Microsoft Defender XDR Room for Improvement

Gabor Nyerd
Enterprise mobility and security evangelist at a financial services firm with 5,001-10,000 employees

We found that sometimes integrations work, but testing them can take some time. Sometimes, configurations take much longer than expected. We have a configuration in place that needs to be synchronized with another server. However, the servers are four hours apart, so this can cause delays. In general, I believe that the time it takes to configure and test a service should be shorter. Sometimes, it can take a couple of hours to test a single configuration setting. Other times, it is only ten or fifteen minutes, which is normal. However, sometimes, even immediate actions can be triggered by configuration changes, and some settings can take up to eight hours to complete. I believe that this time can be improved.

Microsoft is making a lot of improvements to its services in a short period of time. This is a good thing, as it means that the services are constantly being updated and improved. However, it can be challenging for customers to keep up with the changes. For example, a customer may read about an update, understand it, and share it with their colleagues and boss. However, it may take days or weeks to test the update and get the necessary approvals. This can be especially challenging for large customers with many users or machines. In some cases, Microsoft may change a service before the customer has had a chance to implement the previous update. This can be frustrating for customers, as it means that they have to constantly learn new things and adjust their workflows.
On the one hand, it is important for Microsoft to keep updating and improving its services. This helps to ensure that the services are meeting the customers' needs and that they are staying ahead of the competition. Microsoft should also be mindful of the challenges that these changes can create for customers. One way to address this challenge is to provide customers with more time to implement changes. Microsoft could also provide more information about upcoming changes so that customers can plan ahead. Ultimately, Microsoft needs to strike a balance between keeping its services up-to-date and providing customers with a smooth transition to new features.

Desray Liu
Project Manager at Freedom Systems Inc.

One important point about the solution that is an area of concern where improvements are required is related to the control center it provides. Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides.

James-Hinojosa
Sr. Lead Consultant at Quisitive Technology Solutions Inc

At times, there may be delays in the execution of certain actions and their effects. These delays are often related to Microsoft tasks that run in the background. For instance, when we perform an improvement action such as improving the secure score, it may take a few days before we see any changes. This delay can be frustrating, but it is still beneficial. We have also encountered issues with the secure score feedback when we set it up to work with third-party tools. We have reported these issues to Microsoft. To improve the situation, we need to fix this aspect of the solution so that we can receive secure score feedback closer to real-time or more promptly. This would be a significant improvement.

MM
Cybersecurity Manager at Dow

The advanced threat-hunting capabilities are phenomenal, and the security copilot enhances that, but some data elements could be better or have more context inside of the advanced tables themselves. The schemas feel a little limited to what they're building into the product. It's probably just a maturity thing. I imagine we'll see the features I want in the next year.

Once you've onboarded your servers to Defender, they're housed on Azure. When those things are brought into the 365 Defender portal, I can see clearly that some of those are Azure resources. There is a subscription and the resource group. That data doesn't exist in the tables. We don't want to run automated remediation against our domain controllers, but you can't exclude those using Azure resource tags. You can't tell it to exclude assets from this resource group. 

That data doesn't exist inside the tables you use to build your thresholds or custom protections. I could see where they could improve the data they present to you in the tables. I assume that it will come with time. There's so much happening. Every time I open the portal, there's a new feature. 

Mikael Nordby
Apprentice at a tech consulting company with 51-200 employees

In the Microsoft Azure Portal, in Active Directory, if there is anything on the user it will provide you with the information, but you still have to go through it a bit. And sometimes, I have experienced difficulties in understanding the information, especially because the synchronization between Microsoft Intune and the devices that are connected to the user in Azure Active Directory takes a lot of time. 

In addition, device compliance policies can take a day to be deployed. There are some delays and that can cause some misunderstandings, although they are not huge if you have experience working on Microsoft products.

PV
Architect Security + Modern Workplace at a manufacturing company with 501-1,000 employees

It already integrates natively with the Microsoft ecosystem, but there is still room for a minor improvement in third-party integration. Another issue is that the portal is sometimes less intuitive than you would like. That's probably because they're consolidating various security products, and there are a few legacy things left over that complicate matters in some cases. 

Still, if you gave someone who works in security access for the first time, that person would be impressed and wouldn't have any specific complaints. You only start to notice a few small things once you've used them for a while, but nothing is significant.

CB
Infrastructure architect at Energizer Holdings, Inc.

My suggestion would be for Microsoft to continue aligning all components within this ecosystem. This consolidation is beneficial as we strive for a more unified and comprehensive view, essentially a single pane of glass, which is highly valued. In the future, I hope for increased third-party integration. While Microsoft plays a role, it's equally important for third-party providers to step up. In our organization, the information security team has endorsed a specific set of products. Integrating the telemetry from these approved products into our systems would be immensely beneficial, providing a more comprehensive view and enhancing our overall security posture. Extending security coverage is of paramount importance. Integrating telemetry could bridge these gaps, fostering greater cooperation among individual teams within the organization. Having teams collectively examine the same information might contribute to advancing collaboration and overall security efforts. The capability to not only thwart attacks but also to adapt to evolving threats is crucial.

Nimesh Aggarwal
Principal Consultant - Cyber Security & Cloud Infra. at RPS Consulting Pvt. Ltd.

It provides good visibility of Microsoft products but not for third-party products. It's a good product if we have Microsoft product lines to protect or defend, but it lags when it comes to a mixed environment or non-Microsoft products. The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category.

On the Defender side, for custom detection queries, KQL and the dashboard are not that great, but we are not doing automation directly from the Defender side. We leave Defender intelligence as it is, and we collect everything from Defender to Sentinel and handle the response from the Sentinel side. So, all our automation is happening through Sentinel only. We don't have any extra customization on top of Defender.

The maturity of the portal or dashboard is missing. The dashboard is something that Microsoft is changing every month, and we are seriously not liking it. As a management person, I am not bothered about it, but my team is suffering because there are many versions. You are working on a version and then a new version comes and then the preview toggle button comes. Now, they are combining all the parts into a single console. It confuses technical teams a lot. I'm not happy with their approach or experiments when it comes to the Defender portal. They shouldn't change it again and again.

The SOAR side of Sentinel is zero. If any subscriber subscribes to Azure Sentinel, SOAR is zero. Microsoft says that Sentinel is a SOAR solution, but I don't agree because they are only exposing the existing Azure automation engine towards Sentinel. My automation ask is that when there are already so many detection rules and connectors, why is the SOAR capability not in-built? Why can't they make the Azure functions behind it available in a template form and let us modify and use them? It will save my team's time in preparing the automation of the response. If my team has to create the logic, they have to invest a lot of time.

Their support needs to be improved. I'm not happy with their support.

Michael Wurz
Security Solution Architect at ProArch Technologies

Overall, the unified dashboard is a great step forward. However, for new users unfamiliar with Microsoft and these products, it can be overwhelming. The abundance of sub-dashboards and sub-areas within the main dashboard can be confusing, even if it all technically makes sense. While it's great for our technical teams and C-Suite to have access to a centralized risk dashboard, it needs to be simplified for less tech-savvy users. The numerous dashboards and interfaces, despite being unified, can be daunting for new users. Ideally, Microsoft could streamline the interface and consolidate information to improve accessibility. When incidents occur, the action center for response actions can be unclear, especially for users unfamiliar with the platform. It can be difficult to find out where, when, and how remediation actions took place. A more intuitive and transparent action center would be helpful.

IlanHamoy
Owner at Secusight

One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions. It's unclear who makes these decisions, but simplicity would be a highly welcome change. A great way to achieve this simplicity would be to have built-in wizards within the products to help users accomplish tasks. This would eliminate the need to guess where to find the necessary options to enable or disable features.

The features I would like to see added to Defender are improved web filtering capabilities and a WAF service. However, I may be mistaken, and Microsoft may already offer a similar solution. I understand that our finance department rejected most of the Defender for Azure services due to their cost, but I lack the information to judge their expense myself. I believe that, as with the Azure environment itself, which was initially considered expensive but became increasingly popular over time, the Defender for Azure solution will also gain traction if its price becomes slightly more competitive.

When it comes to visibility into threats, 365 Defender is slightly complicated, and much more complicated than competitors like CrowdStrike. That's just the "Microsoft way" where everything is usually slightly more complicated. The interface is not clear.

Also, it is not clear when the system is offering a recommendation or just a way to validate something. It is not clear what will be automatically done and what you will have to do yourself.

Sudara Pushpakumara
Cloud Security Engineer at Dialog Axiata PLC

Additional visibility into log analytics would be beneficial. For instance, if an attachment was affected by malware, it would be helpful if Microsoft 365 Defender could provide more specific details about the origin of that particular malware, such as where it originated from. Any additional information in this regard would be greatly appreciated.

The integration of Microsoft 365 Defender with Sentinel is a bit complex when integrating custom connectors.

The cost of using Microsoft Sentinel is dependent on the size of the data the solution will ingest. I would like Microsoft to provide proper guidance on the sizing so we know what we will be spending.

Technical support has a lot of room for improvement. The support team is not competent or responsive.

SF
Network & Security Manager at SNP Technologies, Inc.

There are two areas where I feel there is no Microsoft solution. One is vulnerability management, where Microsoft is partnered with Qualys. The other is a penetration testing tool on the preventive side. That would be more for an ad hoc request and not for everyday functions. Apart from these, all the other areas can be covered with Microsoft solutions.

There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff. By integrating Microsoft 365 Defender with Sentinel, we can definitely automate things. We can leverage playbooks, and execute Terraform scripts. But directly automating tasks in the 365 Defender is something we have to do with PowerShell, which is then connected to Exchange Online. There is no direct way to go ahead because it's a SaaS platform. But if you integrate it with Sentinel, where all the alerts are created and action needs to be taken, it is pretty comfortable for automation.

Also, I would like to see it be a lot less policy driven. On the M365 side, there are a lot of policies that we need to enable to achieve a certain task. There is no direct solution; rather, there are a lot of workarounds.

I understand that Microsoft is dealing with a lot of tools at once and having a direct solution is not viable. But I would hope that Microsoft can improve that side of it.

MM
SysAdmin Engineer at FileVine, LLC

Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed.

PD
M365 Incident Responder at a financial services firm with 201-500 employees

For some scenarios, it provides good visibility into threats, and for some scenarios, it doesn't. For example, sometimes the URLs within the emails have destinations, and you do get a screenshot and all further details, but it's not always the case. It would be good if they did a better job of enabling that for all the emails that they identified as malicious. When you get an email threat, you can go into the email and see more details, but the URL destination feature doesn't always show you a screenshot of the URL in that email. It also doesn't always give you the characteristics relating to that URL. It would be quite good if the information is complete where it says that we identified this URL, and this is what it looks like. There should be some threat intel about it. It should give you more details.

One other limitation is with cloud-based events. Sometimes, you don't get enough details in the alert. You have to go to other portals to then complete the story or do your own research, ask the user, etc. 

The other one is that with Defender for Endpoint, the attack story is quite good in terms of queries and things like that, but sometimes, multiple events for the same thing are captured, and it's not summarized in a good way. You have to open each entry to see what that partial syntax is. It'll be good if it said that this specific partial syntax was seen fifteen times, and maybe it's something to pay attention to. They could also do some sort of pattern matching. There could be some sort of pattern matching where it says that this is the attack trying to do some enumeration or reconnaissance activities. 

BS
Senior Cybersecurity Specialist at a tech services company with 10,001+ employees

365 Defender's attack surface reduction rules could be more customizable. Microsoft has its own pre-defined rules that can be adapted to every organization, but Defender should support the ability to create custom rules from scratch.

Defender also lacks automated detection and response. You need to resolve issues manually. You can manage multiple Microsoft security products from a single portal, and all your security recommendations are in one place. It's easy to understand and manage. However, I wouldn't say Defender is a single pane of glass. You still need to switch between all of the available Microsoft tools. You can see all the alerts in one panel, but you can't automate remediation. 

Automated remediation can be improved. I'm currently creating a remediation structure there and pushing it to my vendor, but the vendor should have their own way of resolving things. It only alerts you that something is happening. The security administrator needs to take action because Defender's automated capabilities aren't up to par. 

Mohamed El-Sherbini
IT Manager at Mada Insurance

Since all of our databases are updated and located in the cloud, I would like additional support for this.

Florian Stamer
Regional Director, Cloud Lead Architect at Cloudeteer GmbH

I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses.

I would also like a more aesthetically pleasing dashboard. For German customers, it's important that the solution is in German. Multi-language support should be in all the features if possible. In many projects, we want to use digital signatures on emails. It would be perfect to have better integration of digital signing in a standard way.

In the last few months, the dashboard changed very often. When they restructure it, it's a little bit painful. Otherwise, the technology is very helpful.

The visibility into threats could be better. For the last six months, getting information from the access points has been difficult. However, the newest version fits very well. It's easy if you've found the right spot to view what's happening.

For legacy organizations or legacy customers, I would say it's possible to save time, but time-saving isn't always the best with security because it needs to be deployed and managed.

It can be installed quickly, but it takes time to check out false positives, have everything in place, and train each end user.

Vladimir Lopatin
Consultant for Infrastructure Solution at Awara IT

Customers say they want absolutely seamless integration between other Microsoft solutions and Defender XDR, including the ability to change device settings within the Defender portal. They need to contact the IT team responsible for the device management tools to change some settings. They would prefer that those changes be initiated directly from the Defender portal or applied from Intune without involving the IT operations team.

DO
Tech Support Engineer at a tech services company with 5,001-10,000 employees

It is fair to acknowledge that Microsoft 365 Defender, like any software product, is not without its imperfections. There are instances where it may incorrectly flag legitimate emails from trusted senders as spam or exhibit inadequate performance in accurately classifying certain emails.

Aside from that, it's a pretty good solution, and that is for the emails.

However, the main point I want to convey is that for someone who is new to it, using Microsoft 365 Defender will demand a significant amount of effort and a willingness to learn about the product in order to maximize its benefits. It deals with technical aspects and encompasses a broad range of features beyond just the mentioned warranty, such as online exchanges. To effectively utilize Microsoft 365 Defender, it is important to have a thorough understanding of its functionalities.

It may be too complex for beginners to grasp.

In the future, it would be beneficial for Microsoft to consider making the product more user-friendly or simplified for those who are interested in using it. Currently, it requires a high level of technical expertise, making it challenging for beginners or less experienced individuals. 

Breaking it down into smaller components or enhancing its comprehensibility for end users would serve as a valuable advantage. In fact, it would not only impress others but also motivate them to understand the significance of utilizing Defender in their specific situations.

At the moment, I have limited knowledge about TripAdvisor and its offerings, so I'm unable to provide comprehensive information. However, based on my current understanding, I believe it would greatly benefit from being more user-friendly and simplifying its features. This would enable users to easily navigate the platform and maximize their experience with it.

Patrick Celano Ciccarino
Cloud Solutions Architect at a tech services company with 51-200 employees

The web filtering solution needs to be improved because currently, it is very simple. It is very important.

Integrations with Linux should be done in a better way. With the AI world and the security part, things are going to be much simpler and easier to set up, configure, deploy, and maintain. I am looking forward to new releases of Microsoft Defender XDR to have better integrations, but the web filtering solution is the main pain point.

MuhammadBilal6
Cyber Security Analyst at a manufacturing company with 1,001-5,000 employees

Because of the training model, Defender XDR's automatic response sometimes blocks legitimate users and activities. Also, the UI sometimes responds slowly. 

IP
Group IT Manager at Civcns

Microsoft Defender XDR is not a full-fledged EDR or XDR. Any true XDR should be more powerful than what Microsoft is currently providing. For some public-facing companies, computers, and endpoint computers, we need additional security from CrowdStrike or other third-party XDR.

Microsoft Defender XDR does not stop 100 percent of the lateral movement or advanced attacks. Our machines use both Microsoft Defender XDR and CrowdStrike, and we have had instances where attacks were missed by Microsoft Defender XDR but caught by CrowdStrike.

AM
Senior Infrastructure Engineer at a manufacturing company with 51-200 employees

Advanced attacks could use an improvement.

JR
Deputy Director of Infrastructures and IT Services at a government with 10,001+ employees

I'd like to see a wider solution that includes not only desktop devices but also other devices, such as servers, storage cabinets, switching equipment, et cetera. That is where they should put in more effort. I don't have a global risk solution coming from Microsoft, one that could help me in all these different IT areas.

Pekka Kahkipuro
Chief Information Officer at a university with 501-1,000 employees

The management features could be improved, particularly in terms of better integration with Intune, Microsoft's cloud-based management solution. Enhanced integration would contribute to a smoother user experience, and ease of use is a key aspect that could benefit from such improvements.

Eric Mannon
Platform Architect at BlueVoyant

From an integration standpoint, it is always improving overall. With Security Copilot coming out, as partners, we are waiting for the GDAP support so that we can actually see Security Copilot on behalf of customers if they subscribe to it. I assume that will happen in the next couple of months, but there have been smaller improvements like that. I started with the Defender ATP product back in 2019. In terms of where it started versus where it is now, it is very different. A lot of the automated defense capabilities for auto-remediation and the threat and vulnerability management features that are coming out are the most exciting because they answer that CISO question, which is, "How covered am I for ransomware?" Most of the time when people answer that question, it is a very generic answer. They can look at the top twenty methods that most ransomware groups are going to use to see how protected they are, but they are probably not going to do that well, or they are pretty secure, and they are probably going to do pretty well. It gives more of that real-world experience that most people do not have. 

DM
Manager IT Services, Admin at asTech

The console is missing some features that would be helpful for a managed services provider, like device and user management. 

Christopher Pelfrey
Sr enterprise compute and storage engineer at a university with 1,001-5,000 employees

I'd like to see more integration with various components. While the ecosystem is quite impressive, there's a noticeable back-and-forth between the Defender console and the Exchange console. It would be beneficial to have a more seamless experience with everything consolidated in one place, particularly when dealing with aspects related to the Exchange console. Currently, we rely on a third-party service for the majority of our IAM needs. The data center extension of security coverage has proven to be highly significant for us. Given our extensive use of Linux and third-party applications, having the capability to monitor these aspects within the Defender console would be immensely valuable.

NY
Cyber Security Admin at an insurance company with 1,001-5,000 employees

There is a section titled 'Action and Submission.' When we submit any kind of share value for evaluation to Microsoft, they take a significant amount of time for the process.

When discussing the secure score, which includes overviews and recommended actions, some of these recommended actions are not applicable to us, particularly those related to Microsoft Internet Explorer, which we do not use in any of our environments. Nevertheless, there are instances where options to disable macros and various configurations appear, even though they shouldn't be present.

Hussain Alrajeh
Senior Technical Consultant at Alfanar

The dashboard should be easier to use. There is also improvement needed in the reporting when it comes to exporting or scheduling reports.

TV
Senior IT at a security firm with 201-500 employees

I don't know if that is Defender's feature, but more active monitoring for data breaches would be beneficial. There could be a way to proactively monitor unusual activity versus just depending on viruses and malware. If the traffic seems unusual, it could detect anomalies and update us. It would help us stop malware attacks ahead of time.

NK
Managing Director, TSG Engineering at a financial services firm with 10,001+ employees

It doesn't work in Word, Excel, and PowerPoint consistently. We find it full of bugs. It doesn't work properly. The tool gives inconsistent answers and crashes a lot. I spoke with the Microsoft team regarding these issues. The person I spoke to said that our expectation was too high and that we should have expected that it would only operate at 70% accuracy, which was a bit of a shock.

SP
Cyber security team lead at a non-tech company with 11-50 employees

The visibility into threats is not as good as other products in the market such as CrowdStrike, but if you know where to look, you can gain access to what is going on. The way the dashboard is designed is not as great as other products.

It helps to prioritize threats across the enterprise, but a lot of administrative overload is involved in determining which threats to prioritize. As compared to other products, it is a bit lacking.

Similarly, it helps to automate routine tasks and finds high-value alerts, but a little bit more automation would be appreciated.

Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented. That is because a lot of organizations that I have worked with over the past years do not have full-on SOC or threat detection services. They should put in more automated response capabilities and dashboards for smaller organizations.

Axel Viloria
System Administrator at a non-profit with 201-500 employees

Intrusion detection and prevention would be great to have with 365 Defender.

Lukasz Rutkowski
Microsoft 365 Consultant at a tech services company with 5,001-10,000 employees

There should be better information for experts on features in the solution. What I see when reading about features in Microsoft 365 Defender is that it is always general information.

If Microsoft could go deeper into details for the experts about how to use the tools, usage of it would be more familiar and it would be easier to use. Right now, I need to spend a lot of time using Defender to check the possibilities and how to connect them together to see things better. If I could read a more detailed article about it and see some use cases and how some threats are remediated, that would be great. Maybe I'm not looking deep enough or maybe there is some room for them to improve in this area.

And I would really like to see new features.

VM
IT Consultant

The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender, it would be helpful to use a different format so we can customize the platform.

Tochukwu Josiah Okafor
Security and Compliance Engineer - Data Protection at a tech services company with 1,001-5,000 employees

When changes are done within either the admin or security and compliance portals, there should be a real-time update to administrators about the changes. Many times I'm supporting a case where someone says, "I used to do this like this, but I'm unable to do it that way anymore. What happened?" And I will have to say, "Oh, sorry. That doesn't work like that anymore. It's now done this way." So there should be a way to notify people about changes like that, and prompt information when changes are done within a portal.

I would also like to see regular updates about new features in the Knowledge Base. There are cases where I'm using a Knowledge Base article to try to educate a customer, but when I check the feature on the admin portal, and in the article, they don't look alike. For instance, it's saying, "Go to settings. From settings, go to options." Meanwhile, on the portal itself, I'm seeing "Settings, go to more settings, then go to options." It would help a whole lot if feature updates were updated in real-time in the documentation.

Also, the message trace feature for investigating mail flow issues should add more detailed information to the summary report. The summary report is what the administrators are able to understand. The extended reports are a very deep dive and the administrators will only understand them if they reach out to support engineers. But if they could extend the summary report a little bit, and make it more descriptive, ordinary administrators could understand what happened and that the emails failed at this or that point. That way they would know the location to go to try to correct it and prevent it from occurring again. Making that summary report more extensive and detailed would be of great help.

BB
Security Architect

The naming convention keeps changing and has room for improvement.

The licensing is a nightmare and has room for improvement.

Benjamin Van Der Westhuyzen - PeerSpot reviewer
Contractor at a tech vendor with 11-50 employees

In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things.

The information it provides is great, but for a newcomer, it is quite tedious and takes a long time to load. Here in South Africa, when you click, oftentimes you have to wait quite some time before you get to the next page. It's not necessarily internet-related. I think it's just that the service is a bit slow.

Also, while the solution does help to prioritize threats, unfortunately, it doesn't do so for the entire environment. The reason is that it only supports full integration from Windows 10 and up. It provides you certain information from your server environment, but when you start going with legacy services, it is a bit lacking.

Another issue that is sometimes a headache is that they constantly make changes. Things will be merged, they will get different names, or be moved around. Things will be added and other things go somewhere else. They do a lot of development to make the product better, but it's very frustrating having to search for stuff after they've moved it, because you don't always know that they have moved things. They might have little banners, but if you're just working and don't read them, you don't know where things have gone.

I would also really like to see better integration with the server platforms for managing your server environment. That's something it currently doesn't do. For all the server environments, you either need to make use of group policies or SCCM to manage that independently. It can provide you information on the system, but it doesn't have control over your server line.

Also, I make use of 365 Defender on a business level and on a personal level. On the personal level, there is a lot less functionality. Something that would be very nice is that, for the level you are on, you would only see the product you are subscribed to. For instance, if you log on via the business, you have all your action areas, anything you can do and see, on the left. Because you're using it at a corporate level, you can see and do everything. On the personal level, or in a small business where you're only using some of the features, you still have all the same options, but when you click on them, it tells you that you need to upgrade or subscribe. They should only show you what you have access to, and not all the tabs and then say, "You need to subscribe to get access to this." It just clutters the whole area.

AkashGupta2 - PeerSpot reviewer
Microsoft Security Solution Architect at a tech services company with 1,001-5,000 employees

365 Defender has multiple subsets, including Defender for Cloud Apps. When integrating Defender for Cloud Apps with apps on third-party cloud platforms like AWS or GCP, there are limitations on our ability to control user activities. If Microsoft added more control over third-party products, that would be a game-changer and help us quite a lot.

MP
OT Security Architect at a tech services company with 10,001+ employees

The documentation on their website is somewhat outdated and doesn't show properly. I wanted to try a query in Microsoft Defender 365. When I opened the related documentation from the security blog on the Microsoft website, the figures were not showing. It was difficult to understand the article without having the figures. The figures were there in the article, but they were not getting loaded, which made the article obsolete. They should refresh all their articles and see that the steps and figures aren't missing. They can also provide more documentation.

Anand R Menon - PeerSpot reviewer
Security Operations Lead at CrossCipher Technologies

Offboarding latency should be reduced. Even after a device has been successfully offboarded using a particular offboarding script, it still shows up as onboarded.

Licensing is also confusing, particularly with regard to Microsoft Defender for Endpoint.

A good feature to add would be automatic patch deployment. Currently, the vulnerability management feature shows all of the vulnerabilities present in different devices that have been onboarded. It shows what manual actions can be taken or what patches can be deployed, but automatic patch deployment is not an option. It would be great if a patch can also be deployed right from the tool.

Dinesh Jaisankar - PeerSpot reviewer
Cloud Architect at a financial services firm with 201-500 employees

While the XDR platform offers valuable functionalities, it falls short of other solutions in its ability to deliver a cohesive identity experience. To address this limitation, integrating MDR as part of the XDR experience and incorporating the latest advancements into Microsoft Defender XDR are crucial steps.

CD
Manager of IT Services at a government with 51-200 employees

It would be highly beneficial if CoPilot could identify anomalies within the network and notify the IT team. For instance, if a user typically accesses around a hundred megabytes of data daily from familiar files and locations but suddenly diverges to an uncommon destination, uploading ten gigabytes of data to an unfamiliar website, that would be a significant anomaly. Pausing such activity and alerting the IT team for a human assessment would be a valuable feature to ensure security.

DM
It security manager at a construction company with 1,001-5,000 employees

There are still some components, such as vulnerability management within the vendor product, where improved integration would be beneficial. Currently, it's not visible in the same interface, requiring us to search elsewhere to access that information. While it has streamlined data collection and retrieval, there's still room for improvement in terms of user-friendliness for certain individuals. While the ultimate goal is to enhance security, there's room for improvement in terms of pricing.

PJ
Works

The only problem I find is that the use cases are built-in. There is no template available that you can modify according to your organization's standards. What they give is very generic, the market standard, but that might not be applicable to every organization. For example, an organization might look into an alert in a different way, not in the way Microsoft provides. There is no way to modify a template according to your needs, and that is something that I really don't like.

Those kinds of alerts are generating too many false positives for us, creating additional overhead. For example, part of the identity and access management is called "impossible travel activity." It generates false positives for us but there is no way I can modify the rule they have given that causes alerts. I cannot use that template or create a new one using that template, which I then modify to fit my organization's standards.

When we raised the issue with Microsoft, they said, "It's a product feature. What you are requesting is a product enhancement. We can take your request, but we are not sure when it's going to happen."

Zakariyah Oyeniyi - PeerSpot reviewer
Technical Team Lead at a tech vendor with 1,001-5,000 employees

Microsoft tends to provide too many features, which makes the solution prone to bugs.

Also, 365 Defender needs to be more flexible during deployment. When it comes to causal admittance, at times it seems slow.

DL
Sitecore Team Lead at a retailer with 11-50 employees

My client would like the solution to be more customizable without using code. You can only build on the default console, but we're not allowed to change it.

We have a similar tool to Defender's file integrity monitoring. Under the VMware VM properties, there is a change-checking tool, and it will tell us if the extension is in a different location. You can configure checking and do the monitoring. When I log into Defender's file integrity portal, I cannot see that this machine was enabled. It's the same agent and extension.

It's confusing because I don't know how to tell the customer they don't need to pay $15 per month because you already can enable the extension in VMware. Under the Defender account, it all seems like it's high code, and we cannot change it. Every customer has requirements for us to customize those things.

AF
Cybersecurity Intern

The interface could be improved. For example, if you want to do a phishing simulation for your employees, it can take a while to figure out what to do. The interface is a bit messy and could be updated. It isn't too bad, but doing some things can be a long process.

Adedapo Adeniji - PeerSpot reviewer
Modern Workplace Solution Architect at a tech consulting company with 11-50 employees

A simple dashboard without having to use MS Sentinel would be a welcome improvement.

We sometimes get false alerts, and Microsoft told us the issue was with them and that they were aware of it. They were supposed to remediate it, but we had to do much ourselves. The false positives need to be reduced.

Kyaw Htay - PeerSpot reviewer
Solutions Manager at AMNET Technology

This solution could be improved if it included features such as those offered by Malwarebytes.

EA
Infrastructure Lead at a government with 1-10 employees

There are a few technical issues with Defender XDR that can be improved. Sometimes, the endpoint devices are not reporting properly to the Defender 365 portal. When you're getting all the information from the Microsoft portal, the devices are sometimes not in sync. We have hundreds of endpoint devices, some needing to be onboarded again.

TE
Systems Manager at an energy/utilities company with 1,001-5,000 employees

Perhaps there's room for visual enhancements to make the platform more appealing. Stability could be improved by avoiding frequent changes to the interface.

Sear Mahmood - PeerSpot reviewer
Security Analyst II at COMMTEL

Defender XDR has good threat visibility, but it could be better in some areas, like when we are hunting for a specific host. For example, let's say we are investigating email services, and want to trace an email account to its host PCs and investigate the emails in its inbox. We want more visibility into the email side of investigations. It would be better if these features could be more integrated into the console; for example, you could have a tab for Cloud Apps to see the cloud applications a user had communicated with.

Microsoft's threat analytics are somewhat helpful for anything related to Microsoft products. For instance, it can update us about any single sign-on vulnerabilities or something along those lines. However, Microsoft was very late in terms of the recent LockBit attacks. LockBit compromised some significant organizations, and Microsoft didn't provide the report fast enough. It was reported on my normal cybersecurity information websites first. The site analytics are a bit weak when it comes to non-Microsoft clouds.

Defender XDR is capable of providing intelligence reports about threats specific to Microsoft components, but if we are implementing a Microsoft solution across an organization, many other products and side factors must be considered. I feel like Microsoft falls behind some other vendors in threat intelligence.

When we do investigations, it would be better if Microsoft could populate the host dashboard more. When we open any host for investigation, we want the entire timeline of what is happening on the host, including all the users logging in, their hardware, Windows version, etc.

HB
Consultant at a tech services company with 1,001-5,000 employees

The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there.

Rinaz N - PeerSpot reviewer
Consultant at a tech services company with 501-1,000 employees

There is no common area where we can manage all the policies for the EDR, third-party solutions, devices, servers, Windows, Mac, etc., but it's on the roadmap, and we were waiting for that feature.

Guilherme Queiroz - PeerSpot reviewer
Cyber Security Analyst at a tech services company with 10,001+ employees

There are other SIEM solutions that are easier to use, mainly based on the creation of rules, use cases, and groups.

There could also be an improvement on the customization part. Sometimes we need to customize a few configurations but we can't.

Dan Penning - PeerSpot reviewer
Director of IT at City of Largo

The solution does not offer a unified response and standard data.

Yusuf Buhari - PeerSpot reviewer
Cloud Productivity and Security Engineer at a tech consulting company with 11-50 employees

The only issue I've had is, when it comes to deployment, the steps I must take around policy setup. That is challenging. We're working on the onboarding and configuration policies. We're collecting feedback from customers and partners in hopes of refining the future design for deployment.

DJ
SecOps Engineer at a computer software company with 11-50 employees

It protects from phishing emails, but sometimes, some of the emails are not detected. They are getting delivered into the inbox, not in a junk folder or spam folder. Users are reporting them as phishing emails.

At times, when we have an incident email and we click on the link for that incident, it opens a pop-up, but there is nothing. It has happened a couple of times.

In terms of additional features, it is too early for me. I am still learning all the parts. I am just scratching the surface of the tool. One year is not enough to get every detail of it.

Luiz Campos - PeerSpot reviewer
Cyber and Cloud Security | Security Solution Specialist at a tech services company with 51-200 employees

Microsoft frequently changes the names of its products, sometimes even renaming entire portals or features. This can make it difficult for users to keep track of the latest changes and find the information they need. For example, every month, Microsoft might rename a product, change a portal, or update a feature. This can lead to confusion and frustration for users.

Eusebiu Ciorobatca - PeerSpot reviewer
Information Technology Support Technician at a tech services company with 51-200 employees

We should be able to use the product on devices like Apple, Linux, etc.

Hande Tarhan - PeerSpot reviewer
Senior Business Consultant at PeakUp

What could be improved in Microsoft 365 Defender is its licensing. It needs to be more consolidated, because there are so many plans for Microsoft 365 Defender, and every other year, there will be new licensing options, e.g. plan one, plan two, etc., that become more and more different from each other. The most valuable product would be the most expensive product, and customers usually say: "We really need the last version, but that's really expensive for us, because we are in Turkey and the currency is very, very high now." Three years ago, this wasn't a problem, because $1 was three or four Turkish liras, but now it's 15.

In the licensing options, it would also be better if there can be some optimizations, similar to what Power BI Pro offers. There are two options in Power BI: user-based and capacity-based. It would be good if there can be another option for one consolidated product for the whole company with a higher price, but you cannot depend on user count.

What I'd like to see in the next release of Microsoft 365 Defender is for them to provide more details in the alerts and notifications they send out.

NP
Security Solutions Architect at a computer software company with 10,001+ employees

These days, in the security industry, there is a buzzword called zero trust. I personally have not seen much evidence of how Defender can enhance the story of Zero Trust for enterprises. Microsoft needs to offer more features here or spread awareness in the industry and the market about how Defender addresses Zero Trust issues.

Mustafa Al-Shawwa - PeerSpot reviewer
Security analyst trainee at a tech services company with 11-50 employees

The design of the user interface could use some work. Sometimes it's hard to find the exact information you need.

PB
Security Analyst at a tech vendor with 5,001-10,000 employees

The support could be more knowledgeable to improve their offering.

MY
Systems Engineer at a consultancy with 201-500 employees

The mobile app support for Android and iOS is difficult and needs improvement.

WG
IT System Administrator at European Space Agency (ESA)

The user interface of Microsoft 365 Defender could improve. They could make it simpler.

GV
Senior IT Executive and Operation at a tech services company with 51-200 employees

The price could be better. It'll also help if they can continuously update and upgrade the solution. Every day there's a new virus uploaded into the network, and we have to keep updating it to identify all these things.

IO
Desktop Architecture and Design at a tech services company with 1-10 employees

The dashboards could be improved. They have to improve something about the dashboard. It is good, however, they need to provide some more information under each account.

The logs could be better.

PD
Senior Cloud Architect at Metro Systems Corporation Public Company Limited

The solution could improve by having better machine learning and AI. Additionally, the interface, documentation, and integration could be better.

Ramprasad Yalavarthi - PeerSpot reviewer
Manager System Engineer / Lead Solution Architect at DXC Technology

The data recovery and backup could be improved.

PT
Product Manager at a comms service provider with 501-1,000 employees

It would be helpful if the solution could scan faster when it comes to scanning attachments to emails.

DS
Cloud Sales Specialist at a tech vendor with 201-500 employees

Microsoft 365 Defender offers emerging endpoint security technologies, such as EDR and XDR and a Zero Trust approach.

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.