Hi Tom,
When you delete a storage account, associated resources like Event Grid subscriptions may not be immediately or fully cleaned up. These subscriptions are often created by services like Microsoft Defender for Cloud to monitor storage accounts for threats. In your case, the Microsoft Defender for Cloud Scanner Resource Provider deleted an Event Grid subscription. This action might have triggered a scan or cleanup process that surfaced lingering metadata or references to the deleted storage accounts.
Azure Storage supports soft delete for blobs and containers, but not for storage accounts themselves. Metadata about deleted resources can persist in:
Activity logs, security recommendations, and monitoring configurations.
These remnants can cause Defender for Cloud to continue referencing the deleted accounts until its internal cache or configuration is refreshed.
The deletion of the Event Grid subscription likely prompted a rescan or re-evaluation of storage-related configurations. If Defender for Cloud had cached references to the deleted accounts, this action might have caused those references to resurface temporarily in the portal or recommendations.
To fully clean up:
Check Defender for Cloud settings for lingering references to the deleted accounts. Review Event Grid and other monitoring configurations to ensure no orphaned subscriptions or policies remain. Use Azure Resource Graph Explorer to query for any ghost resources or metadata.
Please upvote if the information helps and let me know if you have any other queries. I am glad to assist.
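An example query for the Resource Graph Explorer step above, added here and not part of the original answer. It assumes the leftover monitoring resources are Event Grid system topics whose `properties.source` points at a storage account, and it lists those whose source account no longer appears in Resource Graph; it does not cover event subscriptions that are not attached to a system topic.

```kusto
// Event Grid system topics whose source storage account is gone.
// Assumption: orphaned monitoring leftovers show up as system topics
// with properties.source set to the deleted storage account's resource ID.
resources
| where type =~ 'microsoft.eventgrid/systemtopics'
| extend sourceId = tolower(tostring(properties.source))
| where sourceId contains '/providers/microsoft.storage/storageaccounts/'
// Left outer join against the storage accounts that still exist;
// rows with no match on the right side are the orphans.
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.storage/storageaccounts'
    | project sourceId = tolower(id), storageExists = true
  ) on sourceId
| where isnull(storageExists)
| project systemTopic = name,
          resourceGroup,
          subscriptionId,
          topicType = tostring(properties.topicType),
          deletedSource = sourceId
| order by subscriptionId asc, resourceGroup asc
```

Run it with the scope set to every subscription that held the deleted accounts; an empty result means no system topic still references a missing storage account.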