Hi Tom
Thanks for using the Q&A platform.
Defender for Cloud’s malware scanning feature uses Event Grid subscriptions to scan blobs on upload or on demand. When malware scanning is disabled or a storage account is deleted, Defender automatically removes those Event Grid subscriptions to clean up resources. The activity log shows “Delete EventSubscription” even though you didn’t trigger it manually; the scanner resource provider performed it as part of its cleanup routine.
Defender might try to access stale resources, log an alert, and then clean them up; hence, the delete events are showing in your activity log. Kindly note that these are safe and expected cleanup operations.
Find additional information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/introduction-malware-scanning
https://learn.microsoft.com/en-us/azure/governance/policy/samples/resource-graph-samples?tabs=azure-cli#policy-exemptions-that-expire-within-90-days
If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This helps others in the community as well.
Regards,
Obinna.
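
To check the point made in the answer above against your own activity log, here is an added example (not part of the answer and not Microsoft tooling). It reads events in the shape of `az monitor activity-log list -o json`, collapses the Started/Succeeded pair of each operation, and marks every Event Grid subscription delete whose caller is not on a list you supply. The caller ID, resource paths and sample events are constructed; take the scanner's real caller value from your own tenant's log.

```python
import json

# Constructed sample shaped like `az monitor activity-log list -o json` output.
RG = "/subscriptions/sub-example/resourceGroups/rg-example/providers"
SAMPLE = json.loads("""[
 {"correlationId": "c1", "caller": "00000000-0000-0000-0000-0000000000AA",
  "operationName": {"value": "Microsoft.EventGrid/eventSubscriptions/delete"},
  "status": {"value": "Succeeded"}, "resourceId": "RG/constructed-a"},
 {"correlationId": "c1", "caller": "00000000-0000-0000-0000-0000000000AA",
  "operationName": {"value": "Microsoft.EventGrid/eventSubscriptions/delete"},
  "status": {"value": "Started"}, "resourceId": "RG/constructed-a"},
 {"correlationId": "c2", "caller": "user@example.com",
  "operationName": {"value": "Microsoft.EventGrid/systemTopics/eventSubscriptions/delete"},
  "status": {"value": "Succeeded"}, "resourceId": "RG/constructed-b"},
 {"correlationId": "c3", "caller": "user@example.com",
  "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
  "status": {"value": "Succeeded"}, "resourceId": "RG/constructed-c"}
]""".replace("RG/", RG + "/Microsoft.EventGrid/eventSubscriptions/"))


def is_subscription_delete(event):
    """True for any Event Grid event-subscription delete operation."""
    op = (event.get("operationName") or {}).get("value", "")
    return op.lower().endswith("eventsubscriptions/delete")


def triage(events, expected_callers):
    """One row per delete operation; callers not in expected_callers get 'review'."""
    expected = {c.lower() for c in expected_callers}
    by_operation = {}
    for n, event in enumerate(events):
        if not is_subscription_delete(event):
            continue
        # Started and Succeeded/Failed entries of one operation share a correlationId.
        key = event.get("correlationId") or f"no-correlation-{n}"
        kept = by_operation.get(key)
        if kept is None or kept["status"] == "Started":  # prefer the final status
            caller = event.get("caller") or ""
            by_operation[key] = {
                "resourceId": event.get("resourceId", ""),
                "caller": caller,
                "status": (event.get("status") or {}).get("value", ""),
                "verdict": "expected" if caller.lower() in expected else "review",
            }
    return list(by_operation.values())


if __name__ == "__main__":
    # Placeholder caller ID (assumption): replace with the value seen in your tenant.
    for row in triage(SAMPLE, {"00000000-0000-0000-0000-0000000000aa"}):
        print(row["verdict"], row["status"], row["caller"], row["resourceId"])
```
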