Set Up Responses to Malware Scanning
Implementation Effort: Medium — Requires configuration of automation workflows, permissions, and integration with security operations tools.
User Impact: Low — Responses are automated and handled by security teams; users are not directly involved.
Overview
After enabling malware scanning in Microsoft Defender for Storage, organizations can configure automated responses to scanning results to reduce risk and streamline incident response. These responses help ensure that malicious files are isolated or removed quickly, and clean files are handled appropriately.
Supported response options include:
- Block access to unscanned or malicious files using Microsoft Entra Attribute-Based Access Control (ABAC). This ensures only clean files are accessible to users and applications.
- Delete malicious blobs automatically. It's recommended to enable soft delete on the storage account to allow recovery in case of false positives.
- Move malicious files to quarantine by transferring them to a dedicated container or storage account with restricted access. Use Microsoft Entra ID and role-based access control (RBAC) to limit access to security personnel only.
- Tag blobs using Blob Index Tags to label files based on scan results for easier filtering and automation.
- Trigger workflows using Event Grid events or Defender for Cloud alerts to initiate custom remediation actions (e.g., notify SOC, log incidents, or trigger Logic Apps).
If these responses are not configured, malicious files may remain accessible, increasing the risk of lateral movement, data exfiltration, or compliance violations.
This capability supports the Zero Trust principle of "Assume Breach" by ensuring that threats are contained and remediated automatically based on real-time scan results.