Cloud Security & Governance at a financial services firm with 10,001+ employees
Jun 15, 2021
The feature that helps us in detecting the sensitive information being shared has been very useful. In addition, the feature that allows MCAS to apply policies with SharePoint, Teams, and OneDrive is being used predominantly.
On-demand scanning is the most valuable feature. In addition, it's a fairly fluid product. It syncs back to the cloud and provides metrics. It's pretty intelligent.
Learn what your peers think about Microsoft Defender for Cloud Apps. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
In Microsoft Defender for Cloud Apps, there is an option to enable files. Once you enable that, it will give you all the files in your organization and where they are located in the cloud... That feature is very useful for investigation purposes.
Threat detection is its key feature, and that's why we use this tool. It gives an alert if a PC is attacked or there is any kind of anomaly, such as there is a spike in sending emails or we see an unauthorized website being accessed. So, it keeps us on our toes. We get to know that there is something wrong, and we can isolate the user and find any issues with it. So, threat detection is very robust in this tool.
One of the most valuable features is auditing. Some of the other protection services have issues with auditing. Microsoft Defender for Cloud has an excellent auditing technique that helps us avoid the risk of filtering or information loss. You can use different tools to guarantee these things. It allows you to conduct an in-depth exploration of applications, users, and files that are harmful or suspicious. You can also enhance your security setup by creating personalized rules or policies that help you better control traffic in the cloud.
There are a lot of features with benefits, including discovery, investigation, and putting controls around things. You can't say that you like the investigation part but not the discovery. Everything is correlated; that's how the tool works.
Modern Workplace Solution Architect at a tech consulting company with 11-50 employees
Sep 4, 2022
I like the alert policies because they are quite robust. It has some built-in templates that we can easily pick up. One of them is the alert for mass downloads, when a particular user is running a massive download on your SharePoint site.
Everything from Microsoft is integrated. You receive regular reports on them all. You can push your reports, logs, and security alerts, which are all integrated. It is crucial that these solutions work natively together to deliver coordinated detection and response across our environment.
Cloud Security & Governance at a financial services firm with 10,001+ employees
Jun 15, 2021
It takes some time to scan and apply the policies when there is some sensitive information. After it applies the policies, it works, but there is a delay. This is something for which we are working with Microsoft.
They need to improve the attack surface reduction (ASR) rules. In the latest version, you can implement ASR rules, which are quite useful, but you have to enable those because if they're not enabled, they flag false positives. In the Defender portal, it logs a block for WMI processes and PowerShell. Apparently, it's because ASR rules are not configured. So, you generally have to enable them to exclude, for example, WMI queries or PowerShell because they have a habit of blocking your security scanners. It's a bit weird that they have to be enabled to be configured, and it's not the other way around.
Learn what your peers think about Microsoft Defender for Cloud Apps. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
Sometimes, we'll get false positive alarms. For example, when a SharePoint path has no file sharing, but there is an external user, it will trigger an alarm that the file has been shared with an external user... the alerting mechanism should be more precise when giving you an alert about what activity has been done with the file...
The response time could be better. It will be helpful if the alerts are even more proactive and we can see more data. Currently, the data is a little bit weak. It is not complete. I can't just see it and completely know which user or which device it is. It takes some effort and time on my part to investigate and isolate a user. It would be great if it is more user-friendly or easy for people to understand.
We sometimes get errors when we create policies, which is somewhat annoying because some policies stop working due to misconfigurations. We find this challenging because it limits our options for troubleshooting an issue.
Currently, reporting is not very straightforward and it needs to be enhanced. Specific reports are not included and you need to run a query, drill down, and then export it and share it. I would love to have reports with more fine-tuning or granularity, and more predefined reports.
Modern Workplace Solution Architect at a tech consulting company with 11-50 employees
Sep 4, 2022
It doesn't actually decrease the time to respond. This has been an issue with Microsoft recently. Sometimes, there is a delay when it comes to getting an alert policy email... Sometimes it takes two or three hours for that email to be sent.
We would like to get more information from the endpoint. I don't get enough detailed information right now on why something failed. There is not enough visibility.
