How to respond to potential Malware uploaded to Azure Storage Blob

Published 06-10-2020 06:23 AM 7,441 Views

Azure Security Center offers a wide range of Cloud Workload Platform Protection (CWPP) capabilities when it comes to protecting Platform as a Service. One of those capabilities is alerting on potential malware uploaded as a Blob to an Azure Storage Account.


The potential malware upload alerting works as follows. When the Azure Security Center standard tier is protecting Azure Storage, blob files uploaded to Azure Storage produce telemetry streaming logs. In many cases these stream operation logs contain hashes of the blob. These hashes are compared against Microsoft's Threat Intelligence in a hash reputation analysis that looks for viruses, trojans, spyware and ransomware. When a match is found, an alert is raised in Azure Security Center.




This alerting can help detect intentional activity by an attacker looking to leverage storage for lateral movement, or the unintentional upload of a malware file by a cloud user or application.


Alerting on the potential malware upload is very helpful, but you can take it one step further by leveraging the Workflow Automation feature to trigger a series of actions upon receiving this alert, including sending an email to notify your security team when potential malware is uploaded to your storage account. The email that notifies your team also contains a link to approve or reject deletion of the potential malware blob referenced in the alert, so a decision can be made after your security investigation.


To deploy the Security Logic App, you can leverage our ASC Community GitHub Repository, specifically this one


Be sure to grant the Logic App's Managed Service Identity the Storage Blob Data Contributor and Security Admin role assignments on a Management Group or Subscription. In addition, set up Workflow Automation as documented here to trigger on alerts that contain "Potential malware uploaded to a storage account".


Once the Logic App and Workflow Automation are set up, you can test them by using the following documented testing trigger scenario.


The Logic App, upon detection, starts by taking the unique properties of the alert and crafting the Blob URI as a variable.




It will then send an email notification of the alert to the designated security team.




Within the email a security analyst can click on the ASC link to investigate the potential malware blob further. Once analysis is finished, the security analyst can approve or reject deletion of the blob on the Azure Storage account even though they may not have access to it themselves. This is because the Logic App executes using its own Storage Blob Data Contributor role assignment, and acts on that specific blob only.




Once Approved




The Logic App makes a Storage data-plane API call to DELETE the blob URI captured in the variable above.




It works best to also enable Storage Soft Delete on all Storage Accounts, in the event a blob is deleted but needs to be restored.


The Logic App will then send a confirmation email confirming successful deletion of the Blob.




As a final step, the Logic App will dismiss the Azure Security Center alert using its Security Admin role assignment, since remediation has taken place.




The URI path is also derived by using Logic App expressions to split the AzureResourceID of the affected storage account. The Logic App can then properly pass the Subscription ID and Resource Group name when dismissing this security alert in Azure Security Center.


Here is an example of the expression that takes the AzureResourceID, splits the string on the '/' characters and, counting from the beginning, selects position 2 of the resulting array.




/subscriptions/{Subscription GUI}/resourceGroups/rgtestblob/providers/Microsoft.Storage/storageAccounts/testblobstoragelogging
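The same positional split, worked through in Python as an added example (this is not the article's or the Logic App's own code): it parses a constructed resource ID in the shape shown above into Subscription ID, Resource Group and storage account name, and builds the blob URI that the Logic App captures as a variable. The container and blob names passed to `blob_uri`, the public-cloud `blob.core.windows.net` endpoint suffix, and the placeholder GUID are assumptions; the exact trigger-body path that holds the resource ID is not shown in the article and is left out here.

```python
"""Added example (not the article's or the Logic App's own code): parse an
Azure Resource Manager (ARM) resource ID the way the Logic App's split()
expression does, and build the blob URI the Logic App captures as a variable."""
import re
from dataclasses import dataclass

# Constructed sample in the same shape as the article's example; the GUID is a placeholder.
SAMPLE_RESOURCE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rgtestblob/providers/Microsoft.Storage"
    "/storageAccounts/testblobstoragelogging"
)

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


@dataclass(frozen=True)
class StorageResource:
    subscription_id: str
    resource_group: str
    account_name: str


def parse_storage_resource_id(resource_id: str) -> StorageResource:
    """Split on '/' and pick fixed positions, as the Logic App expression does.

    Splitting an ID that starts with '/' yields an empty first element, so the
    subscription GUID sits at index 2, the resource group at index 4 and the
    storage account name at index 8. This mirrors the Logic Apps expression
    split(<AzureResourceId>, '/')[2] used for the Subscription ID.
    """
    parts = resource_id.split("/")
    # Fixed segments of a storage account resource ID; compared case-insensitively
    # because ARM treats these path segments as case-insensitive.
    expected = {1: "subscriptions", 3: "resourcegroups", 5: "providers",
                6: "microsoft.storage", 7: "storageaccounts"}
    if len(parts) != 9 or any(parts[i].lower() != v for i, v in expected.items()):
        raise ValueError(f"not a storage account resource ID: {resource_id!r}")
    if not GUID_RE.match(parts[2]):
        raise ValueError(f"subscription segment is not a GUID: {parts[2]!r}")
    return StorageResource(parts[2], parts[4], parts[8])


def is_storage_resource_id(resource_id: str) -> bool:
    """Convenience check that never raises, for use as a guard condition."""
    try:
        parse_storage_resource_id(resource_id)
        return True
    except ValueError:
        return False


def blob_uri(resource: StorageResource, container: str, blob_name: str) -> str:
    """Build the blob URI the Logic App later targets with its DELETE call.
    Assumes the public-cloud blob endpoint suffix."""
    return f"https://{resource.account_name}.blob.core.windows.net/{container}/{blob_name}"


if __name__ == "__main__":
    res = parse_storage_resource_id(SAMPLE_RESOURCE_ID)
    print(res)
    print(blob_uri(res, "uploads", "suspicious.bin"))
```

Validating the segment names and the GUID before using the positions is the part worth copying into the Logic App: a resource ID of an unexpected shape (for example, one that no longer appears in the trigger body) then fails loudly at the parsing step rather than producing a malformed URI for the DELETE or alert-dismiss calls.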


Finally, you will need to take some post-installation steps with the Logic App and Azure Security Center Workflow Automation to ensure this will execute properly after deployment.


You will first need to go to the Logic App and open the blade called API connections, seen below, to Authorize and Save your Office 365 API Connection. This ensures the Logic App can send email on behalf of the mailbox.





As another step, you need to give the Logic App, which deploys with a Managed Service Identity, access to your subscription or Management Group through role assignments. This allows the Logic App to execute its steps with proper authorization against the storage account and Azure Security Center.


Please assign the Storage Blob Data Contributor and Security Admin roles.





The final step is to go to the Workflow Automation blade in Azure Security Center and wire it up so that when a specific alert comes in it will trigger this deployed Logic App.




Please pay attention to the field "Alert name contains".


You need to ensure this will trigger on the specific alert called:


Potential malware uploaded to a storage blob container




Once saved, you now have the alert firing the Logic App.


In this post you learned how the potential malware blob detection works: by analyzing the streaming telemetry logs and comparing file hashes, when present, against Microsoft Threat Intelligence. You also learned how to leverage Workflow Automation to notify your security team and to automate the deletion of the potential malware blob based on their decision.


Special thanks to:

@YuriDiogenes for reviewing this post



@Nathan Swift great article - really easy to follow and I was able to leverage the GIT to set up a POC in about 15 minutes start to finish.

Is there any reference material on how deep the ATP threat detection is? We use some files for pen testing that, when we run through an AV, are detected as a virus; however, when added to blob they do not result in any messages in Security Center.


Happy to share the files (or a video of the process if you prefer) - would be keen to get your thoughts. At the moment we are needing to use a VM to manage real time scanning of our customer blob sites and we are keen to get away from that.


@Nathan Swift a quick follow up. The file uploaded as a test has the following hash  73fbe01a04db66912b3248f65a424c5684b5e0c63d8d79ae99f311e97bd84975 you can search the hash at and see the results. This is the file that was uploaded to blob and ATP did not detect an issue.


@dzimmerman Thank you for the information. I went ahead and forwarded the information to the product team. I recommend putting in a support request as well to have engineering look into the storage streaming logs. The Blob detection does not scan uploaded files like traditional AV but uses a hash reputation analysis, some detail can be found here against the back end storage logging.


Thanks @Nathan Swift appreciate the response. 

I'll raise a support request as suggested and understand that the blob detection does not scan like traditional AV. 

Do you think it is a fair statement that the ATP is not a replacement for AV in its current state or have I simply uploaded an anomaly?


@Nathan Swift i think two fixes are needed in the documentation:


1) The Logic App's last step's subscription/resource group extraction expression needs to be changed to the following, as the original attribute is no longer found in the trigger body

2) A second IAM role for the RG level Security Admin is not well documented (only Blob Contributor is documented)

Hi all


This works incredibly well. The only issue we have run into is that we use CDN-backed storage accounts and, whilst the item is deleted successfully from the storage account, it remains in the CDN for the default of 10 days we believe, preventing users from downloading the file. Is there a way to also delete from the Akamai CDN within Azure as well?


Kind regards




For the workflow automation, should it be "Potential malware uploaded to a storage blob container" instead of "Potential malware uploaded to a storage account"?
That's what I see in Security Center:





Thank you for bringing this to my attention @David_Klempfner, that is correct. I submitted a correction to the article to reflect the screenshot.


I can see you updated the screenshot, but the article still has the text "Potential malware uploaded to a storage account".


Also, do you think they just haven't updated this document yet?
They still have "Potential malware uploaded to a storage account" listed there.
Here's a StackOverflow question if you know the answer:

Version history
Last update:
Aug 14 2020 08:59 AM