Hi,

The malware scanning feature in Microsoft Defender for Storage scans files stored in Azure Blob Storage and Azure Files to detect and remove malware. The scanning process is automatic and continuous, ensuring that your data is always protected. When malware is detected, Microsoft Defender for Storage takes action to remove the threat and prevent it from spreading to other files or systems.

Microsoft Defender for Storage supports both real-time and on-demand scanning. Real-time scanning is performed automatically when files are uploaded to Azure Blob Storage or Azure Files. On-demand scanning can be initiated manually through the Azure portal or using PowerShell scripts. On-demand scanning is useful for detecting and removing malware that may have evaded real-time scanning or for scanning files that have been in storage for some time.

Microsoft Defender for Storage provides detailed reporting and alerts when malware is detected. Reports are available through the Azure portal and provide detailed information on the type of malware detected, the location of the infected files, and the actions taken to remove the threat. Alerts can be configured to notify security teams when malware is detected, allowing them to take immediate action to protect your data.

Limitations:

• Legacy v1 storage accounts aren’t supported
• Azure Files isn’t supported for Malware Scanning
• Client-side encrypted blobs aren’t supported (they can’t be decrypted before scan by the service). [data encrypted at rest by CMK is supported].
• File size limit is 2 GB
• The “capping” mechanism is currently not functional. You can set your limitations now, and they’ll set in when “capping” starts working.
• Malware Scanning scan throughput rate limit per-storage-account – 2GB/min
• Uploading in a higher rate results in a slow-down scan – files are scanned later
• Index tag scan result isn’t supported in storage account with Hierarchical namespace enabled (Azure Data Lake Storage Gen2)
• Append and Page blobs aren’t supported for Malware Scanning.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan

Maxime.

Hi!

Azure Defender for Key Vault has the following new alert:

Alert (alert type)	Description	MITRE tactics	Severity
Denied access from a suspicious IP to a key vault (KV_SuspiciousIPAccessDenied)	An unsuccessful key vault access has been attempted by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. Though this attempt was unsuccessful, it indicates that your infrastructure might have been compromised. We recommend further investigations.	Credential Access	Low

You can see a list of all of the alerts available for Key Vault.

Maxime.

Hi!

You can now create sample alerts also for Defender for Containers plan. The new sample alerts are presented as being from AKS, Arc-connected clusters, EKS, and GKE resources with different severities and MITRE tactics. You can use the sample alerts to validate security alert configurations, such as SIEM integrations, workflow automation, and email notifications.

Maxime.