Cloud Storage Security Help Docs

Blob Containers

Similar to scanning AWS storage volumes, you can also scan Azure Blobs.


Last updated 10 days ago

Before you can start protecting your data in Azure Blobs, you'll need to link in your Azure account(s).

How It Works

When linking an account in the CSS console, we deploy resources in the new CSS Resource Group created in Azure. Those resources will have access to the Blob Containers that reside within the linked Azure Account.

Once the Azure Account is linked, Azure Blob Containers will be made available to be scanned through the CSS Console in the Protection > Azure Blob Containers page. You can select blob containers to scan or run scans on a scheduled basis.

We offer two types of scanning for Azure: Event-Based Scanning and Retro Scanning.

Event-Based Scanning:

  1. Users upload data to storage containers.

  2. The storage account's system topic has an Event Grid Subscription tied to it that points to Azure Queue Storage as its event handler.

  3. The Azure Queue Storage receives information about the object via the Event Grid Subscription.

  4. The Container Application pulls information from the queue and scans the object that the notification refers to.

  5. Results are tagged onto the object.

  6. Results and metering are sent back to the CSS Console.
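
Steps 3 and 4 of the event-based flow, as an added example (not Cloud Storage Security's code): it decodes a queue message carrying a `Microsoft.Storage.BlobCreated` event and returns the blob to scan only if the event's URL points at a linked storage account. The base64 message encoding, the `allowed_accounts` parameter, and the sample account and blob names are assumptions.

```python
import base64
import json
from urllib.parse import unquote, urlparse

BLOB_CREATED = "Microsoft.Storage.BlobCreated"
BLOB_SUFFIX = "blob.core.windows.net"  # public-cloud blob endpoint


def parse_queue_message(body, allowed_accounts):
    """Return (account, container, blob, size) for a blob to scan, else None.
    body: queue message text, assumed to be a base64-encoded Event Grid event.
    allowed_accounts: hypothetical set of linked storage account names.
    """
    try:
        event = json.loads(base64.b64decode(body, validate=True))
    except ValueError:
        return None  # not base64 or not JSON: drop rather than guess
    if not isinstance(event, dict) or event.get("eventType") != BLOB_CREATED:
        return None  # only newly written blobs trigger a scan
    data = event.get("data")
    if not isinstance(data, dict):
        return None
    url = urlparse(str(data.get("url", "")))
    # Host is <account>.blob.core.windows.net; compare the whole suffix so a
    # lookalike such as <account>.blob.core.windows.net.example.org fails.
    account, _, suffix = (url.hostname or "").partition(".")
    if url.scheme != "https" or suffix != BLOB_SUFFIX:
        return None
    if account not in allowed_accounts:
        return None  # event names an account outside the linked scope
    # Path is /<container>/<blob name>; blob names may themselves contain "/".
    container, _, blob = url.path.lstrip("/").partition("/")
    if not container or not blob:
        return None
    return account, container, unquote(blob), data.get("contentLength")


def encode_event(event):  # builds a queue message body for the sample below
    return base64.b64encode(json.dumps(event).encode()).decode()


# Constructed sample event; account, container and blob names are made up.
SAMPLE_EVENT = {
    "eventType": BLOB_CREATED,
    "data": {
        "contentLength": 524288,
        "url": "https://examplestore.blob.core.windows.net/uploads/incoming/report%201.pdf",
    },
}
```

Rejecting events for accounts outside the linked set keeps a message written directly to the queue from steering the scanner at storage it was never meant to read.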

Retro Scanning:

  1. Users upload data to storage containers.

  2. The Container Application runs a Crawl Job that evaluates the items to be scanned.

  3. The Crawl Job places objects in Azure Queue Storage.

  4. The Container Application pulls information from the queue and runs a Scan Job to scan the objects in the Queue.

  5. Results and metering are sent back to the CSS Console.

Protecting Blob Containers

"Protection" can mean multiple things: real-time scanning (event-based), scheduled scanning (based on a pre-defined schedule), and on-demand scanning (pick one or more blobs and scan immediately whenever you want).

Shield Status

The shield color shown on this page will reflect how a blob is being protected with event-based scanning. A red shield means a blob is not protected and a green shield means a blob is protected.

Schedule Status

The schedule icons shown below will reflect whether a blob is associated with a schedule and whether that schedule is active or not.

Enable event-based protection on a blob

Similar to protecting Amazon S3 buckets, you can click the red shield associated with each Blob to enable event-based protection on a blob and scan any new files being uploaded to the Blob automatically.

You can also select multiple blobs at the same time, go to the Actions menu, and select Turn On Event AV to enable event-based protection on multiple blobs at the same time.

Retro-based scanning on a blob

On-demand Scanning

You can scan pre-existing files in a blob at any time by selecting which blob you'd like to scan and then selecting Scan Existing - AV in the Actions menu.

Scheduled Scanning

You can add blobs to a schedule by selecting the blobs you want to scan on a scheduled basis and selecting Create AV Schedule in the Actions menu.

Azure On-demand and Scheduled Scan Job Status

If you go to Monitoring > Jobs, you'll be able to see the status of on-demand and scheduled retro scans for Azure blobs.

Schedule status icons:

Protected by Active Schedule - Green clock

Part of an Inactive Schedule - Red clock

Not a Part of any Schedule - Red clock