| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| azure_defender_for_storage | Azure Defender for Storage | detect | significant | T1530 | Data from Cloud Storage Object |
Comments
A variety of alerts may be generated by malicious access and enumeration of Azure Storage.
References
|
| azure_defender_for_storage | Azure Defender for Storage | detect | minimal | T1078 | Valid Accounts |
Comments
This control provides minimal detection for its procedure examples. Additionally, it is able to detect only one of its sub-techniques (Cloud Accounts) resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| azure_defender_for_storage | Azure Defender for Storage | detect | significant | T1078.004 | Cloud Accounts |
Comments
This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access.
References
|
| azure_defender_for_storage | Azure Defender for Storage | detect | partial | T1105 | Ingress Tool Transfer |
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
|
| azure_defender_for_storage | Azure Defender for Storage | respond | partial | T1105 | Ingress Tool Transfer |
Comments
"When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file." This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
|
| azure_defender_for_storage | Azure Defender for Storage | detect | partial | T1080 | Taint Shared Content |
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
|
| azure_defender_for_storage | Azure Defender for Storage | respond | partial | T1080 | Taint Shared Content |
Comments
"When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file." This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
|
| azure_defender_for_storage | Azure Defender for Storage | detect | partial | T1537 | Transfer Data to Cloud Account |
Comments
This control may alert on unusually large amounts of data being extracted from Azure storage and suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts but there are several alerts for anomalous storage access and transfer.
References
|
| azure_defender_for_storage | Azure Defender for Storage | detect | minimal | T1485 | Data Destruction |
Comments
This control may generate alerts when there has been an unusual or unexpected delete operation within Azure cloud storage. Alerts may not be generated by disabling of storage backups, versioning, or editing of storage objects.
References
|
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| azure_defender_for_storage | Azure Defender for Storage | 9 |