How to determine which blobs Azure Defender will work for?


I was reading https://techcommunity.microsoft.com/t5/azure-security-center/how-to-respond-to-potential-malware-uploaded-to-azure-storage/ba-p/1452005 and was confused by:

In many cases the stream operation logs contain hashes related to the blob. These hashes are compared using Microsoft's Threat Intelligence to do hash reputation analysis looking for viruses

It says "in many cases", which cases? Our company is considering using Azure Defender to alert us about malicious files being uploaded. We need it to work for all cases.

What determines if a log contains the blob's hash?

Answer by JayakrishnaGunnam-MT

Security alerts are triggered when there's:

1. Suspicious access patterns - such as successful access from a Tor exit node or from an IP considered suspicious by Microsoft Threat Intelligence
2. Suspicious activities - such as anomalous data extraction or unusual change of access permissions
3. Upload of malicious content - such as potential malware files (based on hash reputation analysis) or hosting of phishing content

Alerts include details of the incident that triggered them, as well as recommendations on how to investigate and remediate threats. Alerts can be exported to Azure Sentinel or any other third-party SIEM or any other external tool.

To determine whether an uploaded file is suspicious, Azure Defender for Storage uses hash reputation analysis supported by Microsoft Threat Intelligence. The threat protection tools don't scan the uploaded files; rather, they examine the storage logs and compare the hashes of newly uploaded files with those of known viruses, trojans, spyware, and ransomware.

When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. To set up this automatic removal of files that hash reputation analysis indicates contain malware, deploy a workflow automation to trigger on alerts that contain "Potential malware uploaded to a storage account". I would request you to please check this for reference: https://learn.microsoft.com/en-us/azure/security-center/defender-for-storage-introduction
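Since the analysis described above only sees what the storage logs contain, one practical check is to inspect your own logs for upload operations that were recorded without any MD5 value. The script below is an added example, not code from the question, the answer or Microsoft; it assumes the classic semicolon-separated Storage Analytics v1.0 record layout (operation-type in field 3, requested object key in field 13, request-md5 and server-md5 in fields 23 and 24) and uses constructed sample records.

```python
"""Report which logged blob uploads carry an MD5 hash in Azure Storage Analytics logs.

Assumption (not stated on the page): a log-based hash reputation check can only
consider uploads whose log record actually contains a hash, so uploads logged
with empty request-md5 and server-md5 fields are the cases to watch.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List

# Operations that create or replace blob content (others, e.g. GetBlob, are ignored).
UPLOAD_OPS = {"PutBlob", "PutBlockList", "PutBlock", "AppendBlock", "CopyBlob"}


@dataclass
class UploadRecord:
    operation: str
    object_key: str
    request_md5: str   # Content-MD5 / x-ms-content-md5 sent by the client, if any
    server_md5: str    # MD5 computed by the storage service, if any

    @property
    def has_hash(self) -> bool:
        return bool(self.request_md5 or self.server_md5)


def parse_log(text: str) -> List[UploadRecord]:
    """Return the upload operations found in v1.0 Storage Analytics log text."""
    records = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < 24 or row[2] not in UPLOAD_OPS:
            continue  # truncated line or not an upload
        records.append(UploadRecord(row[2], row[12], row[22], row[23]))
    return records


def blobs_without_hash(records: List[UploadRecord]) -> List[str]:
    """Object keys of uploads a log-based hash check would have nothing to compare."""
    return [r.object_key for r in records if not r.has_hash]


def _rec(op: str, key: str, req_md5: str = "", srv_md5: str = "") -> str:
    """Build one constructed 30-field v1.0 record; unrelated fields left blank."""
    f = [""] * 30
    f[0], f[1], f[2], f[3], f[4] = "1.0", "2021-06-01T10:00:00.0000000Z", op, "Success", "201"
    f[11], f[12], f[22], f[23] = "https://acct.blob.core.windows.net" + key, key, req_md5, srv_md5
    return ";".join(f)


# Constructed sample: a small PutBlob with hashes, a block-list commit logged
# without one, and a download that is not an upload at all.
SAMPLE_LOG = "\n".join([
    _rec("PutBlob", "/acct/uploads/invoice.pdf", "1B2M2Y8AsgTpgAmY7PhCfg==", "1B2M2Y8AsgTpgAmY7PhCfg=="),
    _rec("PutBlockList", "/acct/uploads/big-archive.zip"),
    _rec("GetBlob", "/acct/uploads/invoice.pdf"),
])

if __name__ == "__main__":
    for key in blobs_without_hash(parse_log(SAMPLE_LOG)):
        print("no hash logged for:", key)
```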