How to respond to potential Malware uploaded to Azure Storage Blob
Published Jun 10 2020 06:23 AM
Microsoft

Microsoft Defender for Cloud provides broad Cloud Workload Platform Protection (CWPP) coverage when it comes to protecting Platform as a Service offerings. One of those capabilities is alerting on potential malware uploaded as a blob to an Azure Storage account.

 

The potential malware upload alerting works as follows. When Microsoft Defender for Cloud is protecting Azure Storage, blob uploads to Azure Storage produce streaming telemetry logs. In many cases these stream operation logs contain hashes of the blob. The hashes are checked against Microsoft Threat Intelligence for hash reputation analysis, looking for known viruses, trojans, spyware and ransomware. When a match is found, an alert is raised in Microsoft Defender for Cloud.

 


This alerting can help detect intentional activity by an attacker looking to leverage storage for lateral movement, as well as the unintentional upload of a malware file by a cloud user or application.

 

Alerting on the potential malware upload is very helpful, but you can take it one step further by leveraging the Workflow Automation feature to trigger a series of actions upon receiving this alert, including sending an email to notify your security team when potential malware is uploaded to your storage account. After your security investigation a decision can be made, as the email that notified your team also contains links to approve or reject deletion of the potential malware blob named in the alert.

 

To deploy the security Logic App, you can leverage our Microsoft Defender for Cloud Community GitHub repository, specifically this one.

 

Be sure to assign the Logic App's Managed Service Identity the Storage Blob Data Contributor and Security Admin roles on a Management Group or Subscription. In addition, set up Workflow Automation as documented here to trigger on alerts whose name contains "Potential malware uploaded to a storage account".

 

Once the Logic App and Workflow Automation are set up, you can test them by using the following documented testing trigger scenario.

 

Upon detection, the Logic App starts by taking the unique properties of the alert and crafting the blob URI as a variable.

 


It will then send an email notification of the alert to the designated security team.

 


Within the email a security analyst can click the Microsoft Defender for Cloud link to investigate the potential malware blob further. Once analysis is finished, the security analyst can approve or reject deletion of the blob in the Azure Storage account even though they may not have access to it themselves. This is because the Logic App executes using its own Storage Blob Data Contributor role assignment, and the action is scoped to that blob only.

 


Once approved:

 


The Logic App makes a Storage data-plane API call to DELETE the blob URI captured in the variable above.

 


It also works best to enable Storage Soft Delete on all Storage Accounts, in the event a blob was deleted but needs to be restored.

 

The Logic App will then send an email confirming successful deletion of the blob.

 


As a final step, the Logic App dismisses the Azure Security alert using its Security Admin role assignment, since remediation has taken place.

 


The URI path for that call is also built with Logic App expressions that split the AzureResourceId of the affected storage account. The Logic App can then pass the correct Subscription ID and Resource Group name when dismissing this security alert in Microsoft Defender for Cloud.

 

Here is an example of the expression that takes the AzureResourceId, splits the string on '/' and, counting from the beginning, skips the first two segments and takes the next one (position 2 of the split), which is the subscription ID.

 

first(skip(split(triggerBody()?['AzureResourceId'],'/'),2))

 

/subscriptions/{Subscription GUID}/resourceGroups/rgtestblob/providers/Microsoft.Storage/storageAccounts/testblobstoragelogging
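The same extraction in Python, as an added example that is not part of the post or of the community Logic App. The GUID, container and blob name are constructed placeholders, and because the page does not show which alert properties carry the container and blob name, blob_uri takes them as plain arguments.

```python
import re
from urllib.parse import quote

# Constructed sample in the shape shown above; the GUID is a placeholder.
SAMPLE_RESOURCE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rgtestblob/providers/Microsoft.Storage"
    "/storageAccounts/testblobstoragelogging"
)


def first_skip_split(value, n, sep="/"):
    """Python equivalent of the Logic App expression first(skip(split(value, sep), n)).

    Fails loudly when the ID has too few segments instead of silently
    returning null, which would make the later dismiss-alert call fail.
    """
    parts = value.split(sep)
    if len(parts) <= n:
        raise ValueError(f"expected more than {n} segments in {value!r}")
    return parts[n]


def parse_storage_resource_id(resource_id):
    """Split a storage account ARM resource ID into its named components.

    Keyword matching is case-insensitive because ARM IDs are not consistently
    cased across APIs ('resourceGroups' vs 'resourcegroups').
    """
    pattern = re.compile(
        r"^/subscriptions/(?P<subscription>[0-9a-f-]{36})"
        r"/resourceGroups/(?P<resource_group>[^/]+)"
        r"/providers/Microsoft\.Storage/storageAccounts/(?P<account>[^/]+)$",
        re.IGNORECASE,
    )
    m = pattern.match(resource_id)
    if not m:
        raise ValueError(f"not a storage account resource ID: {resource_id!r}")
    return m.groupdict()


def blob_uri(account, container, blob_name):
    """Build the data-plane URI the Logic App targets with its DELETE call.

    Path segments are URL-encoded (slashes kept for virtual directories) so
    blob names with spaces or '#' do not point the delete at the wrong object.
    """
    return f"https://{account}.blob.core.windows.net/{container}/{quote(blob_name, safe='/')}"
```

Position 2 of the split is the subscription ID and position 4 is the resource group name, which are the two values the alert dismissal step needs.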

 

Finally, you will need to take some post-installation steps with the Logic App and Microsoft Defender for Cloud Workflow Automation to ensure it executes properly after deployment.

 

First, go to the Logic App and open the API connections blade, shown below, to authorize and save your Office 365 API connection. This ensures the Logic App can send email on behalf of the mailbox.

 


Next, grant the Logic App, which deploys with a Managed Service Identity, access to your subscription or Management Group through role assignments. This allows the Logic App to execute its steps with proper authorization against the storage account and Microsoft Defender for Cloud.

 

Assign the Storage Blob Data Contributor and Security Admin roles.

 


The final step is to go to the Workflow Automation blade in Microsoft Defender for Cloud and wire it up so that when the specific alert comes in, it triggers the deployed Logic App.

 


Pay attention to the field 'Alert name contains'.

 

You need to ensure this triggers on the specific alert called:

 

Potential malware uploaded to a storage blob container

 


Once saved, you now have the alert firing the Logic App.

 

In this post you learned how the potential malware blob detection works: by analyzing the streaming telemetry logs and comparing file hashes, when present, against Microsoft Threat Intelligence. You also learned how to leverage Workflow Automation to notify your security team and to automate deletion of the potential malware blob based on their decision.

 

Special thanks to:

@YuriDiogenes for reviewing this post

 

12 Comments
Copper Contributor

@Nathan Swift great article - really easy to follow, and I was able to leverage the GIT to set up a POC in about 15 minutes start to finish.

Is there any reference material on how deep the ATP threat detection is? We use some files for pen testing that, when we run them through an AV, are detected as a virus; however, when added to blob they do not result in any messages in Security Center.

 

Happy to share the files (or a video of the process if you prefer) - would be keen to get your thoughts. At the moment we are needing to use a VM to manage real time scanning of our customer blob sites and we are keen to get away from that.

Copper Contributor

@Nathan Swift a quick follow up. The file uploaded as a test has the following hash: 73fbe01a04db66912b3248f65a424c5684b5e0c63d8d79ae99f311e97bd84975. You can search the hash at virustotal.com and see the results. This is the file that was uploaded to blob, and ATP did not detect an issue.

Microsoft

@dzimmerman Thank you for the information. I went ahead and forwarded the information to the product team. I recommend putting in a support request as well to have engineering look into the storage streaming logs. The blob detection does not scan uploaded files like traditional AV but uses a hash reputation analysis against the back-end storage logging; some detail can be found here.

Copper Contributor

Thanks @Nathan Swift appreciate the response. 

I'll raise a support request as suggested and understand that the blob detection does not scan like traditional AV. 

Do you think it is a fair statement that the ATP is not a replacement for AV in its current state or have I simply uploaded an anomaly?

Copper Contributor

@Nathan Swift I think two fixes are needed in the documentation:

 

1) The Logic App's last step's subscription/resource group extraction expression needs to be changed to the following, as the original attribute is no longer found in the trigger body:

first(skip(split(triggerBody()?['entities']['0']['resourceId'],'/'),4))
 
2) A second IAM role for the RG-level Security Admin is not well documented (only Blob Contributor is documented).
Copper Contributor

Hi all

 

This works incredibly well. The only issue we have run into is that we use CDN-backed storage accounts, and whilst the item is deleted successfully from the storage account, it remains in the CDN for the default of 10 days, we believe, preventing users from downloading the file. Is there a way to also delete from the Akamai CDN within Azure as well?

 

Kind regards

 

James

Copper Contributor

For the workflow automation, should it be "Potential malware uploaded to a storage blob container" instead of "Potential malware uploaded to a storage account"?
That's what I see in Security Center:


Microsoft

Thank you for bringing this to my attention @David_Klempfner; that is correct. I submitted a correction to the article to reflect the screenshot.

Copper Contributor

I can see you updated the screenshot, but the article still has the text Potential malware uploaded to a storage account.

 

Also, do you think they just haven't updated this document yet?
https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
They still have "Potential malware uploaded to a storage account" listed there.
Here's a StackOverflow question if you know the answer:
https://stackoverflow.com/questions/67814369/potential-malware-uploaded-to-a-storage-account-vs-pote...

Copper Contributor

Hi,

 

Thank you for this great article, I have a question related to the hash reputation check.


Does it happen upon the blob upload?

 

And if the tool detects potential malware, is the blob available to download in the container, or is it paused until validation by the security team?

 

Thanks in advance for your answer

Microsoft

@hak18500 - please check out the detection details of hash reputation analysis here: Azure Defender for Storage - the benefits and features | Microsoft Docs 

 

If you are looking for a more gated method of the blob and closer to real time scanning upon upload please see the Azure Storage AV Automation project: Azure/azure-storage-av-automation (github.com)

Copper Contributor

@Nathan Swift Thanks for sharing insights. Is this project (Azure Storage AV Automation project: Azure/azure-storage-av-automation (github.com)) a production-grade solution, or is it more like a POC to demonstrate a possibility?

Last update: Nov 02 2021 04:48 PM