Hi, when Defender for Storage scans an uploaded archive, the documented schema only guarantees fields like scanResultType, malwareNamesFound, and sha256. The pathHints you’re seeing is an undocumented internal field that lists inner files in a zip. Since it’s not in the official event contract, Microsoft can change or remove it anytime, so you shouldn’t rely on it in automation. Use only the documented fields for enforcement and treat pathHints as optional/context info; if you want it formally supported, submit feedback to Microsoft docs.
Get Malicious file name(s) within Zipped file from Azure Defender scan results for Storage

I am using the on-upload malware scanning feature of Defender for Azure storage. When I upload a zipped file to blob, I can see in the scan results the following response:
```json
{
  "malwareNamesFound": [
    "Virus:DOS/EICAR_Test_File"
  ],
  "sha256": "55ACA31E55CF8019BC7D135FC2B1B1AA8D91052C4F1EC2E94FB4A5405B907C45",
  "pathHints": [
    "->MTest/eicar.com.txt",
    "->MTest/eicar2.com",
    "->MTest/footestfromp.com"
  ]
}
```
As per the documentation, the scanResultDetails JSON doesn't contain any **pathHints** field. Could you please let us know if this is an internal field and shouldn't be used in our automation? Or is only the documentation missing?
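
One way to apply the answer's advice in automation, as an added example that is not part of the original thread or Microsoft's code: the action is decided from the documented fields only, and `pathHints` is read defensively as optional context. The function names, the action labels and the two verdict strings are assumptions made for this sketch; the sample payload is the one from the question.

```python
import json

# Verdict strings are assumptions; confirm them against the current event schema.
MALICIOUS = "Malicious"
CLEAN = "No threats found"

# Sample scanResultDetails copied from the question on this page.
SAMPLE = json.loads("""{
  "malwareNamesFound": ["Virus:DOS/EICAR_Test_File"],
  "sha256": "55ACA31E55CF8019BC7D135FC2B1B1AA8D91052C4F1EC2E94FB4A5405B907C45",
  "pathHints": ["->MTest/eicar.com.txt", "->MTest/eicar2.com",
                "->MTest/footestfromp.com"]
}""")


def inner_paths(details):
    """Best-effort read of the undocumented pathHints field; never raises."""
    hints = details.get("pathHints")
    if not isinstance(hints, list):
        return []  # field missing, renamed or reshaped: carry on without it
    paths = []
    for hint in hints:
        if isinstance(hint, str) and hint.strip():
            hint = hint.strip()
            # The sample prefixes each entry with "->"; strip it if present.
            paths.append(hint[2:] if hint.startswith("->") else hint)
    return paths


def decide(scan_result_type, details):
    """Return (action, context); the action uses documented fields only."""
    if not isinstance(details, dict):
        details = {}
    names = details.get("malwareNamesFound")
    if not isinstance(names, list):
        names = []
    if scan_result_type == MALICIOUS or names:
        action = "quarantine"
    elif scan_result_type == CLEAN:
        action = "allow"
    else:
        action = "hold"  # unknown or error verdict: fail closed for review
    context = {"sha256": details.get("sha256"), "malware": names,
               "inner_paths": inner_paths(details)}  # for the alert text only
    return action, context


if __name__ == "__main__":
    print(decide(MALICIOUS, SAMPLE))
```

If `pathHints` disappears or changes shape, the action is unchanged and only the alert loses the inner file names.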