AzureDefenderForStorage.yaml
version: 1.0
ATT&CK version: 8.2
creation date: 02/22/2021
name: Azure Defender for Storage
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
  - Azure Defender
  - Azure Security Center Recommendation
description: >-
  Azure Defender for Storage can detect unusual and potentially harmful attempts to access or
  exploit storage accounts. Security alerts may trigger due to suspicious access patterns, suspicious
  activities, and upload of malicious content. Alerts include details of the incident
  that triggered them, as well as recommendations on how to investigate and remediate threats.
  Alerts can be exported to Azure Sentinel, any third-party SIEM, or any other external tool.
techniques:
  - id: T1530
    name: Data from Cloud Storage Object
    technique-scores:
      - category: Detect
        value: Significant
        comments: >-
          A variety of alerts may be generated by malicious access and enumeration of Azure Storage.
  - id: T1078
    name: Valid Accounts
    technique-scores:
      - category: Detect
        value: Minimal
        comments: >-
          This control provides minimal detection for its procedure examples. Additionally, it is able
          to detect only one of its sub-techniques (Cloud Accounts), resulting in a Minimal coverage score
          and consequently an overall score of Minimal.
    sub-techniques-scores:
      - sub-techniques:
          - id: T1078.004
            name: Cloud Accounts
        scores:
          - category: Detect
            value: Significant
            comments: >-
              This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR
              exit nodes, and anonymous access.
  - id: T1105
    name: Ingress Tool Transfer
    technique-scores:
      - category: Detect
        value: Partial
        comments: >-
          This control may alert on upload of possible malware or executable and Azure Cloud
          Services Package files. These alerts are dependent on Microsoft threat intelligence and
          may not alert on novel or modified malware.
      - category: Respond
        value: Partial
        comments: >-
          "When a file is suspected to contain malware, Security Center displays an alert and can
          optionally email the storage owner for approval to delete the suspicious file." This delete
          response capability leads to a Response type of Eradication, although it is specific to the
          Azure Blob, Azure Files and Azure Data Lake Storage storage types, resulting in an overall
          score of Partial.
  - id: T1080
    name: Taint Shared Content
    technique-scores:
      - category: Detect
        value: Partial
        comments: >-
          This control may alert on upload of possible malware or executable and Azure Cloud
          Services Package files. These alerts are dependent on Microsoft threat intelligence and
          may not alert on novel or modified malware.
      - category: Respond
        value: Partial
        comments: >-
          "When a file is suspected to contain malware, Security Center displays an alert and can
          optionally email the storage owner for approval to delete the suspicious file." This delete
          response capability leads to a Response type of Eradication, although it is specific to the
          Azure Blob, Azure Files and Azure Data Lake Storage storage types, resulting in an overall
          score of Partial.
  - id: T1537
    name: Transfer Data to Cloud Account
    technique-scores:
      - category: Detect
        value: Partial
        comments: >-
          This control may alert on unusually large amounts of data being extracted from Azure
          Storage and on suspicious access to storage accounts. There are no alerts specifically tied
          to data transfer between cloud accounts, but there are several alerts for anomalous storage
          access and transfer.
  - id: T1485
    name: Data Destruction
    technique-scores:
      - category: Detect
        value: Minimal
        comments: >-
          This control may generate alerts when there has been an unusual or unexpected delete
          operation within Azure cloud storage. Alerts may not be generated by disabling of storage
          backups or versioning, or by editing of storage objects.
references:
  - 'https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction'
  - 'https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurestorage'