Blog Post

Microsoft Defender for Cloud Blog
5 MIN READ

Microsoft Defender for Storage – Price Estimation Dashboard

Fernanda_Vela's avatar
Fernanda_Vela
Icon for Microsoft rankMicrosoft
Jun 09, 2021

Blog post updated on April 17th, 2024.

 

Estimate the cost of Microsoft Defender for Storage

Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption.

 

This blog post explains how to use a new workbook that helps you estimate the cost of Microsoft Defender for Storage and add-ons, like Malware Scanning, based on your current storage usage.

Prerequisites

To use the cost estimation workbook, you need the following:

  • At least one Azure subscription with Storage Accounts (Defender for Storage is not required)
  • Access to the Azure portal
  • Subscription or resource-level reader permission
  • At least Workbook Contributor permissions on the targeted resource group to save the workbook

Access the cost estimation workbook

The workbook is available in the Microsoft Defender for Cloud’s GitHub repository. You can access it directly from this link.

 

Deploy it

  1. Go to the Workbook’s location Microsoft-Defender-for-Cloud/Workbooks/Microsoft Defender for Storage Price Estimation at main · Azure/Microsoft-Defender-for-Cloud (github.com)
  2. In the ReadMe.md file, click the button “Deploy to Azure”

 

  1. This will take you to the Azure portal and the template settings will display for you to fill them. The subscription, resource group and region are required for you to Review + Create.

 

  1. After clicking on “Review + Create” the workbook will show in your resource group.
  2. Click on it and then on “Open Workbook”.

 

How it looks like

 

 

 

The workbook will display the following information in the tab “Defender for Storage coverage”:

 

Column name

Description

Subscription

Subscription name in the scope.

In trial

True/False value if the subscription has a free trial.

Is enabled

Enabled/Disabled value if there’s a Defender for Storage plan enabled.

DF-Storage plan

The Defender for Storage plan enabled at the subscription-level or if it’s disabled.

Malware scanning enabled

True/False value if the Defender for Storage add-on Malware Scanning enabled at the subscription-level. For Classic plans, it will show in blank since this feature is not available there.

Malware scanning cap

The cap setting value at the subscription level.

Sensitive data discovery enabled

True/False value if the Defender for Storage add-on Sensitive Data Discovery is enabled at the subscription-level. For Classic plans, it will show in blank since this feature is not available there.

 

 

The tab “Cost estimation” will display the following information:

 

Column name

Description

Subscription

Subscription name in the scope.

Storage account

Storage account name in the scope.

Estimated monthly transactions

Transactions taken from a 7-day usage-sample and then used for a 30-day result.

Overage transactions

Total transactions that are more or equal to 73M.

Storage account cost

Cost without considering overage. This is $10 USD.

Estimated overage charge

Overage transactions cost

Estimated monthly cost (activity monitoring)

“Storage account cost” + “Estimated overage charge”

Estimated monthly uploaded GBs

7-day ingress bytes taken from microsoft.storage/storageaccounts/blobservices-Transaction-Ingress; then this is extrapolated to estimate the monthly total based on a standard 30-day month, and finally, it converts this monthly total from bytes to gigabytes using the factor 1073741824 (bytes per gigabyte).

The APIs in the filter are: AppendFile, CopyBlob, CreatePathFile, FlushFile, PutBlob, PutBlock, PutBlockFromURL, PutBlockList.

Estimated malware scanning cost

Cost considering “Estimated monthly uploaded GBs”. Malware Scanning cost is currently $0.15 USD per GB scanned.

 

Note: You can filter the results by subscription and storage account.

 

Workbook estimation limitations

This tool estimates malware scanning costs based on the total volume of blobs uploaded, as indicated by Blob Ingress metrics. Please consider the following:

  • Multiple scans: Specific upload methods, such as PutBlockList operations, may trigger multiple scans for a single blob (e.g., when writing logs to the same blob). This tool does not accurately capture the additional costs from multiple scans triggered by such operations.
  • Index Tag costs: Costs associated with blob index tags, which store scan times and results on supported blobs, are not included in these estimates. Learn more on index tags costs in the Azure Storage Blobs Pricing page.
  • Blob size: The estimation accounts for all uploaded blobs; however, only blobs smaller than 2GB are actually scanned.

 

Good to know

 

 

Note: Resources protected before March 28, 2023, are protected by Defender for Storage (classic) plan. Customers who protected storage accounts prior to this (under the per-transaction or per-storage account plans) are encouraged to migrate to the new plan to enjoy enhanced capabilities. Please note that after March 28, 2023, all new subscriptions created through the Azure portal will enable the new Defender for Storage (per-storage account plan) by default. Learn about migrating to the new plan.

 

 

The cost of Defender for Storage is based on the number of storage accounts within a subscription. Storage accounts that have less than 73 million monthly transactions, are billed at $10 USD each. Storage accounts with higher transaction volume (above 73M monthly transactions) will experience an overage charge of $0.1492 per additional 1 million transactions.

 

 

 

 

This PowerShell script helps you enumerate all storage accounts in your environment and get the transaction metrics for the last week.

 

Calculating across several large subscriptions or a tenant

To pull Blob and File Transactions from each Storage Account in larger subscriptions or across a tenant use this PowerShell script. The Price Estimation used in the script is calculated differently from the workbook described in this blog post. Note that the PowerShell script does not currently estimate the add-on Malware Scanning. This will come in the next couple of weeks.

 

 

 

Known Issues

  • Azure Monitor Metrics data backends have limits and probably the number of requests to fetch data across Storage Accounts might time out. To solve this, you will need to narrow the scope (reduce the selected Storage Accounts).
  • Errors might reflect by showing 0 transactions in Files and Blobs. To verify this error, go to Edit Mode and the "Timed out" message will be displayed in the query.
  • If you don’t have permissions to read on the storage accounts, there might be an error like this:

 

Contributors: Eitan Shteinberg, Fernanda Vela, Rogério BarrosHasan Abo-Shally, Dick Lake, Shay Amar, Daniela Villareal,

 

Reviewer: Yuri Diogenes

 

 

References:

 

 

Updated Apr 17, 2024
Version 9.0
  • Just from my experience and a word of caution.    Running ATP on legacy VM Unmanaged disks (i.e. a Storage account you manage yourself using Page Blobs) will be included in the $.02/10k transactions, even for local VM disk reads and writes.    I had a case where a SF Cluster using unmanaged disks, racked up over $600/month in ATP since the normal behavior for the application running on it was disk heavy.  That was about a year ago.  Not sure if anything changed.    I disabled the Defender due to that.

    Kind Regards,

    Steve

  • Wise_1's avatar
    Wise_1
    Copper Contributor

    I had to modify the storage picker query in the workbook to get all our storage accounts to show up. 

    Account kind: FileStorage /Azure Files weren't showing up.
     
    Removed this | where kind == StorageV2 to allow selection of all storage accounts.  
    New Query-
    where type =~ 'microsoft.storage/storageaccounts'
    order by name asc
    extend Rank = row_number()
    project value = id
  • stian3555's avatar
    stian3555
    Copper Contributor

    It seems the price of Defender for Storage (Classic) has increased from $0.02/10K transactions/month to $0.15/10K transactions/month which is a 750% bump in cost for the old plan, if the new price is correct then the dashboard should probably reflect the change as price is a key factor when deciding which storage accounts to upgrade to the new plan.

    Best regards,
    Stian

  • alekcfia's avatar
    alekcfia
    Copper Contributor

    Is this workbook still supported/updated? It was working few months ago and now when I click on estimate "per storage account (new plan)" even with only one storage account it just endlessly spinning and nothing is listed... I redeployed the WB again but still the same issue. And yes, I have access to all SA that I'm trying to estimate.

    Thanks