Build Remediation Logic

Implementation Effort: Medium — Requires configuration of automated workflows, access control policies, and integration with security operations tools.

User Impact: Low — Remediation actions are automated and handled by security teams; users are not directly involved.

Overview

Building remediation logic in Microsoft Defender for Storage allows organizations to automatically respond to malware scanning results and reduce the time to contain threats. This logic can be implemented using a combination of Microsoft Defender for Cloud alerts, Event Grid events, and Blob index tags.

Key remediation options include:

• Block access to malicious or unscanned files using Microsoft Entra Attribute-Based Access Control (ABAC). This ensures only clean files are accessible to users and applications.
• Delete malicious blobs automatically. It is recommended to enable soft delete on the storage account to allow recovery in case of false positives.
• Move malicious files to quarantine by transferring them to a dedicated container or storage account with restricted access. Use Microsoft Entra ID and RBAC to limit access to security personnel only.
• Tag blobs using Blob Index Tags to label files based on scan results, enabling easier filtering and automation.
• Trigger automated workflows using Event Grid or Logic Apps to notify SOC teams, log incidents, or initiate further remediation steps.

These actions can be customized based on your organization’s security policies and compliance requirements. If remediation logic is not implemented, malicious files may remain accessible, increasing the risk of data breaches or lateral movement.

This capability supports the Zero Trust principle of "Assume Breach" by ensuring threats are automatically contained and remediated based on real-time scan results.

Reference

• Malware scanning responses - Microsoft Defender for Storage
• Introduction to Defender for Storage malware scanning
• What is Microsoft Defender for Storage