%3CLINGO-SUB%20id%3D%22lingo-sub-1452005%22%20slang%3D%22en-US%22%3EHow%20to%20respond%20to%20potential%20Malware%20uploaded%20to%20Azure%20Storage%20Blob%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1452005%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20Security%20Center%20covers%20a%20wide%20capability%20on%20Cloud%20Workload%20Platform%20Protection%20(CWPP)%20when%20it%20comes%20protecting%20Platform%20as%20a%20Service.%20One%20of%20those%20capabilities%20is%20alerting%20to%20potential%20malware%20uploaded%20as%20a%20Blob%20to%20an%20Azure%20Storage%20Account.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20potential%20malware%20upload%20alerting%20works%20as%20follows.%20When%20Azure%20Security%20Center%20standard%20tier%20is%20protecting%20Azure%20Storage%2C%20blob%20files%20uploaded%20to%20Azure%20Storage%20produce%20telemetry%20streaming%20logs.%20In%20many%20cases%20the%20stream%20operation%20logs%20contain%20hashes%20related%20to%20the%20blob.%20These%20hashes%20are%20compared%20using%20Microsoft's%20Threat%20Intelligence%20to%20do%20hash%20reputation%20analysis%20looking%20for%20viruses%2C%20trojans%2C%20spyware%20and%20ransomware.%20When%20a%20match%20is%20found%20an%20alert%20is%20raised%20in%20Azure%20Security%20Center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%221.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197694i53D1078B7097647B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%221.png%22%20alt%3D%221.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20alerting%20can%20help%20detect%20intentional%20activity%20by%20an%20attacker%20looking%20to%20leverage%20storage%20for%20lateral%20movement%20or%20unintentional%20upload%20of%20a%20malware%20file%20from%20a%20cloud%20user%20or%20application.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlerting%20on%20the%20potential%20malware%20uploaded%20is%20very%20helpful%2C%20but%20you%20can%20take%20it%20one%20step%20further%20by%20leveraging%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fworkflow-automation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWorkflow%20Automation%3C%2FA%3E%20feature%20to%20trigger%20a%20series%20of%20actions%20upon%20receiving%20this%20alert%2C%20including%20sending%20an%20email%20and%20notify%20your%20security%20team%20when%20a%20potential%20malware%20is%20uploaded%20to%20your%20storage%20account.%20After%20your%20security%20investigation%20a%20decision%20can%20be%20made%20as%20the%20email%20that%20notified%20your%20team%20also%20contains%20a%20link%20to%20%3CSTRONG%3E%3CEM%3Eapprove%3C%2FEM%3E%3C%2FSTRONG%3E%20or%20%3CSTRONG%3E%3CEM%3Ereject%3C%2FEM%3E%3C%2FSTRONG%3E%20the%20deletion%20of%20the%20potential%20malware%20blob%20in%20the%20alert.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20deploy%20the%20Security%20Logic%20App%2C%20you%20can%20leverage%20our%20ASC%20Community%20GitHub%20Repository%2C%20specifically%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FWorkflow%2520automation%2FAsk-Remove-MalwareBlob%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20one%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBe%20sure%20to%20set%20the%20Logic%20App%E2%80%99s%20Managed%20Service%20Identity%20on%20a%20Management%20Group%20or%20Subscription%20with%20the%20%3CEM%3EStorage%20Blob%20Data%20Contributor%3C%2FEM%3E%20role%20assignment.%20In%20addition%20setup%20Workflow%20automation%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fworkflow-automation%23create-a-logic-app-and-define-when-it-should-automatically-run%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumented%20here%3C%2FA%3E%20to%20trigger%20on%20alerts%20that%20contain%20%E2%80%98%E2%80%99%20Potential%20malware%20uploaded%20to%20a%20storage%20account%E2%80%9D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20the%20Logic%20App%20and%20Workflow%20Automation%20are%20setup%20you%20can%20test%20the%20Logic%20App%20and%20Workflow%20Automation%20by%20using%20the%20following%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-security-center%2Fvalidating-atp-for-azure-storage-detections-in-azure-security%2Fba-p%2F1068131%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Edocumented%3C%2FA%3E%20testing%20trigger%20scenario.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Logic%20App%20upon%20detection%20starts%20by%20taking%20the%20unique%20properties%20of%20the%20alert%20and%20crafting%20the%20Blob%20Uri%20as%20a%20variable.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%222.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197695i28221B9239E1E25D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%222.png%22%20alt%3D%222.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20will%20then%20send%20a%20email%20notification%20of%20the%20alert%20to%20the%20designated%20security%20team.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%223.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197696i65CD5F893E01364B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%223.png%22%20alt%3D%223.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithin%20the%20email%20a%20security%20analyst%20can%20click%20on%20the%20ASC%20link%20to%20investigate%20the%20potential%20malware%20blob%20further.%20Once%20analysis%20is%20finished%20the%20security%20analyst%20can%20%3CSTRONG%3E%3CEM%3Eapprove%3C%2FEM%3E%3C%2FSTRONG%3E%20or%20%3CSTRONG%3E%3CEM%3Ereject%3C%2FEM%3E%3C%2FSTRONG%3E%20deletion%20of%20the%20blob%20on%20Azure%20Storage%20account%20even%20though%20they%20may%20not%20have%20access%20to%20it.%20This%20is%20because%20the%20Logic%20App%20will%20execute%20using%20it%E2%80%99s%20%3CEM%3EStorage%20Blob%20Data%20Contributor%3C%2FEM%3E%20role%20assignment%20and%20specific%20to%20that%20blob%20only.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%224.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197697i35626B0470B98B2A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%224.png%22%20alt%3D%224.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20Approved%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%225.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197698i948704089F2258A4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%225.png%22%20alt%3D%225.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Logic%20App%20makes%20a%20Storage%20Data%20layer%20API%20call%20to%20DELETE%20the%20blob%20uri%20you%20captured%20in%20the%20variable%20above%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%226.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197699iADFC92FCEC65B61C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%226.png%22%20alt%3D%226.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20works%20best%20to%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fstorage%2Fblobs%2Fsoft-delete-overview%23configuration-settings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEnable%20Storage%20Soft%20Delete%3C%2FA%3E%20on%20all%20Storage%20Accounts%20as%20well%20in%20the%20advent%20a%20blob%20was%20deleted%20but%20needs%20to%20be%20restored.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20post%20you%20learned%20how%20the%20potential%20malware%20blob%20detection%20works%20by%20analyzing%20the%20streaming%20telemetry%20logs%20and%20comparing%20file%20hashes%20when%20present%20to%20Microsoft%20Threat%20Intelligence.%20You%20also%20learned%20how%20to%20leverage%20Workflow%20Automation%20to%20notify%20your%20security%20team%20and%20automate%20based%20on%20a%20decision%20to%20delete%20the%20potential%20malware%20blob.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESpecial%20thanks%20to%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%40YuriDiogenes%3C%2FSTRONG%3E%3CEM%3E%26nbsp%3Bfor%20reviewing%20this%20post%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1452005%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20post%20you%20learned%20how%20the%20potential%20malware%20blob%20detection%20works%20by%20analyzing%20the%20streaming%20telemetry%20logs%20and%20comparing%20file%20hashes%20when%20present%20to%20Microsoft%20Threat%20Intelligence.%20You%20also%20learned%20how%20to%20leverage%20Workflow%20Automation%20to%20notify%20your%20security%20team%20and%20automate%20based%20on%20a%20decision%20to%20delete%20the%20potential%20malware%20blob.%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

Azure Security Center covers a wide capability on Cloud Workload Platform Protection (CWPP) when it comes protecting Platform as a Service. One of those capabilities is alerting to potential malware uploaded as a Blob to an Azure Storage Account.

 

The potential malware upload alerting works as follows. When Azure Security Center standard tier is protecting Azure Storage, blob files uploaded to Azure Storage produce telemetry streaming logs. In many cases the stream operation logs contain hashes related to the blob. These hashes are compared using Microsoft's Threat Intelligence to do hash reputation analysis looking for viruses, trojans, spyware and ransomware. When a match is found an alert is raised in Azure Security Center.

 

1.png

 

This alerting can help detect intentional activity by an attacker looking to leverage storage for lateral movement or unintentional upload of a malware file from a cloud user or application.

 

Alerting on the potential malware uploaded is very helpful, but you can take it one step further by leveraging Workflow Automation feature to trigger a series of actions upon receiving this alert, including sending an email and notify your security team when a potential malware is uploaded to your storage account. After your security investigation a decision can be made as the email that notified your team also contains a link to approve or reject the deletion of the potential malware blob in the alert.

 

To deploy the Security Logic App, you can leverage our ASC Community GitHub Repository, specifically this one

 

Be sure to set the Logic App’s Managed Service Identity on a Management Group or Subscription with the Storage Blob Data Contributor role assignment. In addition setup Workflow automation documented here to trigger on alerts that contain ‘’ Potential malware uploaded to a storage account”

 

Once the Logic App and Workflow Automation are setup you can test the Logic App and Workflow Automation by using the following documented testing trigger scenario.

 

The Logic App upon detection starts by taking the unique properties of the alert and crafting the Blob Uri as a variable.

 

2.png

 

It will then send a email notification of the alert to the designated security team.

 

3.png

 

Within the email a security analyst can click on the ASC link to investigate the potential malware blob further. Once analysis is finished the security analyst can approve or reject deletion of the blob on Azure Storage account even though they may not have access to it. This is because the Logic App will execute using it’s Storage Blob Data Contributor role assignment and specific to that blob only.

 

4.png

 

Once Approved

 

5.png

 

The Logic App makes a Storage Data layer API call to DELETE the blob uri you captured in the variable above

 

6.png

 

It works best to Enable Storage Soft Delete on all Storage Accounts as well in the advent a blob was deleted but needs to be restored.

 

In this post you learned how the potential malware blob detection works by analyzing the streaming telemetry logs and comparing file hashes when present to Microsoft Threat Intelligence. You also learned how to leverage Workflow Automation to notify your security team and automate based on a decision to delete the potential malware blob.

 

Special thanks to:

@YuriDiogenes for reviewing this post