Microsoft Defender for Storage configuration (and limits/scope of Bicep)

[jacksorjacksor]

Hi there!

I've got an Azure Storage Account. I've recently enabled Microsoft Defender for Cloud on that account, and enabled "On-upload malware scanning", setting the scan results to be sent over to an Event Grid topic.

My question is - how much of this can be handled in Bicep? Is this sort of functionality something I should be able to do from a code-first perspective, or will I always need to define this manually through the Portal [at present unsure on CLI options]?

I've had good experiences using Bicep for deploying core infrastructure (App Config, Azure SQL etc.) but my curiosity is around the limitations - should every option available through the Azure Portal be replicable via Bicep? What is out of scope for Bicep?

Cheers!

Rich