How to respond to potential Malware uploaded to Azure Storage Blob
Microsoft

Azure Security Center covers a wide capability on Cloud Workload Platform Protection (CWPP) when it comes to protecting Platform as a Service. One of those capabilities is alerting on potential malware uploaded as a blob to an Azure Storage account.

The potential malware upload alerting works as follows. When the Azure Security Center standard tier is protecting Azure Storage, blob files uploaded to Azure Storage produce telemetry streaming logs. In many cases the stream operation logs contain hashes related to the blob. These hashes are compared against Microsoft's Threat Intelligence for hash reputation analysis, looking for viruses, trojans, spyware and ransomware. When a match is found, an alert is raised in Azure Security Center.

[Screenshot: 1.png]

This alerting can help detect intentional activity by an attacker looking to leverage storage for lateral movement, or the unintentional upload of a malware file by a cloud user or application.
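To make the hash-reputation flow concrete, here is an added Python example (not code from the post or from Azure Security Center) that runs the same kind of check over a few constructed storage log records. The record layout, the field names and the KNOWN_BAD_SHA256 dictionary are assumptions standing in for the real storage streaming logs and the Microsoft Threat Intelligence feed; the bad hashes are computed from made-up byte strings, so no real sample hash appears. Uploads whose log record carries no hash are counted separately, which is the case the post's "in many cases" wording leaves open.

```python
"""Hash-reputation check over storage operation logs (added example).

Assumptions (not from the original post): the record layout below is
constructed for illustration, and KNOWN_BAD_SHA256 stands in for the
Microsoft Threat Intelligence feed, which is not reachable offline.
"""
import hashlib
import json
from dataclasses import dataclass


def _sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed "bad hash" feed: digests of two made-up byte strings, computed
# here so that no real malware hash appears in the example.
KNOWN_BAD_SHA256 = {
    _sha256_hex(b"constructed-sample-ransomware-dropper"): "Ransomware",
    _sha256_hex(b"constructed-sample-trojan-loader"): "Trojan",
}

# Constructed storage operation log records (one JSON object per line).
# Only some uploads carry a content hash, mirroring the post's wording that
# the stream logs contain hashes "in many cases", not always.
_ACCOUNT = "https://testblobstoragelogging.blob.core.windows.net"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"operation": "PutBlob", "uri": f"{_ACCOUNT}/uploads/invoice.pdf",
     "sha256": _sha256_hex(b"constructed-benign-document")},
    {"operation": "PutBlob", "uri": f"{_ACCOUNT}/uploads/setup.exe",
     "sha256": _sha256_hex(b"constructed-sample-trojan-loader")},
    {"operation": "PutBlob", "uri": f"{_ACCOUNT}/uploads/unknown.bin"},
    {"operation": "GetBlob", "uri": f"{_ACCOUNT}/uploads/setup.exe",
     "sha256": _sha256_hex(b"constructed-sample-trojan-loader")},
])


@dataclass(frozen=True)
class Alert:
    blob_uri: str
    sha256: str
    verdict: str


@dataclass
class ScanResult:
    alerts: list
    evaluated: int      # uploads that carried a hash and were checked
    not_evaluated: int  # uploads with no hash: reputation lookup impossible


def scan_storage_log(log_text: str, bad_hashes: dict = KNOWN_BAD_SHA256) -> ScanResult:
    """Replay upload records and raise an alert for every known-bad hash."""
    result = ScanResult(alerts=[], evaluated=0, not_evaluated=0)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        # Only upload operations are in scope for this detection; reads are ignored.
        if record.get("operation") != "PutBlob":
            continue
        digest = record.get("sha256")
        if not digest:
            # No hash in the stream record: nothing to compare, so note it.
            result.not_evaluated += 1
            continue
        result.evaluated += 1
        verdict = bad_hashes.get(digest.lower())
        if verdict:
            result.alerts.append(Alert(record["uri"], digest.lower(), verdict))
    return result


if __name__ == "__main__":
    outcome = scan_storage_log(SAMPLE_LOG)
    for alert in outcome.alerts:
        print(f"ALERT Potential malware uploaded: {alert.blob_uri} ({alert.verdict})")
    print(f"evaluated={outcome.evaluated} not_evaluated={outcome.not_evaluated}")
```

The split between evaluated and not-evaluated uploads is the number to watch: a file that never produced a hash in the stream cannot be matched at all, so a run with zero alerts is not the same as a clean run.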
Alerting on the potential malware upload is very helpful, but you can take it one step further by leveraging the Workflow Automation feature (https://docs.microsoft.com/en-us/azure/security-center/workflow-automation) to trigger a series of actions upon receiving this alert, including sending an email to notify your security team when potential malware is uploaded to your storage account. After your security investigation a decision can be made, because the email that notified your team also contains links to approve or reject the deletion of the potential malware blob named in the alert.

To deploy the security Logic App, you can leverage our ASC Community GitHub repository, specifically this one: https://github.com/Azure/Azure-Security-Center/tree/master/Workflow%20automation/Ask-Remove-MalwareBlob

Be sure to give the Logic App's Managed Service Identity the Storage Blob Data Contributor and Security Admin role assignments on a Management Group or Subscription. In addition, set up Workflow Automation as documented here (https://docs.microsoft.com/en-us/azure/security-center/workflow-automation#create-a-logic-app-and-define-when-it-should-automatically-run) to trigger on alerts that contain "Potential malware uploaded to a storage account".

Once the Logic App and Workflow Automation are set up, you can test them using the following documented testing trigger scenario: https://techcommunity.microsoft.com/t5/azure-security-center/validating-atp-for-azure-storage-detections-in-azure-security/ba-p/1068131

Upon detection, the Logic App starts by taking the unique properties of the alert and crafting the blob URI as a variable.

[Screenshot: 2.png]

It will then send an email notification of the alert to the designated security team.

[Screenshot: 3.png]

Within the email, a security analyst can click the ASC link to investigate the potential malware blob further. Once analysis is finished, the security analyst can approve or reject deletion of the blob on the Azure Storage account even though they may not have access to it themselves. This is because the Logic App executes using its own Storage Blob Data Contributor role assignment, and the deletion is specific to that blob only.

[Screenshot: 4.png]

Once approved:

[Screenshot: 5.png]

The Logic App makes a Storage data-plane API call to DELETE the blob URI captured in the variable above.

[Screenshot: 6.png]

It works best to enable Storage Soft Delete (https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-overview#configuration-settings) on all storage accounts as well, in the event a blob was deleted but needs to be restored.

The Logic App will then send a confirmation email confirming successful deletion of the blob.

[Screenshot: 2020-08-14_9-53-14.png]

As a final step, the Logic App dismisses the Azure Security Center alert using its Security Admin role assignment, since remediation has taken place.

[Screenshot: 2020-08-14_10-09-49.png]

The URI path is also built with Logic App expressions that split the AzureResourceID of the affected storage account. The Logic App can then properly pass the Subscription ID and Resource Group name when dismissing this security alert in Azure Security Center.

Here is an example of the expression that takes the AzureResourceID, splits the string on '/' and, counting from the beginning, picks the element at the 2nd position of that split, which is the Subscription ID:

first(skip(split(triggerBody()?['AzureResourceId'],'/'),2))

It is applied to a resource ID of this form:

/subscriptions/{Subscription GUID}/resourceGroups/rgtestblob/providers/Microsoft.Storage/storageAccounts/testblobstoragelogging
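As an added example (not code from the post or from the Logic App in the repository), the following Python reproduces the split/skip/first semantics of the expression above and uses them to pull the Subscription ID, Resource Group and storage account name out of a resource ID of that form. It also assembles the blob URI the playbook stores in a variable and the subscription/resource-group path used when dismissing the alert. The helper names, the Container and BlobName property names in the constructed alert, the all-zero GUID, and the exact shape of the dismiss path are assumptions made for this example.

```python
"""Mirror of the Logic App expressions used by the playbook (added example).

Assumptions (not from the original post): the helper names are this
example's own; the blob URI layout and the alert-dismiss resource path are
assembled from the post's description, not copied from the Logic App.
"""


def split(value: str, sep: str) -> list:
    """Logic App split(): like str.split, keeps the empty leading element."""
    return value.split(sep)


def skip(items: list, count: int) -> list:
    """Logic App skip(): drop the first `count` items of a collection."""
    return items[count:]


def first(items: list):
    """Logic App first(): the first item of a collection."""
    return items[0]


def subscription_from_resource_id(resource_id: str) -> str:
    """The expression from the post, evaluated on an explicit resource id:
    first(skip(split(triggerBody()?['AzureResourceId'],'/'),2))"""
    return first(skip(split(resource_id, "/"), 2))


def parse_storage_resource_id(resource_id: str) -> dict:
    """Pull subscription, resource group and account name out of the id."""
    parts = split(resource_id, "/")
    # Index 0 is the empty string before the leading '/', so the layout is:
    # ['', 'subscriptions', <sub>, 'resourceGroups', <rg>, 'providers',
    #  'Microsoft.Storage', 'storageAccounts', <account>]
    if len(parts) < 9 or parts[1] != "subscriptions" or parts[3] != "resourceGroups":
        raise ValueError(f"not a storage account resource id: {resource_id}")
    return {
        "subscription_id": parts[2],
        "resource_group": first(skip(parts, 4)),
        "storage_account": parts[8],
    }


def craft_blob_uri(storage_account: str, container: str, blob_name: str) -> str:
    """Blob URI the playbook keeps in a variable before the DELETE call."""
    return f"https://{storage_account}.blob.core.windows.net/{container}/{blob_name}"


def alert_dismiss_path(resource_id: str, asc_location: str, alert_name: str) -> str:
    """Subscription/resource-group scoped path for dismissing the ASC alert.
    Assumption: the Microsoft.Security 'alerts/{name}/dismiss' shape; confirm
    the path and api-version against the Security Center REST docs."""
    ids = parse_storage_resource_id(resource_id)
    return (f"/subscriptions/{ids['subscription_id']}/resourceGroups/{ids['resource_group']}"
            f"/providers/Microsoft.Security/locations/{asc_location}/alerts/{alert_name}/dismiss")


# Constructed alert fragment: the resource id has the shape shown in the post,
# with an all-zero GUID in place of a real subscription. Container and
# BlobName are assumed property names, not the alert's real ones.
SAMPLE_ALERT = {
    "AzureResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                       "/resourceGroups/rgtestblob/providers/Microsoft.Storage"
                       "/storageAccounts/testblobstoragelogging",
    "Container": "uploads",
    "BlobName": "setup.exe",
}


if __name__ == "__main__":
    ids = parse_storage_resource_id(SAMPLE_ALERT["AzureResourceId"])
    print("subscription:", subscription_from_resource_id(SAMPLE_ALERT["AzureResourceId"]))
    print("blob uri:", craft_blob_uri(ids["storage_account"],
                                      SAMPLE_ALERT["Container"], SAMPLE_ALERT["BlobName"]))
    print("dismiss path:", alert_dismiss_path(SAMPLE_ALERT["AzureResourceId"],
                                              "centralus", "<alert-name-placeholder>"))
```

The validation in parse_storage_resource_id is the part worth keeping: the Logic App expression silently returns whatever sits at position 2, so a resource id of an unexpected shape would make the playbook dismiss the alert (or attempt a DELETE) against the wrong scope.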
Finally, you will need to take some post-installation steps with the Logic App and Azure Security Center Workflow Automation to ensure this executes properly after deployment.

You will first need to go to the Logic App and open the blade called API connections, seen below, to authorize and save your Office 365 API connection. This ensures the Logic App can send email on behalf of the mailbox.

[Screenshot: apiauth.png]
[Screenshot: apiauth2.png]

As another step, you need to give the Logic App, which deploys with a Managed Service Identity, access to your subscription or Management Group via role assignments. This allows the Logic App to execute its steps with proper authorization against the storage account and Azure Security Center.

Please assign the Storage Blob Data Contributor and Security Admin roles.

[Screenshot: roleassign.png]
[Screenshot: roleassign2.png]

The final step is to go to the Azure Security Center Workflow Automation blade and wire it up so that when a specific alert comes in it triggers this deployed Logic App.

[Screenshot: ascwfa.png]

Please pay attention to the field Alert name contains.

You need to ensure this will trigger on a specific alert called:

Potential malware uploaded to a storage blob container

[Screenshot: ascwfa2.png]

Once saved, you now have the alert firing the Logic App.

In this post you learned how the potential malware blob detection works by analyzing the streaming telemetry logs and comparing file hashes, when present, against Microsoft Threat Intelligence. You also learned how to leverage Workflow Automation to notify your security team and automate, based on a decision, the deletion of the potential malware blob.

Special thanks to:

@YuriDiogenes for reviewing this post

4 Comments
Visitor

@Nathan Swift great article - really easy to follow and I was able to leverage the GIT to set up a POC in about 15 minutes start to finish.

Is there any reference material on how deep the ATP threat detection is? We use some files for pen testing that when we run through an AV are detected as a virus, however, when added to blob they do not result in any messages in Security Center.

Happy to share the files (or a video of the process if you prefer) - would be keen to get your thoughts. At the moment we are needing to use a VM to manage real time scanning of our customer blob sites and we are keen to get away from that.

Visitor

@Nathan Swift a quick follow up. The file uploaded as a test has the following hash: 73fbe01a04db66912b3248f65a424c5684b5e0c63d8d79ae99f311e97bd84975. You can search the hash at virustotal.com and see the results. This is the file that was uploaded to blob and ATP did not detect an issue.

Microsoft

@dzimmerman Thank you for the information. I went ahead and forwarded the information to the product team. I recommend putting in a support request as well to have engineering look into the storage streaming logs. The Blob detection does not scan uploaded files like traditional AV but uses a hash reputation analysis (some detail can be found here: https://docs.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction#what-is-hash-reputation-analysis-for-malware) against the back end storage logging.

Visitor

Thanks @Nathan Swift, appreciate the response.

I'll raise a support request as suggested and understand that the blob detection does not scan like traditional AV. 

Do you think it is a fair statement that the ATP is not a replacement for AV in its current state or have I simply uploaded an anomaly?