Please advise on whether this was intentional or an anomaly.
{
"value": [
{
"properties": {
"reportedTimeUtc": "2020-06-24T00:33:05.0257171Z",
"detectedTimeUtc": "2020-06-23T23:40:37.472Z",
"alertDisplayName": "Potential malware uploaded to a storage account",
"alertName": "Storage.Blob_MalwareHashReputation",
"vendorName": "Microsoft",
"reportedSeverity": "Medium",
"associatedResource": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED",
"compromisedEntity": "REDACTED",
"state": "Active",
"isIncident": false,
"correlationKey": "RYwSG8FW/l7l/PH4LvZ6RZ3ZeaYtW46exwOTW+4QEG8=",
"description": "Someone has uploaded potential malware to your Azure Storage account 'REDACTED'.",
"remediationSteps": "• Remove the malicious blob from your storage account.\r\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\r\n• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\r\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.",
"actionTaken": "Undefined",
"subscriptionId": "REDACTED",
"instanceId": "ada17f78-31e6-4e32-9cb8-ba6a55379264",
"extendedProperties": {
"alert Id": "ada17f78-31e6-4e32-9cb8-ba6a55379264",
"azure AD user": "N/A (Azure AD authentication was not used)",
"user agent": "Azure-Storage/2.0.0-2.0.1 (Python CPython 3.6.10; Linux 5.3.0-59-generic) AZURECLI/2.7.0 (DEB)",
"client IP address": "REDACTED",
"client location": "Seattle, United States",
"authentication type": "Shared access signature (SAS)",
"investigation steps": "{\"displayValue\":\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2075734\"}",
"operations types": "PutBlob",
"service type": "Azure Blobs",
"container": "REDACTED",
"blob": "eicar_test.txt",
"malware description": "File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File",
"detection source": "Team Cymru",
"mD5 hash": "44D88612FEA8A8F36DE82E1278ABB02F",
"threat report": "{\"displayValue\":\"View report\",\"kind\":\"Link\",\"value\":\"https:\\/\\/interflowwebportalext.trafficmanager.net\\/reports\\/DisplayReport?callerIdentity=11f6b1d5-4924-41e8-bc4d-011d503247d5&reportCreateDateTime=2020-06-24T00%3a33%3a03&reportName=MSTI-TS-EICAR-File.pdf&tenantId=797d4884-c830-4b7f-a13a-eeb3e6e25ae4&urlCreateDateTime=2020-06-24T00%3a33%3a03&token=REDACTED"}",
"threat report summary": "The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.",
"potential causes": "This alert indicates that a blob containing potential malware has been uploaded to your storage account.\r\nPotential causes:\r\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\r\n• A legitimate user has unintentionally uploaded a malicious blob.\r\n• A legitimate user is performing tests on the system (e.g. penetration testing).",
"resourceType": "Storage",
"killChainIntent": "LateralMovement"
},
"workspaceArmId": "/subscriptions/REDACTED/resourcegroups/REDACTED/providers/microsoft.operationalinsights/workspaces/azbisqlalertlogworkspace",
"confidenceReasons": [],
"canBeInvestigated": true,
"entities": [
{
"$id": "centralus_1",
"address": "REDACTED",
"location": {
"countryName": "United States",
"city": "Seattle"
},
"type": "ip"
},
{
"$id": "centralus_2",
"sourceAddress": {
"$ref": "centralus_1"
},
"protocol": "Tcp",
"type": "network-connection"
},
{
"$id": "centralus_3",
"resourceId": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED",
"type": "azure-resource"
}
]
},
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Security/locations/centralus/alerts/2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264",
"type": "Microsoft.Security/Locations/alerts",
"name": "2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264"
}
]
}
{
"value": [
{
"properties": {
"detectedTimeUtc": "2020-06-23T23:40:37.472Z",
"vendorName": "Microsoft",
"alertDisplayName": "Potential malware uploaded to a storage account",
"alertName": "Storage.Blob_MalwareHashReputation",
"description": "Someone has uploaded potential malware to your Azure Storage account 'stgvendorenscodev'.",
"remediationSteps": "• Remove the malicious blob from your storage account.\r\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\r\n• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\r\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.",
"actionTaken": "Undefined",
"reportedSeverity": "Medium",
"compromisedEntity": "REDACTED",
"associatedResource": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED",
"subscriptionId": "REDACTED",
"instanceId": "ada17f78-31e6-4e32-9cb8-ba6a55379264",
"extendedProperties": {
"alert Id": "ada17f78-31e6-4e32-9cb8-ba6a55379264",
"azure AD user": "N/A (Azure AD authentication was not used)",
"user agent": "Azure-Storage/2.0.0-2.0.1 (Python CPython 3.6.10; Linux 5.3.0-59-generic) AZURECLI/2.7.0 (DEB)",
"client IP address": "REDACTED",
"client location": "Seattle, United States",
"authentication type": "Shared access signature (SAS)",
"investigation steps": "{\"displayValue\":\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2075734\"}",
"operations types": "PutBlob",
"service type": "Azure Blobs",
"container": "REDACTED",
"blob": "eicar_test.txt",
"malware description": "File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File",
"detection source": "Team Cymru",
"mD5 hash": "44D88612FEA8A8F36DE82E1278ABB02F",
"threat report": "{\"displayValue\":\"View report\",\"kind\":\"Link\",\"value\":\"https:\\/\\/interflowwebportalext.trafficmanager.net\\/reports\\/DisplayReport?callerIdentity=11f6b1d5-4924-41e8-bc4d-011d503247d5&reportCreateDateTime=2020-06-24T00%3a33%3a03&reportName=MSTI-TS-EICAR-File.pdf&tenantId=797d4884-c830-4b7f-a13a-eeb3e6e25ae4&urlCreateDateTime=2020-06-24T00%3a33%3a03&token=REDACTED"}",
"threat report summary": "The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.",
"potential causes": "This alert indicates that a blob containing potential malware has been uploaded to your storage account.\r\nPotential causes:\r\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\r\n• A legitimate user has unintentionally uploaded a malicious blob.\r\n• A legitimate user is performing tests on the system (e.g. penetration testing).",
"resourceType": "Storage",
"killChainIntent": "LateralMovement"
},
"state": "Active",
"reportedTimeUtc": "2020-06-24T00:33:05.0257171Z",
"workspaceArmId": "/subscriptions/REDACTED/resourcegroups/REDACTED/providers/microsoft.operationalinsights/workspaces/azbisqlalertlogworkspace",
"confidenceReasons": [],
"canBeInvestigated": true,
"isIncident": false,
"entities": [
{
"$id": "centralus_1",
"address": "REDACTED",
"location": {
"countryName": "United States",
"city": "Seattle"
},
"type": "ip"
},
{
"$id": "centralus_2",
"sourceAddress": {
"$ref": "centralus_1"
},
"protocol": "Tcp",
"type": "network-connection"
},
{
"$id": "centralus_3",
"resourceId": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED",
"type": "azure-resource"
}
],
"correlationKey": "RYwSG8FW/l7l/PH4LvZ6RZ3ZeaYtW46exwOTW+4QEG8="
},
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Security/locations/centralus/alerts/2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264",
"name": "2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264",
"type": "Microsoft.Security/Locations/alerts"
}
]
}
The schema has remained in this format since then.