Microsoft Defender for Business vs Microsoft Defender for Endpoint P2

This article explains the functional differences between Microsoft Defender for Business (MDB) and Microsoft Defender for Endpoint P2 (MDE P2). It focuses on the key points from the perspective of "What does MDB lack compared with MDE P2?" For more detailed and comprehensive information, please visit Microsoft's official support site.
Reference: https://learn.microsoft.com/ja-jp/microsoft-365/security/defender-business/compare-mdb-m365-plans?view=o365-worldwide

What is MDB

MDB is designed for small and medium-sized businesses (SMBs), focusing on essential security features at an affordable price. MDE P1 and MDE P2, on the other hand, are license plans designed to cover a wide range of customers, from SMBs to enterprises. The same management console (UI) is used with any of these licenses, so day-to-day operation is the same. However, the functions available differ by license.

Number of users covered 

The most obvious difference is the number of users in a company. MDB is a license for companies with fewer than 300 users and cannot be used by companies with more than 300 users. Please note that if your company is using MDB and is likely to grow beyond 300 employees, you will need to coordinate with Microsoft.

Endpoint Detection and Response (EDR) 

MDE P2 includes Endpoint Detection and Response (EDR). This function provides automated investigation, quarantine, and device isolation when suspicious files are detected. The support site describes this function as follows, and the description reads as if some functions are restricted in MDB.
However, the description on the support site does not say exactly what is not available. Therefore, we compared the manual response actions ourselves.

The result was that there were no functional differences in manual actions except for "Ask Defender Experts" and "Go hunt (Advanced Hunting)", as described below. I also contacted MS support and was told that there is no functional difference between MDE P2 and MDB with regard to actions performed automatically. The author suspects that this is because MDB is optimized for SMEs and has a different architecture behind the scenes than MDE, which may result in different performance. However, we could not find any public information to support this, so please treat this information as reference only. (It is also possible that differences exist that we did not recognize due to differences in verification conditions.)

Advanced Hunting

Advanced Hunting is a threat hunting tool that can explore up to 30 days of raw data collected by Microsoft Defender. It can be used for in-depth investigation during an incident, or for proactive activities that uncover behavior that could lead to an incident. Custom Detection Rules can also be used to run specified queries periodically and raise alerts when an event matches.

On the other hand, MDB does not offer Advanced Hunting. As a result, various investigations (hunting activities) may be incomplete. If you have requirements such as detailed investigation when an incident occurs, or proactive monitoring in normal times for activity leading to incidents, you may want to use MDE P2.

Web Content Filtering

MDE has a Web content filtering function. MDE is not a specialized Web filtering product and is not suited to fine-grained control, but it can be configured to block adult-oriented content, for example. Please note that MDE supports only Windows operating systems for this function. It can be used with both MDE P2 and MDB, but MDB does not allow setting the scope (the devices or users it applies to).

Since the same policy is applied to all users, MDB is not suitable for customers who want to separate policies by user or group. 

Device Control

MDE has a feature called "Device Control" that provides control over removable storage (USB disks, etc.) and printers. According to Microsoft's support site, the scope of support for "Device Control" is listed as MDE P1 and P2 only, so MDB has to do without it.

Evaluation lab

MDE P2 has an "evaluation lab" function, provided free of charge, that allows users to practice MDE response by infecting virtual devices (limited in number and time) with ransomware. We recommend that customers new to MDE use this evaluation lab to become proficient in MDE response. MDB, on the other hand, does not provide such functionality, and test devices must be prepared in-house. However, MDB also provides a test detection file from the management console, so we believe that this test detection file together with a VM set up in Azure or similar can substitute for an "evaluation lab", although it is a bit of a hassle.

Defender Experts

Defender Experts is a service that allows you to request assistance from Microsoft experts. It provides SOC-like functions that notify you of attacks on your endpoints and allow you to consult with experts when an incident occurs. This service is licensed separately from MDE P2 and MDB, but one of the conditions for using it is that you hold an MDE P2 license. If you are considering "Defender Experts", please use MDE P2.

Attention

There are many other conditions of use (number of licenses purchased, etc.) in addition to holding MDE P2. Please contact Microsoft or your distributor for details.

Conclusion

MDB has proven to be a very cost-effective product.