When setting up your Cloud Account Management Terraform template, you have the option of setting the destination of the scanned files, depending on the results of the scan. If you do not set the parameters, the scanned files remain in their original location with metatags indicating their scan result.
File Security Storage supports three types of destination storage accounts:
  • quarantine_storage_account: Specifies the Azure storage account path where files identified as malicious will be quarantined. When a file is detected as malware or contains threats, File Security Storage will move it to this storage account for isolation and further investigation.
  • clean_storage_account: Specifies the Azure storage account path where files that pass security scanning will be moved. Clean files are those verified to be free of malware and other security threats.
  • failure_storage_account: Specifies the Azure storage account path where files that cannot be scanned will be moved. This includes files that encounter scanning errors, exceed size limits, are corrupted, or have unsupported formats.
You can configure these destination storage accounts with custom (per source account), regional, and global settings. Use the Terraform jsonencode() function to set these parameters. The legacy escaped-string format (with backslash-escaped inner double quotes) remains supported.

Single-Subscription

Regional:
quarantine_storage_account = jsonencode({ eastus = "quarantinefileseusacct", westeurope = "quarantinefilesweuacct" })
clean_storage_account = jsonencode({ eastus = "cleanfileseusacct", westeurope = "cleanfilesweuacct" })
failure_storage_account = jsonencode({ eastus = "failurefileseusacct", westeurope = "failurefilesweuacct" })
Global (fallback):
quarantine_storage_account = jsonencode({ global = "centralquarantineacct" })
clean_storage_account = jsonencode({ global = "centralcleanacct" })
failure_storage_account = jsonencode({ global = "centralfailureacct" })
Custom (per source account):
quarantine_storage_account = jsonencode({
  custom = {
    "source-storage-account-name" = { destAccount = "destination-account-name" }
  }
})
clean_storage_account = jsonencode({
  custom = {
    "source-storage-account-name" = { destAccount = "destination-account-name" }
  }
})
failure_storage_account = jsonencode({
  custom = {
    "source-storage-account-name" = { destAccount = "destination-account-name" }
  }
})
Combined:
quarantine_storage_account = jsonencode({
  custom = { "finance-data-acct" = { destAccount = "finance-quarantine-acct" } }
  eastus = "general-quarantine-eastus"
  global = "general-quarantine-fallback"
})
clean_storage_account = jsonencode({
  custom = { "finance-data-acct" = { destAccount = "finance-clean-acct" } }
  eastus = "general-clean-eastus"
  global = "general-clean-fallback"
})
failure_storage_account = jsonencode({
  custom = { "finance-data-acct" = { destAccount = "finance-failure-acct" } }
  eastus = "general-failure-eastus"
  global = "general-failure-fallback"
})

Set the parameters for a single subscription

To set these optional parameters, carry out the following steps before deploying the Terraform template. If you have already deployed the template, you need to redeploy it after making the change.
  1. In the template package, find the main.tf file.
  2. In the file, locate the file-storage-security section.
    module "file-storage-security" {
      source = "https://v1-file-security-storage.s3.amazonaws.com/latest/azureTemplates/azure-templates.zip"
      business_id = module.cam.v1_account_id
      subscription_id = module.cam.subscription_id
      resource_group_location = module.cam.cam_deployed_region
      bootstrap_token = "<bootstrap token>"
      fss_api_endpoint = "https://api.xdr.trendmicro.com/external/v2/direct/sfc/external/sfc/api"
      xlogr_api_endpoint = "https://xlogr-ue1.xdr.trendmicro.com"
      fss_bucket_name = "v1-file-security-storage"
      quarantine_storage_account = jsonencode({})
      clean_storage_account = jsonencode({})
      failure_storage_account = jsonencode({})
    }
  3. Update the following parameters with the desired Azure storage account:
    module "file-storage-security" {
      # ... other configuration ...
      quarantine_storage_account = jsonencode({})
      clean_storage_account = jsonencode({})
      failure_storage_account = jsonencode({})
    }
  4. Run the deploy.sh script.

Management Group

Use the Terraform lookup() function to select a routing configuration per subscription, keyed by subscription ID. Subscriptions not present in the map receive the empty default ({}) and have routing disabled:
quarantine_storage_account = jsonencode(lookup(
  {
    "11111111-2222-3333-4444-555555555555" = { global = "quarantine-sub-a" }
    "22222222-3333-4444-5555-666666666666" = { global = "quarantine-sub-b" }
  },
  var.subscription_id,
  {}
))
The same pattern applies to clean_storage_account and failure_storage_account. Regional and custom routing modes are also supported within each subscription's config.

Set the parameters for a Management Group

To set these optional parameters, carry out the following steps before deploying the Terraform template. If you have already deployed the template, you need to redeploy it after making the change.
  1. In the template package, find the security_apps/main.tf file.
  2. In the file, locate the file-storage-security section.
    module "file-storage-security" {
      source = "https://v1-file-security-storage.s3.amazonaws.com/latest/azureTemplates/azure-templates.zip"
      business_id = module.cam.v1_account_id
      subscription_id = module.cam.subscription_id
      resource_group_location = module.cam.cam_deployed_region
      bootstrap_token = "<bootstrap token>"
      fss_api_endpoint = "https://api.xdr.trendmicro.com/external/v2/direct/sfc/external/sfc/api"
      xlogr_api_endpoint = "https://xlogr-ue1.xdr.trendmicro.com"
      fss_bucket_name = "v1-file-security-storage"
      quarantine_storage_account = jsonencode({})
      clean_storage_account = jsonencode({})
      failure_storage_account = jsonencode({})
    }
  3. Update the following parameters with the desired Azure storage account:
    module "file-storage-security" {
      # ... other configuration ...
      quarantine_storage_account = jsonencode(lookup(
        {
          "11111111-2222-3333-4444-555555555555" = { global = "quarantine-sub-a" }
          "22222222-3333-4444-5555-666666666666" = { global = "quarantine-sub-b" }
        },
        var.subscription_id,
        {}
      ))
      clean_storage_account = jsonencode(lookup(
        {
          "11111111-2222-3333-4444-555555555555" = { global = "clean-sub-a" }
          "22222222-3333-4444-5555-666666666666" = { global = "clean-sub-b" }
        },
        var.subscription_id,
        {}
      ))
      failure_storage_account = jsonencode(lookup(
        {
          "11111111-2222-3333-4444-555555555555" = { global = "failure-sub-a" }
          "22222222-3333-4444-5555-666666666666" = { global = "failure-sub-b" }
        },
        var.subscription_id,
        {}
      ))
    }
  4. Run the ./mgmt_group_deploy.sh script.
Regional and custom modes are also supported within each subscription's config. Subscriptions not in the map have routing disabled.
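The per-subscription regional and custom modes mentioned in the Management Group section and again above are not shown on this page. The following is an added example, not code from the template, that keeps all three destination maps for each subscription in one locals block and selects them with the same lookup() pattern; the local names fss_routing and fss_sub_routing, the subscription IDs and the account names are constructed placeholders.

```hcl
locals {
  # One entry per subscription; each destination may mix custom, regional and global keys.
  # Subscription IDs and storage account names are constructed placeholders.
  fss_routing = {
    "11111111-2222-3333-4444-555555555555" = {
      quarantine = {
        custom = { "finance-data-acct" = { destAccount = "finance-quarantine-acct" } }
        eastus = "quarantine-sub-a-eastus"
        global = "quarantine-sub-a-fallback"
      }
      clean = {
        eastus = "clean-sub-a-eastus"
        global = "clean-sub-a-fallback"
      }
      failure = {
        global = "failure-sub-a-fallback"
      }
    }
    "22222222-3333-4444-5555-666666666666" = {
      # Regional only, no global fallback for this subscription.
      quarantine = { westeurope = "quarantine-sub-b-weu" }
      clean      = { westeurope = "clean-sub-b-weu" }
      failure    = { westeurope = "failure-sub-b-weu" }
    }
  }

  # Subscriptions absent from the map resolve to {} and have routing disabled.
  fss_sub_routing = lookup(local.fss_routing, var.subscription_id, {})
}

module "file-storage-security" {
  # ... other configuration ...
  quarantine_storage_account = jsonencode(lookup(local.fss_sub_routing, "quarantine", {}))
  clean_storage_account      = jsonencode(lookup(local.fss_sub_routing, "clean", {}))
  failure_storage_account    = jsonencode(lookup(local.fss_sub_routing, "failure", {}))
}
```

Run terraform console and evaluate local.fss_sub_routing to confirm which entry a given var.subscription_id selects before deploying.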