Near Real-Time DLP Scan and Malware Scan for Azure
Skyhigh CASB provides Near Real-Time (NRT) DLP and Malware detection for Azure Blob storage. This feature significantly reduces the time to find new DLP and Malware violations in Blob storage: instead of waiting for the next scheduled scan, it detects blob creation and modification events in near real time and evaluates the associated DLP and Malware policies against the new content.
NRT DLP and Malware Scans for Azure use an Azure Event Grid event subscription on the storage account whose endpoint is the Skyhigh CASB webhook. Whenever the storage account emits a blob event, Event Grid sends a notification to the webhook; Skyhigh CASB processes the notification and triggers evaluation of the appropriate DLP or Malware policies for that blob.
Prerequisites
Configure an Azure instance in Skyhigh CASB. For more information, see Enable Microsoft Azure.
Note: Azure does not emit Event Grid events for general-purpose v1 storage accounts, so NRT DLP and Malware scans are supported on general-purpose v2 storage accounts only.
Enable NRT DLP and Malware for Azure
To enable Near Real-Time DLP and Malware Scans for Azure:
- Log in to Skyhigh CASB and go to Settings > Service Management.
- Select your Microsoft Azure instance and click Setup > Edit.
- You are redirected to the Summary page. Under Enabled Features, click Edit.
- To enable NRT DLP, select the checkbox Near Real Time.
- To view the prerequisite steps to set up NRT DLP, click the link NRT DLP. You are redirected to the current page.
Configure Event Subscriptions
You can configure Event Subscriptions using an ARM template or manually.
Use the ARM Template
- In the Azure Portal, go to Templates.
- Select Add.
- For General, add a name and description, and click OK.
- Download the file update_Storage_account_with_Event_sub.json. Use this template to create event subscriptions for multiple storage accounts in one deployment.
- Copy and paste the contents into the ARM Template page. Then click OK and Add.
- The saved template now appears in your Templates list. Select it and click Deploy.
- Fill in the required information. Your storage account names and endpoint will differ from the screenshot:
- Storage account names must be provided as a JSON array, for example ["strgAccnt1","strgAccnt2"].
- Endpoint. Depending on your Skyhigh CASB region, use one of the following webhook URLs:
- Canada region: https://webhooks.myshn.ca/azure/events
- EU region: https://webhooks.myshn.eu/azure/events
- Prod region: https://webhooks.myshn.net/azure/events
- Accept terms and conditions, then select Purchase.
- To verify the deployment, open Events on each intended storage account and confirm that an event subscription exists, that it targets the Skyhigh webhook URL for your region, and that it includes the Blob Created event type. A storage account with no subscription will never be scanned in near real time.
Configure Event Subscriptions Manually
- In the Azure portal, go to the Storage account that you want to configure.
- Under Events, select + Event Subscription and provide the required information:
- Name. Name of the event subscription.
- Event Types. Select Blob Created and Blob Renamed.
- Endpoint Type. Select Webhook.
- Endpoint. Depending on your region, select one of the following endpoints:
- Canada region: https://webhooks.myshn.ca/azure/events
- EU region: https://webhooks.myshn.eu/azure/events
- Prod region: https://webhooks.myshn.net/azure/events
- Click Create.
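The ARM template and the manual procedure above create the same Azure resource: a Microsoft.EventGrid/eventSubscriptions extension resource scoped to a storage account, with a WebHook destination pointing at the Skyhigh endpoint and an event-type filter. The following added example (written for this page; it is not Skyhigh's update_Storage_account_with_Event_sub.json and not Skyhigh code) generates such a template for a list of storage accounts using an ARM copy loop, pins the endpoint to the three webhook URLs listed above, and includes a small checker you can run against an exported subscription's properties to perform the verification step. It assumes the storage accounts live in the resource group the template is deployed to, and that the region keys canada, eu and prod map to the URLs on this page. The SAMPLE_OK and SAMPLE_BAD objects are constructed test data.

```python
"""Build and sanity-check an ARM template for Skyhigh CASB NRT event
subscriptions on Azure storage accounts (added example, not Skyhigh code).
Assumes the storage accounts are in the deployment's resource group."""
import json
import re

# Webhook endpoints from this page, keyed by Skyhigh CASB region.
SKYHIGH_ENDPOINTS = {
    "canada": "https://webhooks.myshn.ca/azure/events",
    "eu": "https://webhooks.myshn.eu/azure/events",
    "prod": "https://webhooks.myshn.net/azure/events",
}

# Event types the manual procedure selects. BlobCreated also fires when an
# existing blob is overwritten, which is how modifications are picked up.
EVENT_TYPES = ["Microsoft.Storage.BlobCreated", "Microsoft.Storage.BlobRenamed"]

# Azure storage account naming rule: 3-24 lowercase letters and digits.
_ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")


def build_template(storage_accounts, region):
    """Return an ARM template (dict) creating one
    Microsoft.EventGrid/eventSubscriptions extension resource per storage
    account, via a copy loop so one deployment covers every account."""
    if region not in SKYHIGH_ENDPOINTS:
        raise ValueError(f"unknown Skyhigh region {region!r}")
    if not storage_accounts:
        raise ValueError("at least one storage account name is required")
    bad = [a for a in storage_accounts if not _ACCOUNT_RE.match(a)]
    if bad:
        raise ValueError(f"invalid storage account name(s): {bad}")

    acct = "parameters('storageAccounts')[copyIndex()]"
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            # Supplied at deploy time in the ["strgAccnt1","strgAccnt2"] format.
            "storageAccounts": {"type": "array", "defaultValue": list(storage_accounts)},
            # allowedValues pins the destination to the known Skyhigh webhooks,
            # so a typo cannot route blob events to an arbitrary host.
            "endpoint": {
                "type": "string",
                "defaultValue": SKYHIGH_ENDPOINTS[region],
                "allowedValues": sorted(SKYHIGH_ENDPOINTS.values()),
            },
        },
        "resources": [
            {
                "type": "Microsoft.EventGrid/eventSubscriptions",
                "apiVersion": "2021-12-01",
                "name": f"[concat('skyhigh-nrt-', {acct})]",
                # Extension resource scoped to the storage account (event source).
                "scope": f"[resourceId('Microsoft.Storage/storageAccounts', {acct})]",
                "copy": {"name": "nrtSubscriptions",
                         "count": "[length(parameters('storageAccounts'))]"},
                "properties": {
                    "destination": {
                        "endpointType": "WebHook",
                        "properties": {"endpointUrl": "[parameters('endpoint')]"},
                    },
                    "filter": {"includedEventTypes": EVENT_TYPES},
                },
            }
        ],
    }


def check_subscription(props, region):
    """Check one subscription's ARM properties (e.g. from the portal's Export
    template) against this page's requirements. Returns a list of problems;
    an empty list means the subscription is wired correctly."""
    problems = []
    dest = props.get("destination", {})
    if dest.get("endpointType") != "WebHook":
        problems.append(f"endpointType is {dest.get('endpointType')!r}, expected 'WebHook'")
    url = dest.get("properties", {}).get("endpointUrl")
    if url != SKYHIGH_ENDPOINTS[region]:
        problems.append(f"endpointUrl {url!r} is not the {region} Skyhigh webhook")
    # An absent includedEventTypes filter means Event Grid delivers every event
    # type, which still covers BlobCreated; a filter without it is a real gap.
    types = props.get("filter", {}).get("includedEventTypes") or []
    if types and "Microsoft.Storage.BlobCreated" not in types:
        problems.append("filter does not include Microsoft.Storage.BlobCreated")
    return problems


# Constructed samples: a correct prod subscription, and one mis-created with the
# EU endpoint and a filter that omits BlobCreated.
SAMPLE_OK = {"destination": {"endpointType": "WebHook",
                             "properties": {"endpointUrl": SKYHIGH_ENDPOINTS["prod"]}},
             "filter": {"includedEventTypes": EVENT_TYPES}}
SAMPLE_BAD = {"destination": {"endpointType": "WebHook",
                              "properties": {"endpointUrl": SKYHIGH_ENDPOINTS["eu"]}},
              "filter": {"includedEventTypes": ["Microsoft.Storage.BlobDeleted"]}}

if __name__ == "__main__":
    print(json.dumps(build_template(["strgaccnt1", "strgaccnt2"], "prod"), indent=2))
    print("ok sample:", check_subscription(SAMPLE_OK, "prod") or "OK")
    print("bad sample:", check_subscription(SAMPLE_BAD, "prod"))
```

Save the printed JSON and deploy it with the portal's Templates feature as described above; because storage account names are a parameter, the same template is reused for any set of accounts. Azure performs a webhook validation handshake when the subscription is created, so the subscription only reaches the Succeeded state if the Skyhigh endpoint for your region is reachable and accepts it.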
Configure DLP and Malware Policies for NRT
- Go to Skyhigh CASB and choose Policy > DLP Policies.
- Create a new DLP policy or edit an existing one, and under Services select Microsoft Azure. For complete details, see Create or Edit a Sanctioned DLP Policy.
- Review your policy and Save.
- To create a new malware policy or edit an existing one, choose Policy > Malware Policies.
- Click Actions > Create a Malware Policy.
- For Services, select Microsoft Azure.
- Complete the remaining steps, and then save your policy. For complete details, see Create a Malware Policy.