Forum Discussion

GianlucaSB's avatar
GianlucaSB
Brass Contributor
Mar 12, 2025

DeleteBlobLogicApp on malware blob upload

Dear All,

I start by saying that I don't know whether this matter (and issue for me) was already raised here or somewhere else, I couldn't find anything relevant to me.

I have deployed the DeleteBlobLogicApp as explained here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-configure-malware-scan 

However, there seem to be issues with the workflow actions. 

Firstly, the trigger event action was good, but then it failed at the next action "GetBlobEntity": the error that it returned was:

 "The 'from' property value in the 'query' action inputs is of type 'Null'. The value must be an array.because of that the blob is not deleted from the container"

which I fixed, thanks mostly to Copilot as I am not programmer or developer, by changing the relevant code part like so:

{ "type": "Query", "inputs": { "from": "@if(empty(triggerBody()?['Entities']), json('[]'), triggerBody()?['Entities'])", "where": "@equals(item().type, 'blob')" }, "runAfter": {} }

But then I got stuck and had to give up at the next action "Delete Blob": Here the returned error was:

 InvalidTemplate. Unable to process template language expressions in action 'Delete_Blob' inputs at line '0' and column '0': 'The template language expression 'body('GetBlobEntity')[0].Url' cannot be evaluated because array index '0' cannot be selected from empty array.

The action's code part is the following:

{ "type": "Http",

"inputs": {

"uri": "@{body('GetBlobEntity')[0].Url}",

"method": "DELETE",

"headers": { "x-ms-version": "2019-07-07" },

"authentication": {

   "audience": "https://@{triggerBody()?

['CompromisedEntity']}.blob.core.windows.net/",

"type": "ManagedServiceIdentity"

  }

}, "runAfter": {

"GetBlobEntity": [

"Succeeded" ]

 }

}

Do you have any clue on how to code it correctly?

 

Thank you very much and I am sorry if it wasn't the right discussion board!

 

Gianluca

1 Reply

Sort By
  • Kidd_Ip's avatar
    Kidd_Ip
    MVP
    Mar 13, 2025

    Please consider the following:

     

    • Check the Output of GetBlobEntity:
      • The error indicates that the array returned by GetBlobEntity is empty. This could mean that the query isn't fetching any blobs. Double-check the logic in your Query action to ensure it's correctly identifying blobs.
    • Add a Condition to Handle Empty Arrays:
      • Before the Delete Blob action, add a condition to check if the output of GetBlobEntity contains any items. If the array is empty, you can skip the Delete Blob action to avoid errors.
    • Modify the Delete Blob Action:
      • Update the uri property in the Delete Blob action to handle cases where the array might be empty:
    "uri": "@{if(empty(body('GetBlobEntity')), null, body('GetBlobEntity')[0].Url)}"
      • This ensures that the uri is only set if the array is not empty.

Resources