Azure architecture and flow

This section illustrates the File Storage Security architecture, shows how information flows through the architecture during a scan operation, and describes each of the components in detail.

Topics:

• Architecture
• Components

Architecture

The following architecture diagram illustrates the main File Storage Security components and information flow.

Information flows through this architecture as follows:

1. A user or program uploads a file to any container inside the protecting storage account. The upload generates an Microsoft.Storage.BlobCreated event and pushes the event to an Event Grid System Topic.
2. The Blob Listener Function detects the Microsoft.Storage.BlobCreated event, and sends a URL containing the shared access signature (SAS) to the Scanner Queue in the scanner stack. The URL links back to the file that needs to be scanned.
3. The Scanner Function, which is subscribed to the Scanner Queue, does the following:
   • Retrieves the URL message from the Scanner Queue.
   • Finds the file in Azure storage account at the URL location.
   • Performs scanning on the file.
   • Generates file identification information.
   • Sends the file identification information to the Trend Micro Global Smart Protection Server in the cloud.
4. The Trend Micro Global Smart Protection Server leverages the Trend Micro Smart Protection Network (not shown in diagram) to perform the remaining scanning on the file identification information (not the file). The scan results are returned to the Scanner Function.
5. The Scanner Function does the following:
   • Publishes the scan results to the Scan Result Topic in the storage stack.
   • Sends the scan results to the File Storage Security console. (The console is not shown in the diagram).
6. The Scan Result Topic notifies its subscribers that new scan results are available. Its subscribers are:
   • the File Storage Security's Post Scan Action Tag Function
   • your custom post-scan action Function function
7. After receiving the notification from Scan Result Topic:
   • The PostScanActionTagFunction adds the scan results to the file using Azure blob metadata and blob index tags. For details, see Understand tags and scan results.
   • Your custom post-scan action Function acts on the scan information provided in the Scan Result Topic. For example, it might quarantine or delete the file if it is found to be malicious.

Components

Protecting storage account

The protecting storage account is the storage account that is monitored for incoming (added) file. Files added to any container in the protecting storage account are scanned.

Storage stack

The storage stack monitors the protecting storage account for incoming (added) files and sends them to the scanner stack for scanning. The storage stack can be deployed:

• as a standalone stack, using the storage stack Azure Resource Manager template, or
• as a nested stack under the all-in-one stack.

For information on how many storage stacks you should use in your deployment, see How many stacks should I add?.

Scanner stack

The scanner stack scans files and publishes the results to the Scan Result Topic. The scanner stack can be deployed:

• as a standalone stack, using the scanner stack Azure Resource Manager template, or
• as a nested stack under the all-in-one stack.

A typical File Storage Security deployment only needs one scanner stack, but if you think you might need more, see How many stacks should I add?

All-in-one stack

The all-in-one stack is deployed using the all-in-one Azure Resource Manager template. The all-in-one stack includes:

• the scanner stack
• the storage stack
• supporting resources

Blob Listener Function

The Blob Listener Function is part of the storage stack, and is responsible for monitoring the protecting storage account for added files and sending scanning requests to the scanner stack.

Scanner Function

The Scanner Function is part of the scanner stack and is responsible for scanning files and then sending file identification information to the Trend Micro Global Smart Protection Server for further scanning.

Scanner Queue

The Azure Service Bus Scanner Queue is part of the scanner stack, and is the queue to which the BlobListenerFunction sends its scanning request messages.

Scan Result Topic

The Azure Service Bus Scan Result Topic is part of the storage stack, and is the topic to which the scanner stack publishes its results. You can subscribe your custom post-scan action function to this topic to be notified of new scans.

Post Scan Action Tag Function

The Post Scan Action Tag Function is part of the storage stack, and is responsible for tagging the scanned file with its associated scan results.

Your Microsoft Entra ID

Your Microsoft Entra ID is where you'll be installing the File Storage Security stacks. You can install the stacks into multiple Azure subscriptions under the same Microsoft Entra ID if you want. For details, see the multi-stack architecture.

Custom post-scan action function

The custom post-scan action function is a function that you write. It is responsible for processing scan results that it obtains from the Scan Result Topic. For details, see Create post-scan actions.

API and code samples

We provide APIs and code samples that you can use to create your Functions. See Create post-scan actions for details.

Console

The console is a web interface where you can view scan results and deploy stacks. The console is hosted by Trend Micro and exists outside your Microsoft Entra ID.