Sep 09 2021 12:38 PM
Hi folks,
Sep 15 2021 01:02 PM
Sep 15 2021 02:07 PM
Sep 16 2021 12:34 PM
Sep 22 2021 02:17 PM
Oct 01 2021 06:31 AM
Oct 05 2021 09:25 AM
Oct 12 2021 10:24 AM - edited Oct 12 2021 10:27 AM
SolutionWe do not recommend excluding storage accounts from the Azure Defender, but If you want to perform cost optimization and you are considering the exclusion of specific storage accounts that are characterized with high traffic from the Azure Defender threat protection (e.g. storage accounts that are not open to the internet and do not contain sensitive data), it is possible to estimate the Defender for Storage costs first by following the blog post here.
To exclude specific storage accounts from Azure Defender, follow the following steps:
Step 1:
Enter the Tags section from the storage account(s) menu, and assign the following tag for the desired account(s) you would like to exclude:
Name |
AzDefenderPlanAutoEnable |
Value |
off |
After assigning the Tag name and value, click Apply.
It should look like the screenshot below after applying:
The tag excludes the account from getting updates from the subscription level enablement policy, these updates that occurs daily (If required, you can find here more information on assigning tags)
Step 2:
Disable "Azure Defender" on the desired accounts(s) by performing one of the following actions:
Option A (PowerShell command):
Run the following command in PowerShell on the relevant resource(s):
Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>
(the cmdlet is documented here)
Option B - Enable/Disable on the account level (from the Azure Security Center portal):
Security Center ➡ Pricing & settings ➡ Select the desired subscription ➡ Toggle Storage off/on (and click Save)
Oct 12 2021 10:59 AM
May 29 2022 01:26 PM - edited May 29 2022 01:28 PM
Stanislav,
Pardon the ingenuity of my question, but what's the risk of disabling ATP for a storage account that's exclusively used to support an Azure Function App transaction?
We currently leverage Function Apps to implement our microservice architecture. ATP accounts for 69% of the billing for each Function App due to the number of transactions each generates on its dedicated storage account. As a CSP, I have to justify to my customers what type of protection this (high relative) cost adds to our architecture.
Jan 08 2023 11:18 PM
@Stanislav Belov will this tag option to exclude work on a Resource Group as well?
Oct 12 2021 10:24 AM - edited Oct 12 2021 10:27 AM
SolutionWe do not recommend excluding storage accounts from the Azure Defender, but If you want to perform cost optimization and you are considering the exclusion of specific storage accounts that are characterized with high traffic from the Azure Defender threat protection (e.g. storage accounts that are not open to the internet and do not contain sensitive data), it is possible to estimate the Defender for Storage costs first by following the blog post here.
To exclude specific storage accounts from Azure Defender, follow the following steps:
Step 1:
Enter the Tags section from the storage account(s) menu, and assign the following tag for the desired account(s) you would like to exclude:
Name |
AzDefenderPlanAutoEnable |
Value |
off |
After assigning the Tag name and value, click Apply.
It should look like the screenshot below after applying:
The tag excludes the account from getting updates from the subscription level enablement policy, these updates that occurs daily (If required, you can find here more information on assigning tags)
Step 2:
Disable "Azure Defender" on the desired accounts(s) by performing one of the following actions:
Option A (PowerShell command):
Run the following command in PowerShell on the relevant resource(s):
Disable-AzSecurityAdvancedThreatProtection -ResourceId <resourceId>
(the cmdlet is documented here)
Option B - Enable/Disable on the account level (from the Azure Security Center portal):
Security Center ➡ Pricing & settings ➡ Select the desired subscription ➡ Toggle Storage off/on (and click Save)