in Workflow automation/Move Malicious Blob FunctionApp Defender for Storage/MoveMaliciousBlobEventTrigger.cs [24:81]
public static async Task RunAsync([EventGridTrigger] EventGridEvent eventGridEvent, ILogger log)
{
if (eventGridEvent.EventType != AntimalwareScanEventType)
{
log.LogInformation("Event type is not an {0} event, event type:{1}", AntimalwareScanEventType, eventGridEvent.EventType);
return;
}
var storageAccountName = eventGridEvent?.Subject?.Split("/")[^1];
log.LogInformation("Received new scan result for storage {0}", storageAccountName);
var eventData = JsonDocument.Parse(eventGridEvent.Data).RootElement;
var verdict = eventData.GetProperty("scanResultType").GetString();
var blobETag = new ETag(eventData.GetProperty("eTag").GetString());
var blobUriString = eventData.GetProperty("blobUri").GetString();
var blobUri = new Uri(blobUriString);
var blobUriBuilder = new BlobUriBuilder(blobUri);
// Filter events from interested containers
if (blobUriBuilder.BlobContainerName != InterestedContainer)
{
log.LogInformation("Event is not from the interested containers, ignoring");
return;
}
if (verdict == null || blobUriString == null)
{
log.LogError("Event data doesn't contain 'verdict' or 'blobUri' fields");
throw new ArgumentException("Event data doesn't contain 'verdict' or 'blobUri' fields");
}
if (verdict == MaliciousVerdict)
{
log.LogInformation("blob {0} is malicious, moving it to {1} container", blobUri, MalwareContainer);
try
{
await MoveMaliciousBlobAsync(blobUri, blobETag, log);
}
catch (Exception e)
{
log.LogError(e, "Can't move blob to container '{0}'", MalwareContainer);
throw;
}
}
if (verdict == CleanVerdict)
{
log.LogInformation("blob {0} is malicious, moving it to {1} container", blobUri, CleanContainer);
try
{
await MoveCleanBlobAsync(blobUri, blobETag, log);
}
catch (Exception e)
{
log.LogError(e, "Can't move blob to container '{0}'", CleanContainer);
throw;
}
}
}