-container and select Change the access level.

      Screenshot showing how to change the access level for a test of Malware Scanning.

    3. Choose the Container (anonymous read access for containers and blobs) option and select OK.

    The previous step exposes the blob container's content to the internet, which will trigger a security alert within 30-60 minutes.

  6. Review the security alert:

    1. Go to the Security Alerts blade.

    2. Look for the alert titled The access level of a sensitive storage blob container was changed to allow unauthenticated public access.

    3. Select the alert’s View full details button to see all the related details.

      Screenshot showing how to see an alert for a test file in Malware Scanning.

Learn more about Defender for Storage security alerts in the reference table for all security alerts in Microsoft Defender for Cloud.

Testing activity monitoring

To test the activity monitoring feature by simulating access from a Tor exit node to a storage account, follow these steps:

  1. Create a new storage account with a random name.

  2. Set up a test container:

    1. Go to the Containers blade in the storage account.

    2. Select the + Container button to create a new blob container.

    3. Name the new container test-container-tor.

  3. Upload any file to the test-container-tor.

  4. Generate a SAS (shared access signature) token:

    1. Right-click on the uploaded file and select Generate SAS.

    2. Select the Generate SAS token and URL button.

    3. Copy the Blob SAS URL.

  5. Download the file using a Tor browser:

    1. Open a Tor browser.

    2. Paste the SAS URL into the address bar and press Enter.

    3. Download the file when prompted.

    The previous step will trigger a Tor anomaly security alert within 1-3 hours.

  6. Review the security alert:

    1. Go to the Security Alerts blade.

    2. Look for the alert titled Access from a Tor exit node to a storage blob container.

    3. Select the alert’s View full details button to see all the related details.

Learn more about Defender for Storage security alerts in the reference table for all security alerts in Microsoft Defender for Cloud.

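Before pasting the Blob SAS URL from step 4 into the Tor browser, confirm that the test SAS grants no more than the test needs: one blob, read-only, HTTPS, and an expiry shortly after the 1-3 hour alert window. This added check is not part of the original article; the storage account name, container and signature values in it are constructed placeholders, and the 4-hour lifetime limit is an assumption.

```python
from datetime import datetime, timedelta, timezone
from typing import List
from urllib.parse import parse_qs, urlsplit

# Assumption: the 1-3 hour alert window fits comfortably inside a 4-hour SAS.
MAX_LIFETIME = timedelta(hours=4)


def parse_sas_time(value: str) -> datetime:
    """SAS 'se'/'st' values are UTC ISO 8601, full timestamp or date-only."""
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_sas_url(url: str, now: datetime) -> List[str]:
    """Return findings about the SAS URL; an empty list means it is narrow
    enough for the Tor download test (one blob, read-only, short-lived, HTTPS)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("URL is not https")
    if "sig" not in q:
        findings.append("no 'sig' parameter: this is not a SAS URL")
    if q.get("sr") != "b":
        findings.append(f"signed resource is {q.get('sr')!r}; expected 'b' (one blob)")
    if q.get("sp") != "r":
        findings.append(f"permissions are {q.get('sp')!r}; expected read-only 'r'")
    if q.get("spr", "https") != "https":
        findings.append("SAS permits plain HTTP ('spr' is not https)")
    if "se" not in q:
        findings.append("no expiry ('se') on the SAS")
    else:
        remaining = parse_sas_time(q["se"]) - now
        if remaining <= timedelta(0):
            findings.append("SAS has already expired; regenerate it")
        elif remaining > MAX_LIFETIME:
            findings.append(f"SAS stays valid for {remaining}; shorten it below {MAX_LIFETIME}")
    return findings


def redact_sas(url: str) -> str:
    """Strip the signature so the test URL can be pasted into tickets or logs."""
    parts = urlsplit(url)
    kept = [kv for kv in parts.query.split("&") if kv and not kv.startswith("sig=")]
    return parts._replace(query="&".join(kept + ["sig=REDACTED"])).geturl()
```
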
Next steps

In this article, you learned how to test data protection and threat detection in Defender for Storage.

Learn more about: