Microsoft Defender for Storage – Price Estimation Dashboard

Fernanda_Vela

Microsoft

Jun 09, 2021

Blog post updated on April 17th, 2024.

Estimate the cost of Microsoft Defender for Storage

Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption.

This blog post explains how to use a new workbook that helps you estimate the cost of Microsoft Defender for Storage and add-ons, like Malware Scanning, based on your current storage usage.

Prerequisites

To use the cost estimation workbook, you need the following:

At least one Azure subscription with Storage Accounts (Defender for Storage is not required)
Access to the Azure portal
Subscription or resource-level reader permission

At least Workbook Contributor permissions on the targeted resource group to save the workbook

Access the cost estimation workbook

The workbook is available in the Microsoft Defender for Cloud’s GitHub repository. You can access it directly from this link.

Deploy it

Go to the Workbook’s location Microsoft-Defender-for-Cloud/Workbooks/Microsoft Defender for Storage Price Estimation at main · Azure/Microsoft-Defender-for-Cloud (github.com)
In the ReadMe.md file, click the button “Deploy to Azure”

This will take you to the Azure portal and the template settings will display for you to fill them. The subscription, resource group and region are required for you to Review + Create.

After clicking on “Review + Create” the workbook will show in your resource group.
Click on it and then on “Open Workbook”.

How it looks like

The workbook will display the following information in the tab “Defender for Storage coverage”:

Column name	Description
Subscription	Subscription name in the scope.
In trial	True/False value if the subscription has a free trial.
Is enabled	Enabled/Disabled value if there’s a Defender for Storage plan enabled.
DF-Storage plan	The Defender for Storage plan enabled at the subscription-level or if it’s disabled.
Malware scanning enabled	True/False value if the Defender for Storage add-on Malware Scanning enabled at the subscription-level. For Classic plans, it will show in blank since this feature is not available there.
Malware scanning cap	The cap setting value at the subscription level.
Sensitive data discovery enabled	True/False value if the Defender for Storage add-on Sensitive Data Discovery is enabled at the subscription-level. For Classic plans, it will show in blank since this feature is not available there.

The tab “Cost estimation” will display the following information:

Column name	Description
Subscription	Subscription name in the scope.
Storage account	Storage account name in the scope.
Estimated monthly transactions	Transactions taken from a 7-day usage-sample and then used for a 30-day result.
Overage transactions	Total transactions that are more or equal to 73M.
Storage account cost	Cost without considering overage. This is $10 USD.
Estimated overage charge	Overage transactions cost
Estimated monthly cost (activity monitoring)	“Storage account cost” + “Estimated overage charge”
Estimated monthly uploaded GBs	7-day ingress bytes taken from microsoft.storage/storageaccounts/blobservices-Transaction-Ingress; then this is extrapolated to estimate the monthly total based on a standard 30-day month, and finally, it converts this monthly total from bytes to gigabytes using the factor 1073741824 (bytes per gigabyte). The APIs in the filter are: AppendFile, CopyBlob, CreatePathFile, FlushFile, PutBlob, PutBlock, PutBlockFromURL, PutBlockList.
Estimated malware scanning cost	Cost considering “Estimated monthly uploaded GBs”. Malware Scanning cost is currently $0.15 USD per GB scanned.

Note: You can filter the results by subscription and storage account.

Workbook estimation limitations

This tool estimates malware scanning costs based on the total volume of blobs uploaded, as indicated by Blob Ingress metrics. Please consider the following:

Multiple scans: Specific upload methods, such as PutBlockList operations, may trigger multiple scans for a single blob (e.g., when writing logs to the same blob). This tool does not accurately capture the additional costs from multiple scans triggered by such operations.
Index Tag costs: Costs associated with blob index tags, which store scan times and results on supported blobs, are not included in these estimates. Learn more on index tags costs in the Azure Storage Blobs Pricing page.
Blob size: The estimation accounts for all uploaded blobs; however, only blobs smaller than 2GB are actually scanned.

Good to know

Note: Resources protected before March 28, 2023, are protected by Defender for Storage (classic) plan. Customers who protected storage accounts prior to this (under the per-transaction or per-storage account plans) are encouraged to migrate to the new plan to enjoy enhanced capabilities. Please note that after March 28, 2023, all new subscriptions created through the Azure portal will enable the new Defender for Storage (per-storage account plan) by default. Learn about migrating to the new plan.

The cost of Defender for Storage is based on the number of storage accounts within a subscription. Storage accounts that have less than 73 million monthly transactions, are billed at $10 USD each. Storage accounts with higher transaction volume (above 73M monthly transactions) will experience an overage charge of $0.1492 per additional 1 million transactions.

This PowerShell script helps you enumerate all storage accounts in your environment and get the transaction metrics for the last week.

Calculating across several large subscriptions or a tenant

To pull Blob and File Transactions from each Storage Account in larger subscriptions or across a tenant use this PowerShell script. The Price Estimation used in the script is calculated differently from the workbook described in this blog post. Note that the PowerShell script does not currently estimate the add-on Malware Scanning. This will come in the next couple of weeks.

Known Issues

Azure Monitor Metrics data backends have limits and probably the number of requests to fetch data across Storage Accounts might time out. To solve this, you will need to narrow the scope (reduce the selected Storage Accounts).
Errors might reflect by showing 0 transactions in Files and Blobs. To verify this error, go to Edit Mode and the "Timed out" message will be displayed in the query.
If you don’t have permissions to read on the storage accounts, there might be an error like this: