Blog post updated on April 17th, 2024.
Estimate the cost of Microsoft Defender for Storage
Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption.
This blog post explains how to use a new workbook that helps you estimate the cost of Microsoft Defender for Storage and add-ons, like Malware Scanning, based on your current storage usage.
Prerequisites
To use the cost estimation workbook, you need the following:
- At least one Azure subscription with Storage Accounts (Defender for Storage is not required)
- Access to the Azure portal
- Subscription or resource-level reader permission
- At least Workbook Contributor permissions on the targeted resource group to save the workbook
Access the cost estimation workbook
The workbook is available in the Microsoft Defender for Cloud GitHub repository. You can access it directly from this link.
Deploy it
- Go to the workbook’s location: Microsoft-Defender-for-Cloud/Workbooks/Microsoft Defender for Storage Price Estimation at main · Azure/Microsoft-Defender-for-Cloud (github.com)
- In the ReadMe.md file, click the button “Deploy to Azure”
- This takes you to the Azure portal, where the template settings are displayed for you to fill in. The subscription, resource group and region are required before you can select “Review + Create”.
- After clicking “Review + Create”, the workbook will appear in your resource group.
- Click on it and then on “Open Workbook”.
What it looks like
The workbook will display the following information in the tab “Defender for Storage coverage”:
| Column name | Description |
| --- | --- |
| Subscription | Subscription name in the scope. |
| In trial | True/False value if the subscription has a free trial. |
| Is enabled | Enabled/Disabled value if there’s a Defender for Storage plan enabled. |
| DF-Storage plan | The Defender for Storage plan enabled at the subscription level, or whether it’s disabled. |
| Malware scanning enabled | True/False value if the Defender for Storage add-on Malware Scanning is enabled at the subscription level. For Classic plans, this is blank, since the feature is not available there. |
| Malware scanning cap | The cap setting value at the subscription level. |
| Sensitive data discovery enabled | True/False value if the Defender for Storage add-on Sensitive Data Discovery is enabled at the subscription level. For Classic plans, this is blank, since the feature is not available there. |
The tab “Cost estimation” will display the following information:
| Column name | Description |
| --- | --- |
| Subscription | Subscription name in the scope. |
| Storage account | Storage account name in the scope. |
| Estimated monthly transactions | Transactions taken from a 7-day usage sample and extrapolated to a 30-day result. |
| Overage transactions | Total transactions that are greater than or equal to 73M. |
| Storage account cost | Cost without considering overage. This is $10 USD. |
| Estimated overage charge | Overage transactions cost. |
| Estimated monthly cost (activity monitoring) | “Storage account cost” + “Estimated overage charge” |
| Estimated monthly uploaded GBs | 7-day ingress bytes taken from microsoft.storage/storageaccounts/blobservices-Transaction-Ingress, extrapolated to a monthly total based on a standard 30-day month, then converted from bytes to gigabytes using the factor 1073741824 (bytes per gigabyte). The APIs in the filter are: AppendFile, CopyBlob, CreatePathFile, FlushFile, PutBlob, PutBlock, PutBlockFromURL, PutBlockList. |
| Estimated malware scanning cost | Cost considering “Estimated monthly uploaded GBs”. Malware Scanning cost is currently $0.15 USD per GB scanned. |
Note: You can filter the results by subscription and storage account.
Workbook estimation limitations
This tool estimates malware scanning costs based on the total volume of blobs uploaded, as indicated by Blob Ingress metrics. Please consider the following:
- Multiple scans: Specific upload methods, such as PutBlockList operations, may trigger multiple scans for a single blob (e.g., when writing logs to the same blob). This tool does not accurately capture the additional costs from multiple scans triggered by such operations.
- Index Tag costs: Costs associated with blob index tags, which store scan times and results on supported blobs, are not included in these estimates. Learn more about index tag costs in the Azure Storage Blobs Pricing page.
- Blob size: The estimation accounts for all uploaded blobs; however, only blobs smaller than 2GB are actually scanned.
Good to know
Note: Resources protected before March 28, 2023, are protected by Defender for Storage (classic) plan. Customers who protected storage accounts prior to this (under the per-transaction or per-storage account plans) are encouraged to migrate to the new plan to enjoy enhanced capabilities. Please note that after March 28, 2023, all new subscriptions created through the Azure portal will enable the new Defender for Storage (per-storage account plan) by default. Learn about migrating to the new plan.
The cost of Defender for Storage is based on the number of storage accounts within a subscription. Storage accounts that have fewer than 73 million monthly transactions are billed at $10 USD each. Storage accounts with higher transaction volume (above 73M monthly transactions) incur an overage charge of $0.1492 per additional 1 million transactions.
This PowerShell script helps you enumerate all storage accounts in your environment and get the transaction metrics for the last week.
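The calculation described in the “Cost estimation” table and the pricing paragraph above, written out as an added Python example (it is not the workbook’s query or the PowerShell script). The account names and 7-day samples are constructed, and prorating overage below one million transactions is an assumption.

```python
from dataclasses import dataclass

# Prices and thresholds as stated in this post (USD).
BASE_USD = 10.0                  # per storage account per month
INCLUDED_TX = 73_000_000         # monthly transactions before overage applies
OVERAGE_USD_PER_MILLION = 0.1492
SCAN_USD_PER_GB = 0.15           # Malware Scanning add-on
BYTES_PER_GB = 1_073_741_824
SAMPLE_DAYS, MONTH_DAYS = 7, 30


@dataclass
class Estimate:
    monthly_tx: float
    overage_tx: float
    activity_usd: float          # storage account cost + overage charge
    uploaded_gb: float
    scanning_usd: float

    @property
    def total_usd(self) -> float:
        return self.activity_usd + self.scanning_usd


def estimate_account(tx_7d: int, ingress_bytes_7d: int) -> Estimate:
    """Scale a 7-day sample to a 30-day month and price it."""
    monthly_tx = tx_7d * MONTH_DAYS / SAMPLE_DAYS
    overage_tx = max(0.0, monthly_tx - INCLUDED_TX)
    # Assumption: overage is prorated, not rounded up to whole millions.
    overage_usd = overage_tx / 1_000_000 * OVERAGE_USD_PER_MILLION
    uploaded_gb = ingress_bytes_7d * MONTH_DAYS / SAMPLE_DAYS / BYTES_PER_GB
    return Estimate(monthly_tx, overage_tx, BASE_USD + overage_usd,
                    uploaded_gb, uploaded_gb * SCAN_USD_PER_GB)


def estimate_all(samples: dict) -> dict:
    """Map account name -> Estimate for {name: (tx_7d, ingress_bytes_7d)}."""
    return {name: estimate_account(*s) for name, s in samples.items()}


# Constructed 7-day samples (hypothetical account names, not real metrics).
SAMPLES = {
    "stlogsprod": (21_000_000, 700 * BYTES_PER_GB),  # busy: exceeds 73M/month
    "stbackups": (7_000_000, 7 * BYTES_PER_GB),      # quiet: base cost only
}

if __name__ == "__main__":
    for name, e in estimate_all(SAMPLES).items():
        print(f"{name}: tx/month={e.monthly_tx:,.0f} overage={e.overage_tx:,.0f} "
              f"activity=${e.activity_usd:.2f} scan=${e.scanning_usd:.2f} "
              f"total=${e.total_usd:.2f}")
```

For the busy account the upload volume, not the transaction overage, dominates the bill, which is why the per-GB Malware Scanning estimate deserves the closer look before enabling the add-on.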
Calculating across several large subscriptions or a tenant
To pull Blob and File Transactions from each Storage Account in larger subscriptions or across a tenant, use this PowerShell script. The Price Estimation used in the script is calculated differently from the workbook described in this blog post. Note that the PowerShell script does not currently estimate the add-on Malware Scanning. This will come in the next couple of weeks.
Known Issues
- Azure Monitor Metrics data backends have limits, and requests to fetch data across many Storage Accounts might time out. To solve this, narrow the scope (reduce the number of selected Storage Accounts).
- Errors might appear as 0 transactions in Files and Blobs. To verify this error, go to Edit Mode; the "Timed out" message will be displayed in the query.
- If you don’t have permissions to read on the storage accounts, there might be an error like this:
Contributors: Eitan Shteinberg, Fernanda Vela, Rogério Barros, Hasan Abo-Shally, Dick Lake, Shay Amar, Daniela Villareal
Reviewer: Yuri Diogenes
References:
- Microsoft-Defender-for-Cloud/Workbooks/Microsoft Defender for Storage Price Estimation at main · Azure/Microsoft-Defender-for-Cloud (github.com)
- Pricing—Microsoft Defender for Cloud | Microsoft Azure
- Pricing Calculator | Microsoft Azure
- Microsoft Defender for Storage - the benefits and features | Microsoft Docs
- Azure-Security-Center/Powershell scripts/Read Azure Storage Transaction Metrics at main · Azure/Azur...
- Microsoft-Defender-for-Cloud/Powershell scripts/Storage Price Estimation Script at main · Azure/Micr...