Storage should be able to receive defender scan results #542

Open · 7 tasks
SandGrainOne opened this issue Nov 6, 2024 · 0 comments
Labels: kind/user-story (used for issues that describe functionality for our users)

SandGrainOne (Member) commented Nov 6, 2024

Description

Storage should be expanded with an endpoint that can handle Defender scan result reports. Defender can be configured to publish scan results on an EventGrid topic. Storage should consume the reports and update the correct DataElement with the scan results.

We need a new controller with a new POST endpoint as an event receiver. The endpoint should be secured with an AccessKey. This will also require more Azure resources defined in terraform. "The event topic must be a custom topic in the same region as the storage account". The Storage application must also have a defined event subscription, possibly for every storage account unless we find a way to publish all reports to the same topic.

We need to analyze what we need to include in the report so that Storage can find the correct DataElement. The report needs to contain app id, instance id and data id as well as the scan result. Some of that might be unknown to Defender and would need to be included in the event subscription for each storage account if possible.

Additional Information

This issue is part of a change where the goal is to discontinue the file scan application and the use of Clam AV. Defender is already active, but the reports aren't being used for anything.

Most of the required setup, wiring and authorization has already been done once in the Notifications Email application.
Take a look at the DeliveryReportController implementation. It must be adapted for Defender, but the framework should be usable.

Take a look at terraform resource definitions, but note that we want to change how AccessKey is included in a request.

Tasks

  • Create a new controller: DefenderScanReportController
  • Add an endpoint to handle defender reports: storage/api/v1/defender/reports
    • Update correct DataElement with correct status (Clean/Infected) using existing Service and Repository logic if possible.
  • Create a new AccessKeyAttribute class to authorize requests. Inspired by the same class in the notifications-email project, but using header instead of query parameter.
    • Add Configuration settings for the shared secret: New section. DefenderSettings with property AccessKey.
    • Decorate the controller with the attribute.
  • Add necessary terraform resources to add a new event grid topic and subscriptions for delivery report. Ensure that the subscription includes a header value with the access key. Look for how to set up "delivery parameters" with terraform.

Acceptance Criteria

No response
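The tasks above describe one procedure: a controller with a POST endpoint, an AccessKey attribute that reads the shared secret from a header instead of a query parameter, a DefenderSettings configuration section, and a verdict written back to the DataElement as Clean or Infected. The sketch below is an added example of how those pieces fit together in ASP.NET Core; it is not code from the Altinn Storage project or from the notifications-email DeliveryReportController it refers to. Assumed and not taken from the issue: the header name X-Access-Key, the Event Grid event type and field names used for the validation handshake and the malware scan result, the IDataElementStatusUpdater seam standing in for the existing Service and Repository logic, and the blob path layout used to recover the instance and data ids.

```csharp
// Added example, not the Storage project's own code. Assumptions are marked inline.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Bound from the configuration section "DefenderSettings" (property AccessKey, as the task list says).
public class DefenderSettings
{
    public string AccessKey { get; set; } = string.Empty;
}

// Shared-secret check on a request header rather than the query string, so the key does not
// land in access logs or proxy histories. The comparison is constant-time and fails closed
// when no key is configured.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AccessKeyAttribute : Attribute, IAuthorizationFilter
{
    public const string HeaderName = "X-Access-Key"; // assumed; must match the delivery header set on the event subscription

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        string expected = context.HttpContext.RequestServices
            .GetRequiredService<IOptions<DefenderSettings>>().Value.AccessKey;

        if (string.IsNullOrEmpty(expected)
            || !context.HttpContext.Request.Headers.TryGetValue(HeaderName, out var presented)
            || !FixedTimeEquals(expected, presented.ToString()))
        {
            context.Result = new UnauthorizedResult();
        }
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        // Length mismatch returns false without a timing leak of the key contents.
        return CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(a), Encoding.UTF8.GetBytes(b));
    }
}

public record ScanVerdict(Guid InstanceGuid, Guid DataGuid, string Status);

// Hypothetical seam to the existing Service/Repository logic that updates a DataElement.
public interface IDataElementStatusUpdater
{
    Task UpdateScanStatusAsync(ScanVerdict verdict);
}

[ApiController]
[Route("storage/api/v1/defender")]
[AccessKey]
public class DefenderScanReportController : ControllerBase
{
    private readonly IDataElementStatusUpdater _updater;

    public DefenderScanReportController(IDataElementStatusUpdater updater) => _updater = updater;

    [HttpPost("reports")]
    public async Task<IActionResult> Post([FromBody] JsonElement[] events)
    {
        foreach (JsonElement evt in events)
        {
            string eventType = evt.GetProperty("eventType").GetString() ?? string.Empty;
            JsonElement data = evt.GetProperty("data");

            // Event Grid's subscription handshake: echo the validation code or the subscription never activates.
            if (eventType == "Microsoft.EventGrid.SubscriptionValidationEvent")
            {
                return Ok(new { validationResponse = data.GetProperty("validationCode").GetString() });
            }

            // Event type and field names below are assumed for Defender for Storage scan results.
            if (eventType != "Microsoft.Security.MalwareScanningResult") continue;

            string verdict = data.GetProperty("scanResultType").GetString() ?? string.Empty;
            string status = verdict == "No threats found" ? "Clean" : "Infected"; // anything unexpected fails closed

            if (TryParseBlobUri(data.GetProperty("blobUri").GetString(), out Guid instanceGuid, out Guid dataGuid))
            {
                await _updater.UpdateScanStatusAsync(new ScanVerdict(instanceGuid, dataGuid, status));
            }
        }

        return Ok();
    }

    // Assumed blob path layout: .../{instanceGuid}/data/{dataGuid}. Returns false on anything else.
    internal static bool TryParseBlobUri(string? blobUri, out Guid instanceGuid, out Guid dataGuid)
    {
        instanceGuid = dataGuid = Guid.Empty;
        if (!Uri.TryCreate(blobUri, UriKind.Absolute, out Uri? uri)) return false;

        string[] parts = uri.AbsolutePath.Trim('/').Split('/');
        int i = Array.IndexOf(parts, "data");
        return i >= 1 && i + 1 < parts.Length
            && Guid.TryParse(parts[i - 1], out instanceGuid)
            && Guid.TryParse(parts[i + 1], out dataGuid);
    }
}
```

Two design points worth keeping when adapting the DeliveryReportController: the attribute rejects the request when the configured AccessKey is empty, so a misconfigured environment cannot accept unauthenticated reports, and any scan verdict other than the expected clean value is mapped to Infected rather than ignored, so an unrecognised result never leaves a DataElement looking clean.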

SandGrainOne added the kind/user-story label, and added and then removed the status/draft label, on Nov 6, 2024.