| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | significant | T1078.004 | Cloud Accounts |
Comments
This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | significant | T1530 | Data from Cloud Storage |
Comments
A variety of alerts may be generated by malicious access and enumeration of Azure Storage.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | respond | partial | T1105 | Ingress Tool Transfer |
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | respond | partial | T1080 | Taint Shared Content |
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1537 | Transfer Data to Cloud Account |
Comments
This control may alert on unusually large amounts of data being extracted from Azure storage and suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts but there are several alerts for anomalous storage access and transfer.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1105 | Ingress Tool Transfer |
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1080 | Taint Shared Content |
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | minimal | T1485 | Data Destruction |
Comments
This control may generate alerts when there has been an unusual or unexpected delete operation within Azure cloud storage. Alerts may not be generated by disabling of storage backups, versioning, or editing of storage objects.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | minimal | T1078 | Valid Accounts |
Comments
This control provides minimal detection for its procedure examples. Additionally, it is able to detect only one of its sub-techniques (Cloud Accounts) resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | 9 |