MicrosoftDocs
diff --git a/‎articles/defender-for-cloud/TOC.yml
Lines changed: 1 addition & 1 deletion b/‎articles/defender-for-cloud/TOC.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/defender-for-cloud/defender-for-storage-exclude.md
Lines changed: 4 additions & 4 deletions b/‎articles/defender-for-cloud/defender-for-storage-exclude.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/defender-for-cloud/defender-for-storage-introduction.md
Lines changed: 21 additions & 2 deletions b/‎articles/defender-for-cloud/defender-for-storage-introduction.md
Lines changed: 21 additions & 2 deletions
diff --git a/‎articles/defender-for-cloud/defender-for-storage-test.md
Lines changed: 2 additions & 2 deletions b/‎articles/defender-for-cloud/defender-for-storage-test.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/defender-for-cloud/media/defender-for-storage-introduction/storage-advanced-threat-protection-alert-email.png
230 KB b/‎articles/defender-for-cloud/media/defender-for-storage-introduction/storage-advanced-threat-protection-alert-email.png
230 KB
diff --git a/‎articles/defender-for-cloud/media/defender-for-storage-introduction/storage-advanced-threat-protection-alert.png
835 KB b/‎articles/defender-for-cloud/media/defender-for-storage-introduction/storage-advanced-threat-protection-alert.png
835 KB
diff --git a/‎articles/defender-for-cloud/media/enable-data-collection/defender-plans.png
223 KB b/‎articles/defender-for-cloud/media/enable-data-collection/defender-plans.png
223 KB
diff --git a/‎articles/defender-for-cloud/media/enable-enhanced-security/enable-all-defender-plans.png
-120 KB b/‎articles/defender-for-cloud/media/enable-enhanced-security/enable-all-defender-plans.png
-120 KB
diff --git a/‎articles/defender-for-cloud/media/enable-enhanced-security/enable-all-plans.png
4.52 KB b/‎articles/defender-for-cloud/media/enable-enhanced-security/enable-all-plans.png
4.52 KB
@@ -396,7 +396,7 @@
       displayName: blob, adls, files, Microsoft Defender for Storage, Defender for Storage, storage, Azure-native security, automated response, alerts, security, hash reputation analysis
       href: defender-for-storage-introduction.md
     - name: Enable Defender for Storage
-      href: ../storage/common/azure-defender-storage-configure.md?toc=/azure/defender-for-cloud/toc.json#set-up-microsoft-defender-for-cloud
+      href: ../storage/common/azure-defender-storage-configure.md?toc=/azure/defender-for-cloud/toc.json
     - name: Exclude a storage account
       displayName: blob, adls, files, Microsoft Defender for Storage, Defender for Storage
       href: defender-for-storage-exclude.md
 
@@ -7,13 +7,13 @@ ms.author: benmansheim
 author: bmansheim
 ---
 
-# Exclude a storage account from Microsoft Defender for Storage protections
+# Exclude a storage account from per-transaction Microsoft Defender for Storage protections
 
-When you [enable Microsoft Defender for Storage](../storage/common/azure-defender-storage-configure.md#set-up-microsoft-defender-for-cloud) on a subscription, all current and future Azure Storage accounts in that subscription are protected. If you have specific accounts that you want to exclude from the Defender for Storage protections, you can exclude them using the Azure portal, PowerShell, or the Azure CLI.
+When you [enable Microsoft Defender for Storage](../storage/common/azure-defender-storage-configure.md) on a subscription for the per-transaction pricing, all current and future Azure Storage accounts in that subscription are protected. You can exclude specific storage accounts from the Defender for Storage protections using the Azure portal, PowerShell, or the Azure CLI.
 
 We don't recommend that you exclude storage accounts from Defender for Storage because attackers can use any opening in order to compromise your environment. If you want to optimize your Azure costs and remove storage accounts that you feel are low risk from Defender for Storage, you can use the [Price Estimation Workbook](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/28) in the Azure portal to evaluate the cost savings.
 
-## Exclude an Azure Storage account
+## Exclude an Azure Storage account protection on a subscription with per-transaction pricing
 
 To exclude an Azure Storage account from Microsoft Defender for Storage:
 
@@ -68,7 +68,7 @@ To exclude an Azure Storage account from Microsoft Defender for Storage:
     > [!TIP]
     > Learn more about tags in [az tag](/cli/azure/tag).
 
-1. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the ``security atp storage`` command (using the same resource ID): 
+1. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the `security atp storage` command (using the same resource ID):
 
     ```azurecli    
     az security atp storage update --resource-group MyResourceGroup  --storage-account MyStorageAccount --is-enabled false 
 
@@ -9,7 +9,7 @@ ms.topic: overview
 
 **Microsoft Defender for Storage** is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684) data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.
 
-You can [enable Microsoft Defender for Storage](../storage/common/azure-defender-storage-configure.md#set-up-microsoft-defender-for-cloud) at either the subscription level (recommended) or the resource level.
+You can [enable Microsoft Defender for Storage](../storage/common/azure-defender-storage-configure.md) at either the subscription level (recommended) or the resource level.
 
 Defender for Storage continually analyzes the telemetry stream generated by the [Azure Blob Storage](https://azure.microsoft.com/services/storage/blobs/) and Azure Files services. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud, together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations. 
 
@@ -70,8 +70,27 @@ Alerts include details of the incident that triggered them, and recommendations
 > [!TIP]
 > For a comprehensive list of all Defender for Storage alerts, see the [alerts reference page](alerts-reference.md#alerts-azurestorage). This is useful for workload owners who want to know what threats can be detected and help SOC teams gain familiarity with detections before investigating them. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.md).
 
+## Explore security anomalies
 
-### Limitations of hash reputation analysis
+When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:
+
+- The nature of the anomaly
+- The storage account name
+- The event time
+- The storage type
+- The potential causes
+- The investigation steps
+- The remediation steps
+
+The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.
+
+:::image type="content" source="media/defender-for-storage-introduction/storage-advanced-threat-protection-alert-email.png" alt-text="Screenshot of Microsoft Defender for Storage alert email.":::
+
+You can review and manage your current security alerts from Microsoft Defender for Cloud's [Security alerts tile](managing-and-responding-alerts.md). Select an alert for details and actions for investigating the current threat and addressing future threats.
+
+:::image type="content" source="media/defender-for-storage-introduction/storage-advanced-threat-protection-alert.png" alt-text="Screenshot of a Microsoft Defender for Storage alert." lightbox="media/defender-for-storage-introduction/storage-advanced-threat-protection-alert.png":::
+
+## Limitations of hash reputation analysis
 
 - **Hash reputation isn't deep file inspection** - Microsoft Defender for Storage uses hash reputation analysis supported by [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684) to determine whether an uploaded file is suspicious. The threat protection tools don’t scan the uploaded files; rather they analyze the telemetry generated from the Blobs Storage and Files services. Defender for Storage then compares the hashes of newly uploaded files with hashes of known viruses, trojans, spyware, and ransomware.
 
 
@@ -9,13 +9,13 @@ ms.topic: how-to
 
 # Trigger a test alert for Microsoft Defender for Storage
 
-After you enable Defender for Storage, you can create a test alert to demonstrate how Defender for Storage recognizes and alerts on security risks.
+After you enable Defender for Storage, you can create a test alert to demonstrate how Defender for Storage recognizes and triggers alerts on security risks.
 
 ## Demonstrate Defender for Storage alerts
 
 To test the security alerts from Microsoft Defender for Storage in your environment, generate the alert "Access from a Tor exit node to a storage account" with the following steps:
 
-1. Open a storage account with [Microsoft Defender for Storage enabled](../storage/common/azure-defender-storage-configure.md#set-up-microsoft-defender-for-cloud).
+1. Open a storage account with [Microsoft Defender for Storage enabled](../storage/common/azure-defender-storage-configure.md).
 1. From the sidebar, select “Containers” and open an existing container or create a new one.
 
     :::image type="content" source="media/defender-for-storage-introduction/opening-storage-container.png" alt-text="Opening a blob container from an Azure Storage account." lightbox="media/defender-for-storage-introduction/opening-storage-container.png":::