Control: 8.1.5.2 Ensure Advanced Threat Protection Alerts for Storage Accounts Are Monitored
Description
After enabling Microsoft Defender for Storage, configure an alert monitoring and response process to ensure that alerts are actioned in a timely manner. Integrate with SIEM solutions like Microsoft Sentinel, or configure email/webhook notifications to security teams.
Enabling Microsoft Defender for Storage without a monitoring process limits its value. Continuous monitoring and alert triage ensure that detected threats are acted upon quickly, reducing risk exposure.
Remediation
Connect Microsoft Defender for Cloud to a SIEM such as Microsoft Sentinel or another log analytics solution.
Remediate from Azure Portal
- Go to Microsoft Defender for Cloud.
- Under Management, click Environment Settings.
- Expand the Tenant Root Group(s) to reveal subscriptions.
For each subscription listed:
- Click the subscription name to open the Defender Plans settings
- In the settings on the left, click Continuous Export
- Select either Event Hub, Log Analytics Workspace, or both depending on your environment.
- Set Export enabled to On
- Under Exported data types, ensure that at least Security Alerts (Medium and High) is checked.
- Under Export target, set the target Event Hub or Log Analytics Workspace which is tied to a SIEM that is configured to monitor and alert for security alerts. Ensure security alerts are included in the security operations workflow and incident response plan.
Default Value
By default, continuous export is off.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_8_1_5_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v500_8_1_5_2 --shareSQL
This control uses a named query:
select id as resource, 'info' as status, 'Manual verification required.' as reason, display_name as subscriptionfrom azure_subscription;