Microsoft Defender for Endpoint Reviews

We use Microsoft Defender for Endpoint to protect our devices from virus and malware attacks.

Microsoft Defender for Endpoint provides visibility into threats. Using the solution we can see threats easily and address them in order to protect our devices.

The solution provides an overview and we can configure it to have a higher queue, to take action against any risks.

The prioritization of threats is very important to us. With Defender, we can prevent attacks in a number of ways. When we are alerted about a potential threat, it is important to prioritize and take action quickly. We can check the type of incident and confirm the threat level.

We also use Microsoft Sentinel. The solution enables us to investigate threats and respond holistically from one place. Our success is also a result of our four-year investment. I have invested a lot of time in studying Microsoft products and technical subjects such as firewalls.

Microsoft Defender is a good tool. As an anti-virus solution, it helps monitor for any attacks. The solution works similarly to an alarm and is very important. Microsoft Defender is the best protection solution for me, it's safe to use, and I can see the alerts in real-time.

The benefits of Microsoft Defender for Endpoint are immediately clear when implementing it across the enterprise. Within a week the entire enterprise noticed the benefits. The solution communicates with all employees through all devices across the organization. For me, Microsoft Defender for Endpoint is the best.

Microsoft Defender for Endpoint has saved us around two months a year of time.

The solution significantly reduced our detection and response time because it is integrated with all the devices across the enterprise. All the devices are constantly being analyzed and monitored so in the instance there is an anomaly detected we are notified and able to respond quickly.

Microsoft Defender for Endpoint is different from other security tools because we can configure it to use multiple types of scanning or archiving. Microsoft Defender is an important tool for our security arsenal. We can also use the solution to perform many tasks.

Integrating Microsoft Defender for Endpoint with other Microsoft solutions is easy as long as the organization has a proper implementation process. The devices and materials need to be organized and connected in a way that is efficient for the organization, and the implementation process must be considered.

Our integrated solutions work natively together with Microsoft Defender for Endpoint to deliver coordinated detection and response across our environment which is very important.

Sometimes the software doesn't work the way we expect it to, and in those cases, we can't communicate with a device because it may be infected. When this happens we can't access the device directly or implement the interface.

I have been using the solution for three years.

The solution is stable.

The solution is very scalable.

I give the solution a nine out of ten.

The comprehensiveness of Sentinel's security protection is linked to identity management and is very easy.

We want to find a solution that fits businesses of every size and type, but we primarily target small and medium-sized enterprises. 

Defender helps us prioritize threats across the organization. When we needed to update the patches on our endpoints, we could look at all the patches and see what still needed to be fixed. We could decide whether it's necessary to address something urgently or deploy it as part of routine monthly maintenance. It's crucial to have the insights and a report that I can show to an executive to demonstrate that we need to act fast. This is less common because most people accept your hotfixes and patches when they come out, especially monthly security updates. However, some older shops might be like, "I'm running Windows 10. No one's touching this." We still need to service and support those machines, too. 

The solution helps us automate routine tasks and alerts. There's a dashboard where I can see the statuses of my machines in the environment. It helps us breathe a little bit easier. We're responding to businesses that had shifting needs during COVID. How can we be more proactive and help them to be more proactive? We shifted from traditional PC antivirus software to stuff that's totally different. I can't say it's "set it and forget it" because that implies a lazy mentality. However, I know I have a level of protection that I can have faith in. 

Defender helps us be more proactive. I find value in the zero-day threats that get fixed from Microsoft bug fixes or security updates. I can read and research about those zero-day threats from Microsoft's public site without digging too deeply into the Defender side of things. 

We've saved some time with Defender for Endpoint because we were doing a lot of unnecessary remediation with the other products. We had a series of servers that our previous product was installed on. It would blue-screen the server at random, and you can't have that. I'm not worried about Defender impacting my system stability. We put a lot of high-performance systems out there, including PCs and backend compute. I want to ensure we won't be overburdened by unnecessary security software that may not be giving me the protection I want.

Defender's reporting saves us four hours to eight hours each month. It has many of the standard reports we need built in, so it's effortless to generate and pull from. The time we save in other areas isn't as easy to quantify. I don't have to worry about the stability of a box or a computer cluster. 

It has decreased my detection time. On Wednesday, I got emails notifying me that new vulnerabilities were detected. They weren't new, but they were newly disclosed because patches came out for them. It has enabled us to react much quicker. 

I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender.

Defender ties into the Microsoft 365 portal where many shops spend a lot of their time doing password resets or other tasks. There is much more in the Azure portal too, but the 365 portal has a list of open issues, bugs, and necessary remediation steps. If I'm working on my security score, I have all of those on an active list, which is nice.

Defender should be more accessible for small and medium-sized businesses. You have some organizations that maybe have a hundred employees, and they're focused on making their widgets. That's their nine-to-five every day. They're not thinking about that security side, but maybe they're already invested in 365 or the Azure ecosystem and having Defender as an add-on makes sense from a price perspective. It's easy to deploy, but it could be easier for some of those smaller businesses to onboard endpoints.

The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor.

We have used Defender for Endpoint for the last 18 months or so. 

Defender's stability is one of the things I love most about the solution. 

There are no limitations on Defender's scalability. I get the impression that it's designed to cater to massive enterprises with 20,000 or more endpoints, but I think there's a market for a simpler deployment, like 100 PCs, 10 servers, etc. Give me a deployment option that's simple. 

I rate Microsoft support eight out of 10. It's good overall, but it can be hit or miss depending on your issue, and sometimes you don't get the right level or technician. All of my 2023 support experiences have been stellar, but 2022 was a little inconsistent. 

Positive

The company evaluated other solutions in parallel and in tandem with it. Our trajectory shifted slightly during COVID-19, so we explored that more. We tried ESET and SentinelOne for a while. But those are apples-to-oranges comparisons. Defender for Endpoint is geared toward common reporting,  notifications, and backend stuff, whereas SentinelOne is designed to lock machines down. It has many more tendrils deep within, so they're not great comparisons. 

We decided to go with Defender because we're pretty heavily invested in the rest of the Microsoft Stack, so it made sense. However, we wanted to do our due diligence because we're already using other products. We wanted to ensure we were picking the best of breed for our customers fair enough.

We were having issues with other products like ESET, SentinelOne, and Symantec. SentinelOne is just too deep and heavy. It's like trying to shoot a fence post with a missile. It was too much. We rely on the product and trust it. It takes a little while to get there, but once you trust a product, you can move on to the next thing and know you're protected.

The onboarding process could be more straightforward. I wish the onboarding were simpler. It seems a little more ethereal than, "Hey, here's your executable, put this on every machine." That would be easier for a small shop. We're still deploying into a lot of our sites. It didn't take long at all, but it takes a while to get fully ready to deploy, 

Defender's pricing is competitive. There are ways to negotiate a better price with Microsoft or your reseller as your business grows. You can say, "Hey, I bought 365 Business, then E3, and E5. Now, I'm buying Defender, so give me bulk pricing."  There are opportunities to save as you grow that wouldn't exist if you picked a different vendor.

I rate Microsoft Defender for Endpoint eight out of 10. 

We are a Microsoft-heavy organization, so we use Microsoft Defender for Endpoint because of its compatibility with our environment and its reports, which provide good visibility into our environment and send telemetry logs to the server.

Microsoft Defender for Endpoint collects all system logs, activity logs, and threats. It then sends this data to the Office 365 security portal, where we can view all logs and use various analytics tools to forecast average bandwidth usage, identify programs used by users, and view which apps are running in our environment, including unauthorized apps. All of these insights are easily accessible if we have a complete Microsoft solution.

Microsoft Defender for Endpoint helps us prioritize threats across our enterprise. We have configured the standard settings and are using many Microsoft solutions, so we receive direct support from Microsoft. We have created many policies, including a standard policy for all apps and programs used in our organization. We have a list of these programs, and any that are in the Defender for Endpoint exclusion list, such as DLP software or trusted software, are excluded so that they do not slow down the process. We then prioritize the apps according to standard cybersecurity priorities. For example, if an application is vulnerable and not from a renowned vendor, it should be blocked.

We have integrated Sentinel with Defender for Endpoint. The integration was a few simple clicks.

Our integrated solutions work together seamlessly to provide coordinated detection and response across our environment. We like Microsoft's Advanced Threat Protection solution, which uses EDR and AI to protect endpoints. Recently, a user downloaded an unknown file, and ATP immediately flagged it. ATP then ran an automatic investigation and provided us with the results in the portal. We can then decide whether to quarantine, delete, or report the file to Microsoft Defender for Endpoint.

Microsoft provides comprehensive security products that have fulfilled all of our security needs and assured us that we have enterprise-grade security and do not need any other solutions. We have received positive results.

We use the cloud's bidirectional synchronization capabilities to synchronize our on-premises Sentinel agents with the Azure Monitor agents.

It is our requirement to have bi-directional synchronization between the cloud and on-premises environments because we now have users in both locations. This means that if a user changes their password in the cloud, it will also be updated in the local Active Directory. Additionally, we have some on-premises servers that require our SQL databases in Azure, so they communicate with the cloud bi-directionally.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. The whole point of Sentinel is to collect logs and notify us, showing us our cybersecurity posture and where we stand. It also advises us on the policies we define for our system and whether the system in our environment matches those policies, identifying any applications that are not fulfilling those policies.

Sentinel provides visibility into our environment and we can investigate and respond to threats through Defender.

In the context of user and entity behavior analytics, Sentinel is very effective. It can identify high- and low-risk users by analyzing their daily usage activities, such as the applications they access, the websites they visit, and how they handle data. Sentinel then segregates users into high-risk and low-risk groups based on this analysis. This gives us good visibility into user behavior, which is essential for protecting our organization. While Sentinel has other capabilities, we are currently using it for UEBA.

Microsoft security has helped us save about 30 hours per month, reducing our workload.

Microsoft security has helped us save costs. In our company, we have different Office 365 licenses, including E5, E3, and F5. Some of the security add-ins are free with these subscriptions. For example, the E5 license includes SIEM, Office 365, Defender for Endpoint, and an Active Directory P1 subscription. This means that we do not have to purchase these add-ins separately, as they are included in our licensing.

Defender for Endpoint has reduced our time to detect and respond. Once an incident has occurred the AI automatically takes action and provides us with a detailed report of the investigation. It takes five to ten minutes to resolve an incident.

To have full visibility, we must access multiple dashboards, which is a problem because they change frequently, with daily updates to naming conventions. A single dashboard would be a significant improvement.

I have been using Microsoft Defender for Endpoint for seven months.

Microsoft Defender for Endpoint is extremely stable.

Microsoft Defender for Endpoint is easily scalable because it is compatible with a variety of Windows and Linux machines.

Technical support is good. We usually receive a response with a solution within 24 hours.

Neutral

We are currently evaluating CrowdStrike and a few other solutions.

I would rate Microsoft Defender for Endpoint eight out of ten.

Microsoft-heavy organizations should avoid using third-party SIEM solutions, as the compatibility issues would require significant effort from the IT department to configure them with Microsoft applications.

Microsoft Defender for Endpoint is a detection system, not a prevention system. We receive alerts after a threat has occurred.

It is better to choose a single company security solution because it will free up time to focus on the environment and identify loopholes. Rather than using three or four third-party software programs, which would require us to spend more time learning about them and resolving compatibility issues, a single solution would provide a better view of the environment.

We use Microsoft Defender for Endpoint to protect our work environment.

The endpoint provides good visibility into threats. However, working with Microsoft Defender for Endpoint and its control panel can be challenging, especially when dealing with features such as compliance and cloud app security details. Nevertheless, with enough experience, it becomes a useful tool for threat detection. Although it may be difficult to work with initially, it is an essential instrument for information security.

Microsoft Defender for Endpoint helps us prioritize threats across our enterprise.

The integration of Microsoft Defender for Endpoint with other Microsoft solutions is easy. The integrated Microsoft solutions work natively with each other.

The level of comprehensiveness provided by all of the integrated solutions is satisfactory.

Microsoft Sentinel allows us to investigate and respond to threats from one place.

Microsoft Defender for Endpoint helps automate routine tasks and find high-value alerts. The solution has a powerful advanced query that we can schedule to run automatically.

Microsoft Defender for Endpoint simplifies the use of multiple dashboards by providing a single XDR feature. This is a beneficial feature, but my reliance is on the 50 automated rules that run on a schedule to keep me informed of any incidents.

The automatic rules and policies that we apply using Microsoft Defender for Endpoint save us around four hours per day.

Microsoft Defender for Endpoint has saved our organization money by protecting the environment from threats.

Microsoft Defender for Endpoint has reduced our time to detect and respond to security threats by consolidating all relevant information in a single panel within a web portal. This enables us to quickly review and respond to potential threats, thus improving our ability to mitigate risks effectively.

Microsoft Defender for Endpoint has helped our organization by working to identify threats quickly before they become a problem. 

The integration with all variations of Microsoft Defender, for Endpoint, 365, and Cloud is valuable.

The time it takes to implement policies has room for improvement. When we create policies or configure file profiles and assign them to specific groups, Microsoft Defender for Endpoint will apply these rules accordingly. If we need to make changes to the policy, it can take up to thirty minutes or even two to three hours for the changes to take effect on Microsoft Defender for Endpoint. This waiting period can be a significant amount of time to implement changes. It is at times quicker to create new policies than to make changes to existing policies.

We are experiencing problems with certain Samsung Android mobile devices that have Microsoft Defender for Endpoint installed. Specifically, when attempting to log into the corporate profile, users are prompted multiple times to enter their credentials.

I have been using Microsoft Defender for Endpoint for two years.

Microsoft Defender for Endpoint is extremely stable.

Microsoft Defender for Endpoint is scalable.

The technical support team is professional.

Positive

We previously used a separate antivirus and endpoint solution called Cynet but it was not very useful. Our organization moved into the Cloud so we decided to use Microsoft Defender for Endpoint.

We deployed Microsoft Defender for Endpoint across multiple locations in our organization.

We evaluated Splunk and Microsoft 365 before the head of our company chose Microsoft Defender for Endpoint.

I give Microsoft Defender for Endpoint an eight out of ten.

No maintenance is required on our end for Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is a powerful tool and I recommend it.

Using a single vendor security suite carries inherent risks, but with a well-established company like Microsoft, those risks are significantly reduced, and it's more cost-effective than using multiple best-of-breed solutions to achieve the same level of security.

We use Microsoft Defender for Endpoint to manage the firewall and provide endpoint security, such as antivirus protection, on the endpoint.

The visibility of threats is excellent. The most difficult aspect of Microsoft Defender for Endpoint, especially for a small MSP, is the amount of information that needs to be filtered through. There is a lot that can be done in the portal, so it requires someone to spend a lot of time going through all the settings and making sure any issues are resolved. This is why we added Huntress to it, as it helps with the identification of other issues.

Microsoft Defender for Endpoint helps prioritize threats across the enterprise. The great thing about the Defender portal is that if there is a new issue, it highlights the issue for us in the portal, enabling us to easily check the CVE report to see which devices are affected, and make the necessary changes.

The major advantage of Microsoft Defender for Endpoint for us is that we receive a great deal of information. Initially, when we encountered the solution, the most difficult thing was that there was a lot more detail to go through, a lot more logs, and settings that we had to configure. However, once we had everything in place, as we are covering so many devices using the same solution, we were able to make a significant impact on our security.

The solution helps automate the high-value alerts to identify the devices that are at high risk of attack, but we still have to remediate ourselves.

We still enjoy jumping between Defender and Huntress' portals. Microsoft has removed the need for a large number of solutions as the Defender portal itself encompasses a great deal. This is both good and bad as they continue to add to the Defender portal. For a small team, it can be quite overwhelming to have to go through the one Defender portal. However, if the team was larger and we had more dedicated staff, it would be great as everything would be in one place.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they occur and take proactive steps based on the CVE reports, which advise us which devices have higher threat issues.

Being aware of the issues is a good thing, and with solutions like Webroot Business Endpoint Protection, we may think everything is fine as long as the antivirus is installed. However, with Microsoft Defender for Endpoint, we are given a lot of information and become more aware of the issues. This helps us strive to reach the 100 mark on the security score.

Microsoft Defender for Endpoint has saved time by preventing attacks from occurring, and I have been able to rely on it. In contrast, when we used Webroot Business Endpoint Protection, we installed it and then largely forgot about it, assuming it would take care of itself. Webroot rarely gave us any warnings, which may have been due to the product not knowing what to do or not having anything to alert us about. On the other hand, Defender is constantly active and provides us with updates about the endpoints. This may take up more time, as it is making us aware of a lot of other things.

Microsoft Defender for Endpoint is more expensive than Webroot Business Endpoint Protection. However, the value is there in terms of the product we are getting. The cost savings with Microsoft Defender for Endpoint come from being aware of the issues and taking steps to prevent them from occurring. The savings come from avoiding the issues.

Microsoft Defender for Endpoints has a quick response time when it detects a threat. From what I've seen, the system is quite fast. It's not instantaneous when changes are made in the portal and sent to the endpoint, but it is still quick.

The most valuable feature of Microsoft Defender for Endpoint is its ability to bring together all the data, providing more information than just antivirus hits. Additionally, it has a useful security score that is tied into the Defender platform, giving us a better understanding of what is happening at the endpoint.

Microsoft often changes the names of its products, the design of its portals, and what is included in them. This can be confusing for people who are not using them regularly. There is a lot of information to take in, and the portals tend to change quickly due to the fast-paced nature of the industry. This can be frustrating when something that was there one day is gone the next.

I would like to see when NDR solutions become more widespread in other regions. It would be amazing to observe how that progresses. It is something that we are considering, having Microsoft do part of the work using the dependent portal instead of having engineers from our own company do it. Therefore, I am eager to see where that goes.

The stability has room for improvement.

I have been using the solution for over one year.

When testing to see if the antivirus solution is working properly with a lot of different events occurring on the device, we found that the Defender interface can become cluttered. The solution does not always give us a real-time view of what is happening, making it difficult to navigate the user interface. Therefore, there is potential for improvement in terms of stability.

We've deployed the solution in small environments and larger ones. So we haven't had any issues going between the two. Microsoft Defender for Endpoint is scalable.

We have encountered two technical issues in the past. The support team was very competent, and when I contacted Microsoft support, they were extremely helpful.

Positive

We had previously used Webroot Business Endpoint Protection, Bitdefender GravityZone, CrowdStrike Falcon, and Cortex XDR by Palo Alto Networks. Microsoft Defender for Endpoint is now included in our licenses, making it an easy addition for many of our clients since some of them already had the licenses that included the solution. Moreover, since many of us already use Microsoft products and portals daily, we were comfortable with Microsoft and the solution did not require a lot of retraining. Additionally, the price was another factor that made the solution attractive; CrowdStrike and the requirements associated with it are too costly for some of our clients.

The initial setup is not complex. It is more cumbersome than Huntress because it is not just an installer. We have a package that needs to be deployed to a few machines. We can run a script, or use a GPO package to distribute it. Although it is not as easy as some of the other smaller solutions, it is still quite simple. We can roll out a group policy. The deployment didn't take long at all. We had already set people up with licenses to access a Hive with Microsoft, so the deployment solution was straightforward. Most of our clients also have directories managed through Azure, which made the rollout easy.

The deployment process requiring engineering numbers or similar is very minimal as it can be done through a single group policy.

The implementations are completed in-house for our clients.

The licensing costs for Microsoft Defender for Endpoint are reasonable.

I give the solution an eight out of ten. When discussing Microsoft Defender with other engineers, we agree that it can be challenging to become accustomed to and comprehend the UI at first. Once we have a grasp on the UI, it is excellent; however, initially, it is difficult to learn.

Microsoft Defender for Endpoint is deployed in systems located in data centers and on-premises, providing a wide range of devices. Approximately two thousand endpoint devices are in use.

Since the solution is a Windows subsystem, it is not difficult to maintain. We utilize a management solution to run many of those updates regularly, ensuring that they are completed regularly.

No single solution or vendor has all the answers, and it can be risky to rely on just one source. If an attack occurs and we are only using one form of security, if it is breached, the attackers will have unfettered access. Therefore, I believe it is beneficial to have a multi-layered approach, utilizing multiple solutions and vendors with different technologies that can work together.

I suggest people do some Microsoft training regarding the Defender platform to become comfortable with it before deploying it to understand exactly what is necessary to make it work.

Initially, I was running a different endpoint security program but it did not have a dashboard that met my needs. It would only do on-premises. If laptops, desktops, or VDIs were remote, such as people working from home or in a different office, my VDIs—which are really just on-premises but they're in a separate subnet in VMware, Windows 10, Windows 7, Windows 11, 2008, all the way up to 2022—I could only get the servers that were on-prem. That solution had a management console but there was no integrated console within Microsoft so that I could cover all bases. I deployed Defender for Endpoint and now I'm able to see them in there. For some, I've still got the old AMP on them, but Defender will run in passive mode and let AMP run and report to its own console.

The reason I don't want to run AMP, primarily, is that it's a resource hog. Defender for Endpoint integrates it and automatically comes with the Windows operating system or Windows Server Desktop. Plus I can use Defender for IoT and see, on my network—which is a home lab company—my routers, my switches, and, believe it or not, my televisions and refrigerators; the IoT devices that I might have on my network. And that integrates into Defender for Endpoint.

And with Sentinel, I'm hoping to pull that into logs that I have for my cloud-based and on-premises-based servers so I have one pane of glass that will alert me if something is going on. It will correlate those logs from Defender on every endpoint and put them into one incident if there are alerts to be had.

It probably could help me prepare for potential threats before they hit. The nice thing about it is that it has filtering. I can filter on different logs and say, "I'm looking for this user and every place he ever logged into. I can filter on his name and the scope of the machines I'm looking at. If there's a bad actor, a different version of software, I can pull that up. It has simple filtering and advanced filters, which really help out a lot. It does speed things up.

I rely a lot on Defender for Endpoint to find a lot of stuff for me. With Microsoft knowing about a threat in the wild, something that hasn't hit me yet but it's out there and I'm vulnerable to it, it will detect those vulnerable systems for me. I rely on that to patch or update that operating system.

When you install an OS, it could be a year old, it could be brand-new, or it could be five years old and it's not patched and updated. Sometimes there are apps on it, from Google or Adobe for example. This will tell me that my Adobe Acrobat has so many vulnerabilities and that I need to bring it up to this date because I've got 13 vulnerabilities that could be hacked. I rely on it quite a bit to pull those notices together and alert me on what needs to be updated. I don't have to actually hunt for a lot of it. It does the hunting for me automatically.

The features I found to be most valuable in Defender for Endpoint are its alerting, policies, and threat-hunting.

For threat-hunting, I'll put some threats in a test scenario. I've downloaded known viruses that are out in the public for testing. They're not really a virus but they've got a signature. Defender for Endpoint will automatically find those, quarantine them for me, and alert me to what it did. It gives me "automated eyes."

A lot of it is hands-off. It just deploys and it updates by itself. With other applications, like McAfee or AMP, I'll have to download a new version and make sure that the signatures were applied. With Defender, one of the things I like is that it has automatic updates.

And Defender has other integrations with Microsoft that are of benefit. It will tell me that certificates are out of date for my certificate server; I've deployed certificates to my laptops or VDIs or servers or switches. There's an automation routine that I can kick in using KQL—Kustom Query Language—so that it automatically remediates the issues that it finds.

And the visibility into threats that Defender for Endpoint provides is fantastic. Since it is a Microsoft product, and they have it deployed worldwide, they pull over a couple of trillion data points a day from other companies and countries. They've got teams of security analysts or researchers who are constantly updating these and they feed me that information. I'll know about a threat that might be down the road or I might be susceptible to, something that I could patch. It tells me if there is a known fix or if there isn't, in which case I might have to go in a different direction. It's the might behind Microsoft. It pulls in all that information so everybody else can see it.

In addition, with the data connectors for Azure or containers or even M365, threats are automatically classified as high, medium, low, or informational. If they're not classified, I can classify them myself or set a priority on them as to whether they need to be looked at right away, whether they're active or in process or resolved.

Microsoft security products provide a little more comprehensive protection than some of the other offerings. One great thing about it is that it's part of the operating system and it's already turned on when you deploy the OS.

But if you do have a third party, like AMP or McAfee for example, Defender will run in passive mode. That means it's not constantly doing a scan, virus check, or malware check. Still, if you open an email, write a document, or load a USB key to copy files, it would scan in all those situations. But in passive mode, it scans once a day, I believe. It does a device discovery and it will tell you, "We found this software, we found these documents, you did have malware or a virus and it has been quarantined." And that's in passive mode.

If you put it in active mode, without the third-party virus and malware checkers, Defender for Endpoint will give you a software inventory and a timeline of every key that was clicked in case you had a bad actor that infiltrated your network or your machine. If an employee went to a rogue support site and downloaded some software, and let somebody in, it would alert me through UEBA: "There is unique behavior that we don't normally see from this person. They don't normally access this site. The alert would tell me which site had been accessed and that software had been downloaded. It would tell me the time it was installed and what it did—every keystroke. That's with Defender for Endpoint being active.

In active mode, it's great that it gives you so much information, but it does record every keystroke so you have a lot of logs. For my home business, I had to turn off quite a bit because the data that it does gather is every event and activity that happens on a server or laptop. For my little testing scenario, it was overwhelming.

I know what I have on my machines so that amount of data logging started to add up in the cost. That's the only downside to Sentinel and Defender that I can see so far: You have to log and store that data somewhere, and it normally stores it in the cloud, unless you have an on-premises SIEM that you can download those logs into directly and store things on your own hard drives.

I had a $200 credit with Microsoft Azure and I didn't pay attention to it and it ate up $179 of that credit in the first two days because I had Defender for Endpoint check DNS to make sure that I wasn't getting spoofed or targeted.

You have to keep an eye on the Sentinel and Defender for Endpoint storage.

I have been using Defender for Endpoint since about November, so about three months.

It's pretty stable.

With a browser or web-based system, it might confuse things, saying, "You don't have access," because you should have logged in with your admin credentials but you logged in with your standard user credentials because you are on the same desktop.

For my home business I just have basic support. I submit a ticket and they get back to me in a couple of days.

Positive

My company isn't off the ground yet, it's basically going to be a family medical practice run by my wife and me. I'm an IT guy and she's a nurse practitioner and, eventually, she wants to work for herself. I'm doing the background and since I do use it for my regular job, I'm doing this on my own labs as well with trial software or things I've bought subscriptions for. I've bought Microsoft E5 so a lot of it is out-of-pocket and on a shoestring budget.

The nice thing about Defender and Sentinel is that the cost is based on the data logs that you ingest from the Defender endpoints and data connectors. I don't have to buy a 25- or 50- or 1,000-user or enterprise license. I can buy one license at a time. For small mom-and-pop shops, that's very important. A lot of startups don't have that kind of budget for enterprise-wide scalability, especially when they don't have many devices in the first place.

Defender for IoT is an add-on to Defender for Endpoint. It's there, but you have to onboard it. I don't really have enough devices, other than my home base, but in a regular business it would find all the switches, routers, security cameras, monitors, printers, modems, and anything else you have attached. With Defender for Endpoint, you need to have an operating system—Linux, Windows, et cetera—to deploy it.

A refrigerator or a camera or a security device doesn't really have a Windows-based operating system on which to deploy the agent. So IoT, within Defender, will scan those devices, find them, and let you know that it found them. It does that out-of-the-box with Defender for Endpoint. If you want to see the actual operating system of IoT devices and get alerts that something is out of date or has vulnerabilities, you have to get a subscription to IoT, which I hope to do.

There's a lot to learn when it comes to using Defender for Endpoint to automate routine tasks and find high-value alerts. KQL is a structured query language for hunting. If I have data ingestion from M365 logs, Defender for Containers, Defender for Storage, and AWS, Defender for Endpoint or Sentinel will allow me to hook up connectors to pull all of those logs into a "master database" with different tables that contain those logs. There are routines that are already written that say, "If you're looking for this type of an event that started with this application that went to a SQL server that was stored on this server that was accessed from a laptop where the guy went through a browser and went to this particular rogue network," and they access all those tables in that master database.

KQL allows me to tap into each of those different tables and correlate like events or like data, and pull it all into an alert or a threat hunt. It's something to master. It's sort of like regular SQL, but there are a lot of tables and schemas and you have to know what the tables and headers and columns and fields are, and then the syntax. It does threat-hunting really well with the canned queries that it has. But if you're looking for something in particular, you need to learn KQL. A SQL Server database admin would know SQL and how to pull data out of tables and do joins, commits, and transaction rollbacks. KQL is on that same level where you have to be an expert in KQL to actually pull all that stuff together. It's quite the learning curve, but there are courses out there that teach you.

I've been doing systems administration and engineering server admin things for quite some time, a couple of decades since Windows came out, and a little bit before that. But jumping over into the security space for my home business, and putting all these things together with Defender and Sentinel, has been a learning curve. It has slowed me down a little bit. A while back, security was always an issue for security teams. Now that I'm working on my own company, I'm a one-man show. But at the same time, I know there are a lot of bad actors out there.

We primarily use the solution for security. For most clients, we deploy the solution for security purposes. Some clients just deploy it as part of Microsoft. Some haven't fully set it up even though they've paid for it. Some may be deployed and set it up and then have it disabled. 

They've grown the solution into an XDR EDR type of solution. It's nice. Everyone is going in the same direction. There are good process flows and features that make permissions and setup easier if clients are all under Microsoft.

If you get it set up correctly, it just works. 

It does help us prioritize issues. It depends on how the user has it set up, however. You can make a very nice pane of glass. It depends on who it's set up for and what they are doing with it. Some people throw the Windows Defender EDR solution out there and walk away. It does you no good if you're not sitting there watching it, monitoring and setting it up to get the feeds and the alerts and everything else.

It integrates really well with other security tools. That's something they've done very well. Integration between Microsoft products is very easy. It also works well with API plugins, etc. It works natively with detection and response across the whole environment. There may be pieces that may be tuned or integrated correctly. However, it's all pretty seamless.

The threat protection is pretty comprehensive.  

Defender helps automate routine tasks and find high-value alerts. It's a one-stop shop. You can do integration, for example, with Microsoft Teams. It depends on the business you want to run. A mom-and-pop shop may not need so many tasks sent to very specific people. For larger enterprises, having the same tool across the board makes it very easy.

Defender Endpoint does help prepare for potential threats before they hit. When you're looking at signature-based AV, Defender, just like everyone else, will pick up something known. However, when it comes to user behavior analysis, that's a bit more complicated. 

We've saved five hours or less per month in terms of saving time.

I might help clients save money, depending on the size of the organization. With Defender, you are just paying for licensing. It's all moved to the cloud. 

If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket.

Since they are linked to the operating system, they should have good visibility on what is malicious and what is not. They should be at the forefront in that area. However, they are doing what everyone is doing - especially in threat sharing. Pretty much any EDR solution has the same intelligence. Microsoft should go further since they do develop so much underlying infrastructure since they've "built the house" they should know everything about it. They should be more intuitive.

I haven't been using the solution for too long. I've started using it recently. However, Defender has been around for years.

Technical support is always good. There are different levels you can pay for. I personally have never had to use support for the Defender product. Getting really good technical support depends on what partner level you are. 

I'm also familiar with Sentinel and CrowdStrike. I do move my clients towards third parties and don't necessarily try to set them up under just Microsoft.

Inherently, everyone is using the trend intel. They share and ingest threat information. The intel is there. Some organizations may do it a bit better if you were ranking them. However, Microsoft's job isn't necessarily security. They have cloud infrastructure, et cetera. Unlike CrowdStrike, where security is their bread and butter. For Microsoft, Defender has always been the last on their list in terms of priorities.

Calculating ROI would depend on what your overall security posture is for your entire organization. If you are just trying to do PCI compliance, you may be opening yourself up to threats down the line. Also, if you are never updating, et cetera, you might be a target for ransomware. However, if you take the time to diversify and watch your systems regularly, you will see more ROI.

The solution is cost-effective as it is on-cloud. You don't need to accrue costs related to hosting. 

The pricing is fair. However, it depends on what you are trying to buy and what size your organization is. 

I'm a Microsoft partner. 

This solution does not make my top five.

As far as relatively decent, I'd say they are okay. I'd rate it seven out of ten. However, it's always the number one thing threat actors are targeting. 

The solution is used as an endpoint solution to provide a 360-degree portfolio around an endpoint. It acts as a next-gen antivirus. 

It’s included with the Microsoft licensing, so we don't need multiple licenses.

Microsoft is very effective in device control. If there is malware that is coming in, It is very quick to remove it. It doesn't let it gain a footprint on your drive, so that prevents further damage from happening to the endpoint.

This solution helps us prioritize threats across our enterprise. When we are looking at our current scenario, post-COVID, most of the employees of the clients that we are dealing with are remote. When it comes to remote, you can make sure that they're logging in to VPN, however, most of their time is online and we need a product that is actively protecting them even if a user is not on a VPN or a company network. This product integrates very well with Windows due to the fact that it's a Microsoft product. It's giving users the protection that they need while ensuring businesses don’t have to spend extra on licenses.

We are using other Microsoft products. Including CASB integrated with our endpoint. We’re also using Azure, for example, and Microsoft Defender for Cloud as well as Sentinel (although a different team manages it). We have seen a very hybrid kind of environment with one of our clients where they were using an on-prem solution throughout, and they were aiming to move to the cloud. It becomes very easy to integrate everything and move most of their infrastructure to the cloud. It does take time and effort, however, with everything integrated, you can get it done. Microsoft solutions also work natively together. That’s a big strength. Everything communicates seamlessly.

We have very good visibility on our endpoints. The level of information it throws back is helpful.

How long it takes to see the level of benefits will depend on the deployment. Our deployment took two months for one client. Within a month’s time, they started seeing the benefits. We had a substantial number of endpoints to roll out, however, we began to note benefits pretty fast.

Microsoft Defender for Endpoint helps automate the finding of high-value alerts. It still needs to mature a little bit. Overall, we are seeing very security-intensive products and Microsoft still has a lot to learn.

It helped eliminate having to worry about multiple dashboards. Now, we have one single dashboard where our team takes care of everything. That has been very helpful. It makes the team focus on one single product. That helps prepare us for potential threats before they hit. We get fairly decent visibility into what's happening. Since we have one single dashboard that is giving us all the information, it becomes very easy for the team to react to incidents as well.

Overall, the solution has saved time. Previously, while we were doing deployment, most of our time was spent figuring out how to handle the products that are not natively from Microsoft. We had to figure out how we could integrate to get the most out of our products. Now, with Microsoft, we have all the integrations present in one place.

On average, we’ve likely saved nine to 12 hours weekly just by having one single Microsoft dashboard.

We’ve saved money, too. Considering it comes under one existing license, we don’t have to spend money separately or buy another license to get all the features we need.

The solution decreased our time to detection and time to respond. Our turnaround is better. From the moment we receive an alert to the moment we close the case, we’ve seen a reduction of 18% to 20% overall.

The visibility of threats needs to improve a bit. It still has to learn a lot. Where we stand right now, compared to other products that are there in the market, they still have to work on their threat intelligence and the overall maturity of detecting the malware. Sometimes we have seen instances where they have wrongly identified the malware. That is something that we would really hope that Microsoft works on.

Microsoft has to improve the efficacy of the product further. When we are talking about a security product, there are minor frameworks and there are close to 145 different techniques that we are talking about. It broadly categorizes into types yet it doesn't drill it down to techniques, which gives us a very specific idea of what they are aiming for. 

I've been using the solution for the past one and a half years as a solution architect to design and deliver EDR solutions. 

The product is fairly stable. 

The solution can scale. We scaled up initially from 500 to 32,00 endpoints and it was fine. 

We've had to contact support in the past and found them to be very effective. They are knowledgeable in their approach. However, the tasks can be a bit time-consuming.

Positive

We are using CrowdStrike, Palo Alto XDR, and a lot of different products. The client using CrowdStrike may have moved to Defender based on the cost.

The initial setup was simple. 

There is a bit of maintenance required around data retention. It has a data retention period of 80 or 90 days depending on the configuration. We make it a habit of filing data for compliance purposes. Two to three people are normally involved with the maintenance aspect. It's not resource-intensive. 

We are the third party. We help clients implement the solution. 

We have witnessed an ROI. 

The product is very cheap compared to other options. It's very affordable, which is why Microsoft is gaining a foothold in terms of client acquisition.

We're a Microsoft partner. 

I'd rate the product seven out of ten. 

You can spend a lot of money to get a very specific security tool, however, if you don't have the money, Defender does a pretty good job for you.