Recently I was asked about a way to selectively target the Storage ATP on certain storage accounts in a Subscription. Azure Security Center allows you to set Storage ATP on all Storage Accounts in the subscription.
To view this option, search for Azure Security Center in the top search bar.
Go to the Pricing & settings blade and choose your subscription.
From here you can selectively enable or disable which PaaS resources you want protected with Standard Tier.
To get a more comprehensive view of what ASC threat protection can do check out the Azure Security Center documentation: https://docs.microsoft.com/en-us/azure/security-center/threat-protection
and a mind map I put together: https://www.mindmeister.com/1474994114/threat-protection-in-azure-security-center?fullscreen=1
As you can see a lot can be protected and covered using Azure Security Center, including Azure Files and ADLS Gen2 now: https://azure.microsoft.com/en-us/blog/azure-files-support-and-new-updates-in-advanced-threat-protection-for-azure-storage/
If, for whatever reason, you do not wish to turn on ASC Storage protection on all storage accounts and want to select only a handful of them, you can do so with Azure PowerShell.
*Please keep in mind that after disabling ASC protection on storage accounts, any net new storage accounts that need ATP must have it turned on manually. An Azure Policy may help with automating that.
Azure Security Center can be managed and configured from Azure PowerShell. The module is not included by default with the Az module.
To bring the module in, run: Install-Module Az.Security -Force
There are many interesting things you can do with it, one of which is to enable or disable Storage Account ATP: https://docs.microsoft.com/en-us/powershell/module/az.security/enable-azsecurityadvancedthreatprotection?view=azps-4.4.0
Enable-AzSecurityAdvancedThreatProtection -ResourceId
I wrote a simple script that can be run on a subscription. It collects the storage accounts and puts them in a .csv file:
    # Collect storage accounts in the subscription
    $storeaccts = Get-AzStorageAccount
    # Export a CSV list of storage accounts; the customer can remove accounts as needed
    $storeaccts | Export-Csv c:\temp\storageaccounts.csv -NoTypeInformation
You can then go into the .csv file and remove the storage accounts you do not want protected. The script waits until you press enter. Afterwards it imports the updated .csv list:
    # Pause the script to allow the customer to modify the .csv list
    Read-Host -Prompt 'Please modify c:\temp\storageaccounts.csv removing any storage accounts you do not want to have Storage ATP turned on. Once finished, press enter to continue the script'
    # Import the modified storage account .csv list
    $stores = Import-Csv c:\temp\storageaccounts.csv
It then sets Storage protection to Free in ASC on the subscription:
    # Disable ASC Storage protection on the subscription (switch to Free)
    Write-Host "Disabling Storage Account Protection on ASC"
    Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Free"
Finally, it runs through the storage accounts in the updated .csv list and enables ATP on each one:
    # Run through each storage account ID in the modified list and enable ATP on that storage account
    foreach ($store in $stores) {
        Enable-AzSecurityAdvancedThreatProtection -ResourceId $store.Id
        Write-Host "Storage Account ATP Enabled on " $store.StorageAccountName
    }
The script can be found here: https://github.com/swiftsolves-msft/PowerShell-Scripts/blob/master/UpdateStorageATP.ps1
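Because the subscription tier is now Free, storage accounts created after the list was edited get no ATP unless someone enables it. The following drift check is an added example, not part of UpdateStorageATP.ps1: it compares the edited .csv against the actual per-account ATP state. `Compare-StorageAtpState`, `Get-LiveAtpState`, the `Finding` labels and the sample resource IDs are hypothetical, and it assumes Az.Storage and Az.Security are installed and `Connect-AzAccount` has been run for the live part.

```powershell
# Added example; function names and Finding labels are hypothetical.
function Compare-StorageAtpState {
    param(
        [string[]]$IntendedIds,    # Id column of the edited .csv
        [object[]]$ActualState,    # objects with Id, IsEnabled, CreationTime (UTC)
        [datetime]$ListEditedUtc   # when the .csv was last saved (UTC)
    )
    foreach ($acct in $ActualState) {
        # -contains is case-insensitive, which matches how Azure treats resource IDs
        $wanted = $IntendedIds -contains $acct.Id
        $finding = if ($wanted -and -not $acct.IsEnabled) {
            'MissingProtection'      # on the list, but ATP is off
        } elseif (-not $wanted -and $acct.IsEnabled) {
            'UnexpectedProtection'   # ATP is on, but the account is not on the list
        } elseif (-not $wanted -and $acct.CreationTime -gt $ListEditedUtc) {
            'NewSinceList'           # created after the list was edited: needs a decision
        } else { 'OK' }
        [pscustomobject]@{ Id = $acct.Id; IsEnabled = $acct.IsEnabled; Finding = $finding }
    }
}

function Get-LiveAtpState {
    # Reads the real ATP state of every storage account in the current subscription
    foreach ($sa in Get-AzStorageAccount) {
        $atp = Get-AzSecurityAdvancedThreatProtection -ResourceId $sa.Id
        [pscustomobject]@{
            Id = $sa.Id; IsEnabled = [bool]$atp.IsEnabled
            CreationTime = $sa.CreationTime.ToUniversalTime()
        }
    }
}

# Constructed sample data (not real accounts) so the comparison can be tried offline
$p = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo' +
     '/providers/Microsoft.Storage/storageAccounts/'
$edited = [datetime]::new(2020, 8, 1, 12, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Id = "${p}finance01"; IsEnabled = $true;  CreationTime = $edited.AddDays(-30) }
    [pscustomobject]@{ Id = "${p}hrdata01";  IsEnabled = $false; CreationTime = $edited.AddDays(-30) }
    [pscustomobject]@{ Id = "${p}scratch01"; IsEnabled = $false; CreationTime = $edited.AddDays(-30) }
    [pscustomobject]@{ Id = "${p}newapp01";  IsEnabled = $false; CreationTime = $edited.AddDays(5) }
)
Compare-StorageAtpState -IntendedIds "${p}finance01", "${p}HRDATA01" `
    -ActualState $sample -ListEditedUtc $edited | Format-Table -AutoSize

# Live run against the subscription, using the same .csv the script above produced:
# $csv = 'c:\temp\storageaccounts.csv'
# Compare-StorageAtpState -IntendedIds (Import-Csv $csv).Id -ActualState (Get-LiveAtpState) `
#     -ListEditedUtc (Get-Item $csv).LastWriteTimeUtc | Where-Object Finding -ne 'OK'
```

Running the live form on a schedule surfaces new, unprotected accounts until an Azure Policy takes over that job.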