
S6 E21
Protecting Data within Storage Accounts with Microsoft Defender for Storage
Episode Transcript
Hello and welcome to the Let's Talk Azure podcast with your hosts, Sam Foote and Ian Armstrong.
If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.
It's episode 21 of season six.
In this episode, we dive into Microsoft Defender for Storage, a key component of Microsoft Defender for Cloud.
We look at its features for threat detection and malware scanning.
We discuss its real world benefits and we also cover the pricing considerations.
We've noticed that a large number of you aren't subscribed, so if you do enjoy our podcast, please do consider subscribing.
It would mean a lot to us for you to show support to the show.
It's a really good episode, so let's jump in.
Hey, Alan, how are you this week?
Hey, Sam.
Not doing too bad.
How are you?
Yeah, I am good, thank you.
I think we should congratulate ourselves for, you know, recording the correct episode on time in August.
So.
Yeah, yeah, I'll pass both on the back for that one.
Anything, anything new in your sort of universe over the last week?
No, no, it was good.
Long bank holiday weekend from a personal side, nice little bit of a rest.
But yeah, work's busy.
Purview is.
Seems to be the thing at the moment, rightly or wrongly.
So, you know, funny you should say that because I've just.
I've actually just started a purview project as well, actually, to be totally.
It just it.
Yeah.
I don't.
I don't know what's driving it.
I.
I feel like it's.
I do actually genuinely feel like it's AI driving a lot of the.
It's giving people more of a reason, if that makes sense.
Right.
Like it's right in front of their face.
Yeah.
I wonder if some of it.
Well, I think there's some regulatory compliance changes.
We've always said, I think in previous, you know, beginnings and things, but I think the AI part is exposing what access users have.
Yeah.
And it's like, oh, we need to.
Tell me about your SharePoint governance model.
He left two years ago.
Right.
Yeah.
Or they just copy and pasted it.
Lift and shift.
Where is all your data?
I have no idea.
So Microsoft promotes that.
You should first know your data.
What data?
Oh, the stuff that we need to protect.
Oh, yeah, that data.
No, no, it's good.
And I do really think that Microsoft do really have a compelling offering in that area.
You know, I don't really see too much pushback on adopting that technology, which I think is really good to see.
No, no, definitely not.
I mean there's, there could be some maybe improvements to some of it, but it's more of a day to day part of it, I think.
What, how fast the pages load.
That's.
That's one thing maybe, but I think there's just.
And yeah, some of, some of the interfaces maybe need.
They've got better, don't get me wrong, than what they were, but there's sometimes you're a bit like, oh, yeah, okay, I got to do this because of this.
Not just, you know, go straight to it or, or something like that.
There's a few bits, but it's not the, you know, nothing's at the end of the world kind of thing.
It's just because, you know, because we have to do the same thing.
Well, I'm not going to say same thing every day, but because we have to rinse, repeat the same sort of initial processes, sometimes with other customers, you notice it a lot more, I think.
Yeah, it is, yeah.
And it's, it's quite.
I don't know the best way to describe it.
The, the amount that you have to configure and the way that you configure it is very like dry, isn't it?
Right.
It's, it's a lot of like jumping between different screens, configuring one bit here, one bit there, waiting for a test to run.
You know, it's, it's not like just slapping, slap it on and go, if that makes sense.
Right.
It's not this cookie cutter, is that right?
So it's.
Yeah, no, it's definitely not, you know, a Defender for Endpoint rollout or a Defender.
Yeah, that's what, that's what I mean.
Yeah.
It's not like, you know, there's only.
10 options or 20 options.
This is like can of worms.
Because it's data.
Yeah, yeah, exactly.
100%.
Talking of data, Alan, look at that.
Segue that we didn't even know we were going to do.
Yes.
So what's this episode on then, Sam?
Well, we're doing Defender for storage, which is.
How convenient.
Yeah.
So we're going to cover Defender for Storage, which is a workload protection as part of Defender for Cloud.
We were slowly working our way through the Defender for Cloud because it is not just a single Defender, it's.
I don't know how many.
Wait there.
One.
I think they've added a couple since we started.
11.
It's 11 protective workloads plus CSPM.
So I'll call it 12.
12 products.
Yeah, so yeah, so we're slowly working our way through them.
Some we are going to combine in an episode because they're not like kind of big enough to run standalone, but you know there is a load of really good, you know, workload protections that are there and CSPM is really good as well, don't get me wrong.
But you know, Defender for Cloud, you know, if you do have, you know, resources and assets in Azure, you know, should be seriously considered.
I know that some other tools can do like the CSPM, you know, like checking side of things and auditing, etc.
But from a protective workloads perspective.
Yeah, some real key value adds there.
Yeah, I mean you did mention Azure.
Don't forget the other two big players as well for some of the workloads.
Yeah, that's true.
Yeah.
To be fair.
And how cloud agnostic Microsoft have been across AWS and GCP as well.
So we do have an episode on Defender for Cloud I and CSPM.
We've got a fair few episodes.
Maybe we'll grab those at the end if you want to find out more about the wider ecosystem.
Yeah.
Okay, so let's get started then, I guess.
So can you give us an overview of then of the Defender for storage in the Defender Cloud portfolio?
Yeah.
Okay, so as the name suggests, you know, it is designed to, is designed as a protection layer on top of various storage mechanisms within Azure.
And really what the idea here is that you have these stores of data.
It doesn't really matter in this scenario what they are I suppose but your, you know, you're potentially uploading sensitive information.
Your users could also be uploading potentially sensitive information.
And you know, you want to be able to monitor like you would with like a traditional files, you know, server.
Right.
You might have like in a, traditionally you might have had like a file server with like an antivirus and anti malware solution on it.
Well, you know, when you upload to an Azure Blob Storage account you don't natively have like anti malware capability etc.
So this is a separate product on top of those resources.
Now one of the things you might be thinking is like well why do you need a product on top?
You know and I, I do think it's right to have this split out because you know, for some storage locations you may not need this type of malware, you know, and not just malware but you know, protection capability and monitoring capability.
So you have that flexibility to sort of decouple that cost, you know, from your actual resources.
But also in the traditional sense, you know, a lot of like files systems or file servers would have licensed this technology separately.
You know, if you'd had like a traditional web server.
So maybe let's say you had like a WordPress site where people could upload, you know, items to or something like that, you would have had to pay for or use like an open source, you know, malware solution.
The, the operating system, you know, the applications themselves didn't handle that and still don't really today.
It's all these separate solutions anyway.
So that is similar to what's happening in like the rest of the industry in you know, quotes non cloud type services.
So you know, it essentially is a security solution that analyzes data and control plane technology generated from Azure Blob storage, Azure Files, Azure Data Lake storage services.
So if you're using any of those solutions, then you know, Defender for Storage may be applicable to your workload.
It also pulls in data for threat detection capabilities.
And that is powered by Microsoft Defender Threat Intelligence as well.
Microsoft Defender antivirus is used for malware scanning.
And there is also a sensitive data discovery element as well, which I will go into.
But imagine, you know, you have this, this, this, this sensitive and valuable data that you're uploading into the cloud.
Just, just think that, you know, Defender for storage is a protection mechanism on top of that data as well.
You know, because really you need to think about, when you are protecting that data, you need to think about first, you know, sort of control plane analysis, you know, who's got access to that data, how they're moving that data, you know, between workloads, et cetera.
You also need to think about the types of data that is being uploaded.
There, you know, is, you know, is that data bound by some sort of regulatory compliance framework, you know, what would happen if that data was compromised and leaked from your systems.
You know, you need to think about, you know, what protection you're going to put in place on top of it.
So having a system that is constantly monitoring those, that storage mechanisms is vitally important because we do see attacks, you know, we see sort of malware like upload type attacks, you know, malicious payloads.
You might have malicious insiders that are exfiltrating data.
You might have people trying to use reconnaissance to identify and to probe for different data within those storage mechanisms and all of that.
Well, you can think, have things like token abuse and credential theft of your administrators or a compromised third party that has access to that data as well.
So you have all these different like you know, monitoring and protection capabilities that you would want and they've.
Microsoft have wrapped that into one singular product.
So I guess we're also saying, I suppose an example of one of your sort of, I suppose use cases for storage accounts or data lakes, etc.
Could be if you had.
I guess, I think we always use like the social media example, don't we?
As being the example having a social media website where you maybe upload files to and it can go to Blob storage and potentially maybe not in the, in the data being transferred sort of.
There may not be any, you know, protection or checks for, for malware or anything like that in that I suppose processing, but once it gets dropped into Blob storage thing, etc, someone else could then pick it up and then yeah, be ransomware etc or whatever it might be.
But in effect we're saying that if anything like that potentially could be scanned.
As an example, like you said, if it was on a web server or file share, that would be AV on that product, wouldn't there?
Yeah.
And you know, in that example you've got users that are uploading, you know, content that's going to be consumed by other users, you know, so you have, you do have a, you know, a duty of care there to your users to say, to make sure that, you know, your users aren't uploading malicious, you know, artifacts and you could try and bake that into your application product, you know, and try and license in that technology and you know, get your developers to integrate it.
Or you could just apply defender for storage onto the storage account and have it clean up and monitor for you and your security teams and to prevent, you know, abuse and misuse.
Yeah, okay.
Okay, can you take us through then some of the key features?
You kind of mentioned some of them just then as the sort of overview.
But can we dive in a little bit more?
Yeah.
So the first one is really around activity monitoring.
So this is detection of unusual and potentially harmful activities.
So it analyzes access patterns and behaviors of end users.
So this is helpful for identifying things such as unauthorized access data exfiltration attempts and reconnaissance type activity as well.
So who's accessing these items, how are they accessing them, when are they accessing them, to what degree are they accessing them, that type of thing.
So how should I go through this with you?
Let's just think about this a second.
No, let's.
Okay, so the next area is sensitive data threat detection as well.
So this is in place to identify and protect sensitive data to essentially look at the actual data that is stored in those storage accounts and looking at how that data is accessed and how that data is potentially exfiltrated as well.
So when we're looking through this, let's just talk about how this essentially works.
So in combination with Defender for CSPM, Defender for CSPM gives you data aware security posture.
Okay?
So it will understand the, it'll give you visibility of your data estate and the criticality and the sensitivity of the data.
Essentially, you know, look at the data, apply classifications to it to understand what is there and how sensitive it is.
And then Defender for Storage layers on top of that, in combination with that to give you prioritized security alerts on that sensitive data as it's being exposed, etc.
So it's not Defender for storage isn't doing that, you know, security posture analysis that is Defender for CSPM alongside it.
But together that gives you sensitive data discovery.
So not only can you identify the data sitting there, but you can also understand how it's actually being used.
And really when we're looking at data and we are sort of data custodians and guardians, that monitoring aspect of how data is used is ultimately just as important as labeling or you know, and classifying the data as it's sitting there, you know, not being used, if that makes sense.
So you use a capability called the sensitivity context with, inside the portal to understand when a security alert is triggered, what, what sensitive information types have been identified, so what types of data is there.
And it gives you that sensitivity context when you've got an alert.
So it's really just operationalizing that data discovery that you would have had previously.
And the other main area really is around malware scanning.
So this is the example that we've already spoken about quite a bit.
So yeah, scan the storage accounts for malware by analyzing files that are known threats and suspicious content.
So you configure malware scanning and there's a few different, there's a couple of different modes that you can set this to.
So there is on and I'm assuming you know, most people know what malware scanning is.
You know, that is, you know, trying to identify like known bad artifacts, executables, objects that are uploaded by threat actors.
So there's two types of malware scanning.
So on upload malware scanning.
So that scans blobs automatically when they're uploaded or modified.
So that provides near real time detection essentially.
So you know, this is perfect for like user file uploads, web applications, collaborative platforms, you know, scanning content as it's uploaded, you know, helps you to prevent those files from even entering your storage environments in the first place because you may have downstream processes that users use that data and you don't want it to make, to make its way downstream before you've had a chance to nuke it out of your systems.
But you do have to be a bit cautious on that.
You know, you, you need to make sure that when you're uploading those files, you know, those scan durations can, can vary based on like file size, the load of the service, the type of file, the latency of the underlying storage accounts.
So you do need to factor that into your sort of, you know, development process and your user experience and workflows as well.
So the other one is on demand as well.
So you can scan, you know, your existing blob storage or your existing blobs, sorry I should say, whenever necessary.
So you can do that retrospectively for, you know, compliance, incident response.
You know, it's, it's great for, if you're applying this after the fact, let's say you, you don't have a product today and you're applying it on top of existing data stores, you can, you know, alert where you can scan on demand afterwards.
You know, and, and really, you know, any system that stores data, it doesn't even, I don't, in my mind, it doesn't even need to be real time and collaborative communications.
You know, every data store should have an element of, you know, malware scanning if you know that, that date well, however that data is uploaded.
Right.
You know, you would have, you would have anti malware on every single one of your endpoints and your servers.
You know, how would, how's that any different to like a storage account in, in Azure you might have compliance regulatory requirements that require you to have anti malware everywhere.
That is, you know, quite common nowadays as well.
So it allows you to check that box as well.
It also supports things like Zip and RAR files, up to 50 gigabytes per blob as well.
So that's also, also important, you know, being able to jump into those types of files and understand that.
And it also, we'll talk about how it integrates shortly.
I suppose actually when we talk about monitoring the scan results out of this system can go to different places.
So you can add an index tag on a blog, a blob.
So that's like a tag actually on the blob and you can read that from your server side.
You can, you can get a defender for cloud security Alert so your security teams can be alerted as well.
You can fire an event into event grid as well to feed back to your development, you know, your applications and your development teams.
And you can also put the scan results into a log analytics workspace as well.
So if you're utilizing, you know, monitor or sentinel to scan for that, you, you can do as well because there is that feedback loop with this, you know, this actual protection.
There's quite a few different ways that you can, you can integrate it as well.
What is.
Let's just talk about some of the limitations of it.
Because it's.
You.
It can't.
I can't do everything.
So client side encrypted blobs can't be scanned as the service can't decrypt them.
But blobs encrypted at rest with customer managed keys are supported.
So you know, there's going to be only so much that, you know, anti malware can do in terms of, you know, encrypted files.
Blobs uploaded to NFS3 via NFS3 protocol aren't scanned.
That could be quite a big one for some organizations.
The scan time limits as well.
Depending on, you know, how big and complex a blob is, it could take a long time to scan.
So, so you know, if you've got a, a large blob, it could range between like 30 minutes and 3 hours depending on the size of that blob.
If it, if it, if it goes past that, that time limit, the, the scan is halted and it can be marked as scan timed out.
So if you are uploading large blobs, you know, just cater for that.
That's the potential time delay.
Yeah, and there's, there's lots of various, like, I don't know, edge cases and scenarios where it might not be, you know, effective for you, but you know, for, especially if you're just storing large amounts of data in these storage types, these storage type solutions, it's going to be really beneficial for you to have visibility of it.
I do just want to call out as a feature, it is agentless.
You just sort of like you enable it in, you enable it in the Azure portal.
So, you know, there's nothing to install from that perspective.
There's an RBAC model around it and also it can be deployed via policy as well to scope specifically storage containers, to actually have this applied to them.
So it is very flexible from that perspective.
You don't have to scope in every single item, every single resource if you don't want to.
Is There anything else on the feature side that I wanted to go over?
I don't think so.
I think that's it for the features.
No, that's cool.
Yeah, there's a lot there like you said and it's, it is going to catch maybe 60, you know, 80% of the use cases, isn't it?
It's going to be.
There are going to be some edge cases that don't work, but it's going to cover most scenarios.
And so yeah, there is again, after we've done the next question, I might bring it up.
There's some new stuff in XDR around this as well.
I don't know if you're covering that or not.
Just like I seen on LinkedIn or somewhere that something turned up for it.
Okay.
No, I don't.
Well, it's.
It's storage account related or.
Yeah, storage account related.
But I might as well talk about now because I'm pretty much saying about it.
Yeah, go on.
So in Defender XDR there's a new in preview a cloud storage aggregated events table.
But you have to have Defender for cloud enabled.
But it doesn't tell you which Defender cloud.
It just says you need, you know, records are recorded by Defender Cloud.
If your organization doesn't have it, then you won't be able to query the data.
So I wonder if you need, you know, like you were saying about the, the monitoring of activity, etc.
Because Defender Cloud's, you know, collecting that data and storing it somewhere.
Microsoft decided in effect to store it in the XDR pool so that in effect you're paying for that storage, I suppose of the logs because of the service you're buying or you're consuming in Defender Cloud that it's, it's included in the price source scenario.
So they've actually exposed it to the end user.
Yeah, exactly.
Yeah.
It's like there, they might as well hook into it.
Right?
Yeah, exactly.
So yeah, I thought that was quite good because again, storing data like that in Sentinel could, you know, storage account information can incur costs or will incur costs, should say.
But how much depends on how much activity sort of thing.
So I don't know if it's as good obviously as detailed as, you know, storing the logs, activity logs, etc, you know, the diagnostic settings part of it into Sentinel is, is good.
But I think it, yeah, but I also think it's also, you know, what you've got to like build in content and Sentinel and manage as well, isn't it?
Because you know these workloads are there to help you not have to build that content.
Right, I know you're talking about that table existing.
Right.
And then you're making that reference back to sentinel and diagnostic settings.
I get that, but.
Yeah, and that makes total sense.
But you know.
Microsoft's doing those checks for you.
Like you said, it's doing it, it's.
Doing it for you.
But my kind of point with it is that we talked about this last week about the double handling of data, the duplication of data.
Right.
Because you might have compliance reasons that you need to store that.
So, you know, so Sentinel Data Lake is going to be your, your friend for that in the future.
Right.
But if you don't need that and you are just wanting to use this service, you know, as it is, you know, you want to be able to, you know, get the benefit of the workload protection, which is this is giving you, and you just want easy access to the data.
And that's what the integration with Defender is going to give you because, well, it can just see like up to date, you know, near real time data.
You know, maybe it won't go back like six months for you, but maybe you don't need that.
Right.
You know, it's part of your use case.
Yeah.
And then also it provides context, I think, into any other alerts in XDR as well, because the table's there of data, so bonuses there.
Yeah, exactly.
Okay.
Talking around, I suppose, monitoring response.
Then how do we monitor and respond to the, to the threats that, you know, it identifies.
Defender Cloud identifies.
Yeah, so let's talk about some sort of actual, you know, tangible, you know, threats that it aims to identify.
You know, we first need to think about.
Well, actually, no, I just, I discussed some of the areas.
So let's just jump straight into the alerts, I think.
Right, so here are some of the more pronounced security alerts that can be triggered from Defender for storage.
So the first one is malicious content uploaded.
So that's malware scanning, scanning every file and you getting an alert for malicious content being detected.
The next one is back to that sensitive data exposure event.
So detection of an access change to unauthenticated public access to blob containers with sensitive data from the Internet.
You know, I don't know about you, Alan, but I'm sure there's plenty of publicly accessible blob containers out there with sensitive data on them.
And sometimes when you go in to remediate those issues, people want to know whether things have been accessed or not.
So this can also give you those types of Alerts, you know, probably not the same as an access log from diagnostic settings, etc.
But again this is a tool always watching over your shoulder.
So there's an exposure event for sensitive data, but there's also suspicious activities.
So this could be, you know, information from threat intelligence usage patterns of the data.
You know, is it reconnaissance, is it, you know, bulk exfiltration, etc.
It might not be public exposure, it might be an insider risk.
It could be, you know, a lateral movement within your side of your environment.
So that's what that's aiming to look at.
Compromised, misconfigured and unusual authentication tokens.
So it can detect compromised SAS tokens used for data, data plane authentication and detection of unusual SAS tokens that can be generated by a malicious actor as well.
So this isn't just the tokens themselves going missing.
This is people you know in the portal creating new ones.
Data and permissions inspection.
So this is looking for, specifically for reconnaissance, you know, you know, brute force drive by reconnaissance type activities on your public storage accounts.
It can alert you to that as well.
General detection, data exfiltration and also data deletion.
So mass exfiltration of data from storage accounts above norms or you know, unusual amounts of deletions from your storage accounts as well.
Specific call out for blob hunting attempts.
So this is where people will scan and enumerate resources to specifically go over a potential known storage account resources.
So you know, we've seen a lot of like independent investigation that's being done on blob hunting.
You know, there's some really cool reports out there of like how much, how many, you know, publicly accessible storage accounts there are on like AWS, Amazon, etc.
So this can actually detect if that type of activity is coming through.
And another one that I wanted to call out as well is phishing campaigns as well.
So this is a detection for specific phishing content hosted on storage accounts and identified as being part of a phishing attack that impacts Microsoft 365 users.
So that's cool, that must be fed in from another service.
You know, all of these, you know, all of these security alerts, the remediation actions, the recommendations, you know, they will bubble into Defender for cloud and they can be exported to Sentinel, etc.
For sort of consolidated management as well.
The other area as well that you need to think about is that malware scanning result.
You know, I talked about, you know, the places that, you know, the blob index tag, the event grid, log analytics or a security alert.
Well, you're going to get the security alert anyway.
So you need to think about how that's going to link into your, your applications and your systems that you're, you're actually hooking in as well.
There is also a bunch of error states as well that can be created by why it didn't work.
So like if the service timed out or, you know, it's encrypted or X, Y and Z, you're going to get that level of error message as well.
What you can do to test it is you can upload like an EICAR test file into it and it will trigger your, your detection end to end.
And also, you know, if you want to test, you know, sensitive data threat detection, you can upload like specific formats of like fake test credit cards, Social Security numbers, etc.
In order to test that end to end.
So like you would in purview, you can do that type of testing as well if you want to make sure that, you know, because, you know, it's not just really just about, you know, Defender for storage raising the alert.
You have got that, the verification that like, you know, it's actually fit for purpose, but you also have all that downstream process as well that you might want to trigger as part of your SIEM and SOAR solutions.
And that's pretty much it.
You know, they are Defender for, Defender for cloud alerts that can be bubbled essentially anywhere that Defender for Cloud can be bubbled.
And you've got that malware scanning integration as well.
Nice.
Yeah, it's very good that there's, there's loads of different types there and like you said, it gives you a lot of information and then you can integrate with the Sentinel or XDR Portal in effect to see it all in one place.
Cool.
Okay, next question.
Question we normally ask near the end.
What's the cost of, of getting, you know, using the service?
Yeah.
Okay, so there's the base cost for Microsoft Defender for storage.
So that's $10 per storage account per month.
So I believe it used to be on a per transaction pricing for the classic version, but now It's a flat $10 per storage account per month.
So that could be limiting depending on how you've got your storage account set up, whether you've got like large, large amounts of storage accounts or whether you've, you know, you've got many little ones that could, that could be an issue for you.
We did also hear about that requirement for Defender CSPM as well.
You know, if you want to do sensitive data discovery.
So watch out for that as well because you know that is charged at $5 per billable resource per month.
So.
Yeah, but storage, I don't think storage accounts count as a billable resource at the moment.
Well, I'm on the pricing page now and I'll quote directly from the pricing page.
Microsoft Defender CSPM protects across all your multi cloud workloads, but billing only applies for compute database and storage resources.
Okay, so yes, no actually I just needed to continue on.
Billable workloads are VMs, storage accounts, open source, open source databases and SQL PaaS and servers machines.
Billing begins on August 1, 2023.
So yeah, so I believe that is also needed as well and that's going to scope in pricing for other resources as well.
Which is a little bit sucky, isn't it?
You know but again, you know, if you do want to detect and track sensitive data and how it is being used, there is a solution there for you.
In addition to the fees I've already talked about, there is also a malware scanning add on that you need to add.
So you add the malware scanning add on to Defender for storage and for every gigabyte of data that is scanned it is 15 cents.
But it's per gigabyte, not per like transaction.
So if you've got lots of little files that's going to be advantageous to you.
If you've got lots of big files, well it's going to be expensive because $0.15 per gigabyte is quite expensive compared to like just straight storage.
But this is essentially running Defender on these files.
Right?
So yeah, yeah and that's your lot really.
But, but again you're only going to pay that $0.15 per gigabyte if you do like a, an on demand scan of all your data or you know you are uploading and changing data frequently.
So yeah, and I assume you can apply the one year pre purchase plans anyway as well to it.
Yeah, that would be part of the, what you call it.
Yeah, just the Defender side of it really.
The Defender cloud in general.
Any, anything in there.
$1 is one consumer unit.
I think it is, isn't it?
So commit unit.
Commit unit.
Yeah.
Yeah.
Okay.
Yeah.
So you could, you know the worst discount that you can get on Pre committing is 10%.
So you could read.
I said that in that way because it's the lowest tier.
That's the best way I could describe it.
But, but you know, if you were spending a lot of money you could get a 22% discount on those figures as well.
And that's all I've got for Pricing and Defender for Storage.
I think Alan, if you got anything else to add.
Any other questions I was going to.
Ask does it include S3 buckets and I don't know what the Google Cloud.
Version is, but not that I'm aware.
I thought so too.
I'm just double checking in the background.
Please do.
But.
Because I thought it.
I thought it was one of the workloads because you got compute databases and maybe storage wasn't one of it.
Maybe it was database.
I'm thinking of.
Oh, just talking about pricing.
There is a pricing estimation workbook that is linked from the documentation to give you a pricing estimate for Defender for storage as well.
But you can.
For the actual Defender for storage element of it, you can be quite, you know, granular on what you apply it to because you can apply it via policy.
So.
I can't check on this machine.
It's not working for me.
I've got any.
I need me other dev account.
But anyway, yeah, I.
I can't see in any of like the prereqs or anything like that.
I can't see anything that even mentions it.
I thought it did, but it doesn't seem to.
Yeah, that's cool.
I got us a list of previous episodes.
I don't think we ever done Defender Cloud or on its own and talked about it because I don't think there's much point per se.
I think we agreed that it's like a portfolio.
Yes.
So we had Defender for Cloud DevOps back in season five of episode 39.
We did Defender for APIs at the start of this season, episode two.
We then looked at CSPM, which I suppose that really is the overarching product, isn't it?
In some respects.
I don't know.
It's probably not fair to say.
But we did CSPM in episode three, the next episode, and then we did Defender for Databases in episode five this season, Defender for Server in episode six, and then we did Security Explorer and Attack Paths in Defender for Cloud, which is part of CSPM in episode eight.
So now we've done Defender for Storage as well.
That's cool.
Yeah.
It's not a protective workload from the look of it in AWS and GCP, it was servers, databases, containers, I think were the mods that are currently.
Right.
Yeah.
I swear I was getting, I'm going to say confused, but where I thought it was storage.
So.
Yeah.
And I wonder if that's the complexity of running malware scanning off onto that side as well because without it there's not a lot there, is there?
No.
That you've got the.
I suppose the unused activity, etc.
Yeah.
I have to double check.
But I believed that they could do.
I have to double check.
I thought for the server plan, maybe they.
You could do vulnerable.
Sorry, agentless scanning for the other side.
Right.
For vulnerabilities, things like that.
I thought, I mean, I might be dreaming at this point, but I've not.
Not gone into it for a while to confirm any of that.
But.
But yeah.
So cool.
So next episode is the news for August.
So I think that's.
There'll be.
I think there's some interesting things that came up.
I think I started talking about them last time, didn't I?
So.
Yeah.
Cool.
So if you did enjoy this episode, please do consider leaving us a review on Apple, Spotify or YouTube.
It helps us reach out to more people like yourselves.
If any specific feedback for our episodes or got any suggestions, we have a link in our show notes.
Yeah.
If you've made it this far.
Thanks ever so much for listening.
We'll catch you on the next one.
Yeah, thanks.
All.