Senior System Engineer at a sports company with 5,001-10,000 employees
Email threat detection optimized with enhanced alert speed
Pros and Cons
- "The Email Explorer feature has proven invaluable, offering a broader perspective than automated alerts and incidents alone."
- "Microsoft Defender XDR has significantly improved our operational security."
- "Microsoft Defender XDR could be improved in terms of speed, especially backend speed."
- "The technical support from Microsoft Defender XDR has been disappointingly slow, to the point that I am considering not renewing my unified support contract."
What is our primary use case?
Our primary use of Microsoft Defender XDR is for threat hunting and monitoring potential threats entering through email and URLs. We use the full suite, including Defender for Endpoint, Defender for Office 365, and Defender for CloudOps, especially now that we have upgraded to M5.
How has it helped my organization?
Microsoft Defender XDR has significantly improved our operational security. We've observed a notable decrease in click rates since implementing attack simulations, and the overall response to these campaigns has been positive.
Since activating the M5 feature set, we have observed a decrease in malicious clicks and faster incident alerts.
What is most valuable?
The Email Explorer feature has proven invaluable, offering a broader perspective than automated alerts and incidents alone. Its comprehensive view has simplified the process of targeting and identifying specific threats, including those initially missed but subsequently flagged, enhancing our overall threat detection capabilities.
What needs improvement?
Microsoft Defender XDR could be improved in terms of speed, especially backend speed. Additionally, some of the automated workflows in Intune, particularly the zero-hour purge, do not always trigger promptly.
Buyer's Guide
Microsoft Defender XDR
January 2025
Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft Defender XDR for two years now.
What do I think about the stability of the solution?
Microsoft Defender XDR has maintained high stability despite various service alerts. These alerts are targeted and informative, clearly indicating any potential functionality issues. The service has remained consistently online, with any issues isolated to specific components, suggesting a well-designed and modular architecture.
What do I think about the scalability of the solution?
Our company has not experienced any scalability issues. As a medium-sized XDR company, scaling has not presented any challenges.
How are customer service and support?
The technical support from Microsoft Defender XDR has been disappointingly slow, to the point that I am considering not renewing my unified support contract. However, I have not yet made a final decision.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
We previously used Mimecast for email and Cylance for endpoints. We did not have any solutions for cloud apps. We switched to Microsoft Defender XDR because we already had the licensing for it, and it did not make sense to pay twice for a similar product.
How was the initial setup?
The initial setup of Microsoft Defender XDR was straightforward, and we have not encountered any deployment issues. It was easy to manage with the bundled features.
What about the implementation team?
We did not use an integrator, reseller, or consultant for the deployment of Microsoft Defender XDR. Most of the deployment was done in-house.
What was our ROI?
Ever since we turned on the M5 feature set back in June, we have seen a reduced number of potentially malicious clicks and faster alerting when incidents occur. It has improved our security posture.
What's my experience with pricing, setup cost, and licensing?
The bundling of software makes it easier to manage our setup, but Microsoft purposefully obfuscates this through marketing ploys to hide costs. Although this can be challenging, ultimately, it simplifies budgeting.
Which other solutions did I evaluate?
We evaluated several options before switching to Microsoft Defender XDR, but ultimately chose it due to cost-effectiveness, as its features were already included in our existing license, though previously unused.
What other advice do I have?
I would rate Microsoft Defender XDR an eight out of ten. I believe it is underrated by many, and some companies miss out by not knowing how to configure it properly. Microsoft's pricing makes setups difficult to manage, but the overall value is significant.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Nov 24, 2024
SysAdmin Engineer at FileVine, LLC
Features a straightforward and user-friendly interface, excellent visibility into threats, and integration with other Microsoft security products
Pros and Cons
- "The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update."
- "Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed."
What is our primary use case?
At FileVine, we provide case management software for attorneys, so we have considerable SOC 2 compliance requirements. We need more than a firewall; we also need a solution that helps us upkeep and manage devices, laptops, etc. 365 Defender fulfills these requirements, and SOC 2 compliance is our primary use case.
We're a hybrid company using both Macs and Dells, deployed across multiple regions.
How has it helped my organization?
The solution helps us improve compliance regarding end users installing updates. It clarifies which users need to update and how they can go into Terminal or PowerShell to perform that process. We don't have to waste time looking for what needs to be done, which is a useful functionality. The product automatically informs us of high and low priorities, which is great; it allows us to deal with the most significant priorities first.
365 Defender helps us automate routine tasks, and we get updated daily. We can integrate Splunk to see what's going on and what needs to be updated. Automation significantly impacts our security operations; it feels like we have a vault around us that nobody can breach.
What is most valuable?
The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update.
The visibility into threats provided by the solution is excellent. When a threat triggers a response based on our set rules, it's stopped, and we are notified via email. We can then analyze the threat and make a decision; this entire process is straightforward and user-friendly.
The product helps us prioritize threats across the enterprise, especially in the legal domain. It is very valuable, and one of the reasons we have been so successful at Filevine is the security measures we have in place. We use many tools, one of them being Microsoft 365 Defender, which significantly contributes to our IT team and company's success.
Our integration of multiple solutions helps to deliver a coordinated detection and response in our environment. We integrate with Zscaler, which is very easy and manageable. We thought it might be difficult, but it works very well. Much like a car, our security system is composed of many moving parts working together, which helps us move forward as a company and thrive in a relatively challenging economic time.
The comprehensiveness of the threat protection provided by using multiple Microsoft security products is excellent. It's a simple system; we have incoming and outgoing traffic rules. When a rule is triggered, we are notified by email to look over the situation. For example, we can see viruses and malicious actors attempting to breach our security and respond by blacklisting the IP address. Sometimes, we gather information and pass it on to the FBI, as we have many SOC 2 clients.
365 Defender helped eliminate multiple dashboards, which is great because I like to be as minimalistic as possible regarding dashboards. Now, I only have to look at one or two at most, simplifying the security landscape, and I love that about the tool.
The solution's threat intelligence helps us prepare for potential threats before they hit; most recently, we were protected from the August 2022 Apple hack. We had measures in place, so none of our devices were affected. We were spared any data compromise, and it's an excellent example of why we invest in security solutions. It builds our confidence and strengthens our case with the higher-ups for increasing and maintaining our cybersecurity budget.
The product certainly saves us time. We trust in the protection and can focus on different projects, including automation, so we don't have to spend time dealing with issues and security breaches. I'd say we save four or five hours a week.
365 Defender saves us a lot of money because we don't have to recover data or hire outside lawyers to help us with legal trouble. We don't need to invest in physical products or external security teams and solutions. We can keep our security operation within the company, so all our money is invested in people who care about our product and business.
The solution quickly notifies us when a threat is detected, increasing our response speed. Other products I used in the past sometimes had significant delays with notifications, which is far from ideal when dealing with potential security threats.
What needs improvement?
Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed.
For how long have I used the solution?
I have been using the solution for a few years.
What do I think about the stability of the solution?
The solution is very stable with low latency.
What do I think about the scalability of the solution?
The product is highly scalable, which is fantastic because we have been expanding significantly. It's up and running and good to go very quickly, which has been excellent for our expansion in Florida, New York, Maine, and Canada.
How are customer service and support?
I have yet to contact support. One thing that helps in this regard is that I have an AZ-900 handbook with Microsoft fundamentals.
Which solution did I use previously and why did I switch?
365 Defender was already in place when I was brought into the company, but they previously used Jamf Protect. They switched because it cost too much and wasn't fulfilling the requirements. It didn't perform as well as 365.
How was the initial setup?
I can't speak to the setup as the solution was in place when I arrived at the company. However, 365 Defender is one of the most lightweight tools we use in terms of maintenance. We keep it up to date, and it works very well.
What was our ROI?
I would say the solution gives us a significant ROI, especially considering the issues in the industry recently. Russia and China hacked many companies, but we never had that problem, and that's a lot of money saved for us. That's not entirely because of 365 Defender, but also thanks to our excellent security team and the robust toolset at our disposal to protect our operation.
What's my experience with pricing, setup cost, and licensing?
The solution is affordable, and we haven't been hit with any hidden costs. The subscription model is straightforward, and it's easy to understand how much additional features cost. If we need to cancel a license or feature, we do that well in advance to avoid being charged for it, but overall, the pricing and licensing are simple and easy.
What other advice do I have?
I would rate the solution an eight out of ten.
We use multiple Microsoft security products, including Defender for Endpoint, MFA as a standard on all work laptops and computers, and Endpoint Manager. We use additional tools to protect the Mac side of our operation. We use Microsoft Intune, some other MDMs, and some other assets from Defender for Cloud, and for cloud security, we use GCP, Azure, and AWS.
Many of these products are integrated, and the integration was relatively straightforward. It was somewhat time-consuming as we previously used Jamf Protect for a long time, so switching our entire infrastructure over to the new products took some time.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Has drastically improved our user experience and reduced our support tickets
Pros and Cons
- "From an attack chain perspective, Defender XDR handles phishing and spam emails easily, while Defender for Endpoint manages endpoints effectively. We've drastically improved our user experience."
- "I rate Microsoft Defender XDR 10 out of 10."
- "It would be beneficial to reduce the number of clicks required to navigate between blades, as the current navigation and breadcrumb system can be a bit confusing. Some inconsistencies exist between blades, which could be improved for a more seamless user and UI experience."
What is our primary use case?
We offer an MDR service and use Microsoft Defender XDR with Defender for Endpoint, Defender for Cloud Apps, and Defender for Cloud.
How has it helped my organization?
Having Microsoft Defender XDR integrated into our ecosystem has helped provide a single pane of glass for identifying, monitoring, and responding to issues across multiple customers.
What is most valuable?
From an attack chain perspective, Defender XDR handles phishing and spam emails easily, while Defender for Endpoint manages endpoints effectively. We've drastically improved our user experience. Even though we have Check Point in place, without adding complexity, XDR helps manage a significant baseline, enhancing user productivity by reducing signals significantly. The ability to report phishing is more accessible with the add-on features in Outlook.
What needs improvement?
It would be beneficial to reduce the number of clicks required to navigate between blades, as the current navigation and breadcrumb system can be a bit confusing. Some inconsistencies exist between blades, which could be improved for a more seamless user and UI experience.
For how long have I used the solution?
We have used Defender XDR for just over a year now.
What do I think about the stability of the solution?
The services within our ecosystem have been reliable, meeting their SLAs. However, sometimes the experience feels congested, likely due to increased usage, which indicates high adoption levels.
What do I think about the scalability of the solution?
Microsoft Defender XDR shows tremendous scalability, much more so than on-premises solutions. Microsoft has ensured these capabilities are available for its customers.
How are customer service and support?
Support has gotten better, but there is room for improvement. It's critical to escalate SEV B issues immediately to a domestic engineer. Having a CSAM makes a significant difference.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have always worked with Microsoft solutions for the past twenty-five years, expanding my knowledge to include third-party solutions as Microsoft evolves rapidly.
How was the initial setup?
The deployment wasn't intuitive, but it was simple for me. The documentation helps despite a few gaps when they roll out new features. You need to understand the technology before you implement it. Read up as much as you can before establishing a dev tenant, implementing, testing, and then piloting in production.
What about the implementation team?
I wasn't part of the M&A transition, so I'm unaware if a Microsoft partner was involved. I've served as a consultant with various Microsoft Gold partners, and without those partners, adoption would have been more challenging.
What was our ROI?
From a support desk perspective, there has been a decrease in support requests and an increase in user productivity. Although I don't have exact statistics, user experience has improved significantly, which is crucial for the company's progress.
What's my experience with pricing, setup cost, and licensing?
Licensing is somewhat confusing, particularly when presenting our pitch decks to stakeholders and leveraging key features in premium SKUs, but we managed with some assistance from Microsoft.
What other advice do I have?
I rate Microsoft Defender XDR 10 out of 10.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Dec 17, 2024
IT Analyst at a tech company with 10,001+ employees
Loaded with features and is cheaper than competitors
Pros and Cons
- "The most valuable features are machine learning, AI, and auto-remediation of non-malicious alerts."
- "Troubleshooting in Microsoft 365 Defender can be inefficient."
What is our primary use case?
We use Microsoft 365 Defender to provide cybersecurity to our clients. Microsoft 365 Defender provides real-time alerts which I review and analyze for our clients.
We implemented Microsoft 365 Defender to mitigate the cybersecurity threats our clients were facing.
How has it helped my organization?
Microsoft 365 Defender is a valuable tool for our daily security operations. It provides us with a clear picture of security threats through its alert system, which identifies the origin of the attacks and correlates them with the MITRE ATT&CK framework.
It is user-friendly, loaded with features, and priced cheaper than the competitors.
Microsoft 365 Defender thwarts advanced attacks from spreading within our client's networks by utilizing the MITRE ATT&CK framework to recognize and categorize threats, then automatically taking steps to neutralize them.
Microsoft 365 Defender earns a rating of eight out of ten for its effectiveness in stopping attacks, which has demonstrably improved our security operations.
While Microsoft 365 Defender effectively stops attacks and adapts to new threats, human intervention is necessary for entirely new attack patterns. This is because the system relies on machine learning to identify threats based on past data, and completely new attack patterns wouldn't be recognized yet.
Microsoft 365 Defender enabled us to discontinue the use of other security products and helped save our security team time.
What is most valuable?
The most valuable features are machine learning, AI, and auto-remediation of non-malicious alerts. The onboarding and offboarding of devices are also seamless and the Windows Autopilot is helpful for our users.
What needs improvement?
Troubleshooting in Microsoft 365 Defender can be inefficient. Onboarding new devices with communication issues, for instance, requires using Veeam for log investigation and contacting Microsoft support, making the process time-consuming.
The current number of indicators of compromise provided by Microsoft is 15,000, but increasing this number would be beneficial for improving detection capabilities.
For how long have I used the solution?
I have been using Microsoft 365 Defender for one year.
What do I think about the stability of the solution?
I would rate the stability of Microsoft 365 Defender ten out of ten.
What do I think about the scalability of the solution?
I would rate the scalability of Microsoft 365 Defender ten out of ten.
How are customer service and support?
Microsoft 365 Defender's technical support team is responsive, offering timely solutions to help our clients resolve their security issues.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
In the past, we relied on both McAfee for antivirus protection and Cybereason Endpoint Detection & Response for advanced threat hunting, but we have since streamlined our security posture by consolidating these functions under Microsoft 365 Defender.
Microsoft 365 Defender is more user-friendly and flexible than Cybereason Endpoint Detection & Response.
How was the initial setup?
Deploying Microsoft 365 Defender is a manageable process for our team of three, who handle our roughly eight thousand servers on an ongoing basis.
What's my experience with pricing, setup cost, and licensing?
Microsoft 365 Defender offers competitive pricing. While purchasing an Azure subscription includes it in a bundled model, the standalone subscription cost for cloud storage and Defender itself remains reasonable, making it an affordable option compared to other security services.
What other advice do I have?
I would rate Microsoft 365 Defender nine out of ten.
It takes some time to see the benefits because it is a large tool with many features that keep changing.
Our clients are enterprise-level.
Maintenance is required.
I recommend Microsoft 365 Defender to others.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jun 17, 2024
Cybersecurity Manager at Dow
Decreases time spent on manual data aggregation by about 30 minutes per incident
Pros and Cons
- "The most valuable feature is probably the aggregation and correlation of the different telemetry points with Defender for Identity, Defender for Endpoint, and Defender for Cloud Apps. All of these various things are part of that portal. We've wanted that single pane of glass for years."
- "The advanced threat-hunting capabilities are phenomenal, and the security copilot enhances that, but some data elements could be better or have more context inside of the advanced tables themselves. The schemas feel a little limited to what they're building into the product. It's probably just a maturity thing. I imagine we'll see the features I want in the next year."
What is our primary use case?
I'm managing the SIEM, but the SIEM is heavily integrated with 365 Defender and all the other components. Defender is a natural extension of Sentinel, and our entire SOC team leverages the solution. We utilize it daily for everything related to incident response from an advanced threat-hunting perspective.
We do some KQL-based threat hunting and have set up some custom detections built into the platform, so we can raise an alert about a threat when we see it. Right now, we're onboarding our server environment to push Defender for server agents to see what that looks like.
Defender is used widely by our SOC for everyday investigations. Our attack surface reduction teams use it for vulnerability information. Other teams at the company use the telemetry data, but it's primarily our SOC using it for incident response.
How has it helped my organization?
Defender XDR has simplified our security operations because we don't need to shift around various portals. If I respond to an initial access event involving phishing emails, I can go to the endpoint and the user's identity in one console instead of having four or five different tabs open for multiple products.
Since adopting Defender XDR, we haven't consolidated anything because the corporate leadership purchased the E5 license with all of Microsoft's other security solutions. All of those are still in play, but some of Defender's features are creeping into other spaces where it could potentially replace some of their products.
It allows things like indicator blocking. You can block file caches now. You can block URLs, domains, etc. We might have handled that somewhere else with DNS and stuff like that. We might be blocking domains or adding different intelligence to handle that from the endpoint perspective so the threats are stopped before they get to the network. There are certain functions that Defender might not necessarily take over, but it can augment the entire approach to that security design. It could replace those solutions, but I'm not one to have all my eggs in one basket. However, that's not my decision to make.
Having everything in a single pane of glass saves some time, but it's hard to quantify. It reduces the time needed to respond. It correlates the data in a certain way that probably decreases time spent on manual data aggregation by about 30 minutes per incident. We can aggregate the logs from third-party solutions in Sentinel, run KQL queries there, and look at them together to make some assumptions. That's a significant time saving, but I don't think we're tracking that.
The way it gathers data is fundamentally different. It's all right here, and I don't need to do separate queries. I can look through the timeline and export the data to a CSV if I want to sift through the data. It likely reduces the time it takes to respond dramatically. One problem we have internally is that we can't deploy Defender for Endpoint on everything. I can't deploy it on many legacy OSes due to compatibility. It's challenging to address those things when you get so used to having all of this telemetry. When working through that, the advantages of using the platform become clear. It incentivizes us to stop using some of those assets because we can't see anything on them the same way that it gets represented in the M365D. We don't have direct telemetry ingestion into the cloud portal where we can collect logs from all those assets.
What is most valuable?
The most valuable feature is probably the aggregation and correlation of the different telemetry points with Defender for Identity, Defender for Endpoint, and Defender for Cloud Apps. All of these various things are part of that portal. We've wanted that single pane of glass for years.
We've become early adopters of almost all of the features that they offer through the portal, so we've become good at working through the leading-edge quality of the new features and deciding whether or not we want to implement something in production based on that. We have a close relationship with Microsoft's team, and they present us with opportunities to enable new features, but all of the training is done internally. We have a close-knit team structured between our level two, level three, and engineering teams. And so we'll come together and say, "Here's this new thing we can do with Defender for Identity. We can reset users' passwords on-prem through the portal." We'll discuss these things and whether to implement them, but it's just our team.
Defender provides unified identity and access management. There's probably some more granularity that could happen within the existing access control model. You can apply default labels for security admin and this or that. It depends on how you design it. A lot of our security admins can do at-will actions. We want them to be able to do anything else requiring an elevated set of privileges that allow you to design roles or stuff related to assets or identities.
You have an audit trail for who's doing what, which is great. I think they could make the roles more granular. That would be ideal. Integrated identity and access management capabilities are core to the solution because you don't want people to have too much access. You want to control it to a point. We need people to be able to do what they need to, but I don't want everyone to have domain privileges because they can log into a domain controller through the portal.
These are the kinds of things the portal lets you do, like the interactive sessions with Defender for Endpoint. However, I would like to see a just-in-time access approach that allows me to do something, and once I'm done with the action, it shuts off that capability.
Defender feels restricted to Microsoft products, but if we augment its capabilities with Sentinel, you can pull all your third-party data sources and everything into the SIEM. That immediately adds a different value to the product. Having some level of normalization on the data helps, but the ability to take data from third-party sources and correlate it with Microsoft sources is beneficial.
The solution stops the lateral movement of advanced threats like ransomware if you set it up correctly and are willing to accept the possibility of false positives on automated isolation, app restriction, etc. It entirely depends on what your team can do with rule tuning and use case detection.
Our team does customized detections entirely based on what's happening in our environment. We have direct tuning capabilities. We don't have an automated isolation-based task applied to out-of-the-box rules. That would be scary. We do our best to ensure false positives don't happen. If they do, we can control the outcome and make sure it can tune out the false positives.
Defender can stop attacks and evolving threats because it can correlate data and make assumptions based on it. If you feed it all of your data, it will do an incredible job. It's dependent on your environment, but I think it does an excellent job of detecting perceived threats. At the same time, you still need a human being to monitor and tune it.
What needs improvement?
The advanced threat-hunting capabilities are phenomenal, and the security copilot enhances that, but some data elements could be better or have more context inside of the advanced tables themselves. The schemas feel a little limited to what they're building into the product. It's probably just a maturity thing. I imagine we'll see the features I want in the next year.
Once you've onboarded your servers to Defender, they're housed on Azure. When those things are brought into the 365 Defender portal, I can see clearly that some of those are Azure resources. There is a subscription and the resource group. That data doesn't exist in the tables. We don't want to run automated remediation against our domain controllers, but you can't exclude those using Azure resource tags. You can't tell it to exclude assets from this resource group.
That data doesn't exist inside the tables you use to build your thresholds or custom protections. I could see where they could improve the data they present to you in the tables. I assume that it will come with time. There's so much happening. Every time I open the portal, there's a new feature.
For how long have I used the solution?
We have used Microsoft Defender XDR since earlier this year and, prior to this, the Microsoft 365 Defender solution. We were early adopters of the platform and of the changes to the different products being integrated.
How are customer service and support?
I rate Microsoft support seven out of 10. Sometimes, the support teams are great. However, sometimes we know more about the tool in some cases than the people we're talking to. We use it so heavily that our internal team has a better understanding of the toolset than the average SME should. We use it every day, so we live in the portal. I can't comment negatively or positively on the support. It depends. Sometimes, you might get somebody who knows what's going on, but in other cases, we have to figure out the solution on our own.
The worst thing I can think of is when we need to reclassify a domain that they've called incorrectly. In that situation, you send a request into the abyss. You never get a response, and it's like, okay, do I have to keep checking back over and over again to see if this has been reclassified?
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We've experimented with other providers at this point, like Carbon Black. I think Defender meets the enterprise-grade criteria for our needs, but there are some nuanced differences between the solutions.
I think it's hard to compare due to the sheer volume of the E5 ecosystem in one location. No other tools have that. If you bundle all the Microsoft solutions, it doesn't make sense to compare them to third-party solutions. Defender stands out in terms of gathering data and the way it presents everything in the incident timeline. The only thing it could do better is the filtering capabilities when you're pulling back the data from the timeline.
What's my experience with pricing, setup cost, and licensing?
Data is expensive if we want to leverage the telemetry that exists within the 365 ecosystem and bring that into Sentinel. I can't pipe that data in without paying an ingestion cost. I know how much data exists in each one of the tables that are there, and it would cost a significant amount of money to bring that in.
What other advice do I have?
I rate Microsoft Defender XDR 10 out of 10. I don't know of anybody else that's even remotely close to doing what they're doing. It's reduced my work in terms of identifying things. I might be in a position where I'm engineering, but I'm still technically on the response team. I'm using the tool the same way, and it has gotten better and better every time they add something new.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
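The review above describes custom detections with automated response actions and the problem of keeping domain controllers out of them when the advanced hunting tables do not expose Azure subscription or resource group. The following advanced hunting (KQL) query is an added example written for this page, not the reviewer's own rule. It assumes the domain controllers carry the registry device tag "DomainController" (set under the Defender for Endpoint DeviceTagging registry key) or sit in a device group named "Domain Controllers"; both names are assumptions. The detection itself (an Office application spawning a script interpreter) is a placeholder; the point is that the exclusion has to live in the query, because the actions attached to a custom detection rule (isolate, restrict app execution, run scan) apply to every device the query returns.

```kql
// Added example, not the reviewer's rule. Custom detection rules need
// Timestamp, ReportId and DeviceId in the result set to attach device actions.
// Assumed names: tag "DomainController", device group "Domain Controllers".
let ExcludedDevices =
    DeviceInfo
    | where Timestamp > ago(7d)
    | where RegistryDeviceTag == "DomainController"
         or MachineGroup == "Domain Controllers"
    | summarize by DeviceId;
DeviceProcessEvents
| where Timestamp > ago(1h)
// Office application as parent, script interpreter as child.
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
// Exclusion is evaluated here, before any response action can be attached.
| where DeviceId !in (ExcludedDevices)
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
```

Run the query in Advanced hunting first and check that no domain controller appears before saving it as a custom detection rule with an isolate or restrict action; the rule runs on its schedule with whatever the query returns, so an empty `ExcludedDevices` set (for example, a mistyped tag) silently removes the safeguard.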
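The pricing section above turns on knowing how much data each advanced hunting table holds before paying to ingest it into Sentinel. This query is an added example, not the reviewer's; it estimates rows per day and an approximate byte size for a set of tables over the last week. The table list is a choice, not a complete inventory, and `estimate_data_size` is a Kusto estimate of the projected columns rather than the figure Sentinel will bill.

```kql
// Added example: rough per-table volume before enabling the Defender XDR
// connector in Sentinel. Byte counts are estimates, not billed GB.
union withsource=TableName
    DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents,
    DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents,
    EmailEvents, EmailUrlInfo, IdentityLogonEvents, CloudAppEvents
| where Timestamp > ago(7d)
| summarize Rows = count(),
            Bytes = sum(estimate_data_size(*))
    by TableName, Day = bin(Timestamp, 1d)
| summarize AvgRowsPerDay = avg(Rows),
            MaxRowsPerDay = max(Rows),
            AvgGBPerDay   = round(avg(Bytes) / 1024.0 / 1024.0 / 1024.0, 2)
    by TableName
| order by AvgGBPerDay desc
```

Use the `MaxRowsPerDay` column, not the average, when checking whether a table will exceed a daily cap; the high-volume tables (`DeviceNetworkEvents`, `DeviceFileEvents`, `DeviceImageLoadEvents`) are the ones usually left out of the connector or filtered with a data collection rule.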
Stops the lateral movement of advanced attacks, saves our security team time, and extends security beyond Microsoft technologies
Pros and Cons
- "Microsoft Defender XDR is scalable."
- "One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions."
What is our primary use case?
For endpoint protection, monitoring network traffic, and enabling automation of issues, we utilize Microsoft Defender XDR. If we are specifically referring to Defender for Endpoint, it is a perfect solution to monitor user behavior and activities across all of our web portals. This provides an easy way to analyze and generate reports about user online activities.
How has it helped my organization?
Microsoft Defender XDR's security extends beyond Microsoft technologies and that is crucial for us.
Defender 365 stops the lateral movement of advanced attacks. An attack disruption would cause a lack of availability of our systems and corruption of data if there is a breach.
Microsoft Defender's ability to stop attacks includes an ability to adapt to evolving threats which is extremely important.
Microsoft Defender has enabled us to discontinue the use of a few different products. We consolidated our antivirus, web filtering, and EDR, and we had an endpoint monitoring tool that we now use Defender for.
Reducing the number of solutions we use has significantly impacted how our security team operates. This is because everything is now managed under one control and one tenant. This unified approach facilitates a natural integration with the various Microsoft products we rely on for collaboration, data storage, email communication, and other critical resources essential to our company's operations.
The discontinuation of many of our security products has reduced manual correlation.
Microsoft Defender has saved our security teams 20 percent of their time by providing a single console to manage everything.
It helps prioritize threats across our company. It is a product that I use every day. I go into the portal all the time. It is very crucial to my security strategy.
We use additional Microsoft solutions. Most of them are available with E3 or E5 packages, including governance and DLP tools. We have integrated most of the ones we are using. Doing so was not that easy but not that complicated. It requires a lot of knowledge. They work natively together for coordinated detection and response, which is a critical component of my endpoint strategy for security and control. Without that, I would have a huge gap and I would have to find a different product.
What is most valuable?
One of the aspects I use it most for is as a basic antivirus installed on endpoints.
What needs improvement?
One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions. It's unclear who makes these decisions, but simplicity would be a highly welcome change. A great way to achieve this simplicity would be to have built-in wizards within the products to help users accomplish tasks. This would eliminate the need to guess where to find the necessary options to enable or disable features.
The features I would like to see added to Defender are improved web filtering capabilities and a WAF service. However, I may be mistaken, and Microsoft may already offer a similar solution. I understand that our finance department rejected most of the Defender for Azure services due to their cost, but I lack the information to judge their expense myself. I believe that, as with the Azure environment itself, which was initially considered expensive but became increasingly popular over time, the Defender for Azure solution will also gain traction if its price becomes slightly more competitive.
When it comes to visibility into threats, 365 Defender is slightly complicated, and much more complicated than competitors like CrowdStrike. That's just the "Microsoft way" where everything is usually slightly more complicated. The interface is not clear.
Also, it is not clear when the system is offering a recommendation or just a way to validate something. It is not clear what will be automatically done and what you will have to do yourself.
For how long have I used the solution?
I have been using Microsoft Defender XDR for almost five years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
Scaling it is not easy and not complex. It's in between. With Microsoft, sometimes it feels like they hide the menus and you need to search for them with a magnifying glass.
How are customer service and support?
The quality of technical support I receive varies depending on the country from which it originates. Sometimes, I feel I possess greater technical knowledge than the support representative and find it more productive to research solutions online, such as through Google. Conversely, I find that teams based in Europe or the United States typically provide more professional and informative responses.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Previously, we used ESET, Cisco Umbrella, and JumpCloud for endpoint security, along with Cisco web filtering. I found Defender convenient due to its integration within our existing Office 365 environment. Since Office 365 is built on the Azure platform and integrates seamlessly with other Microsoft services like email, SharePoint, and others, it was more natural to use everything under the Office 365 umbrella rather than navigate to third-party solutions.
How was the initial setup?
Implementing Microsoft solutions has proven more complex than initially anticipated. Due to ongoing changes, the project remains in progress. Migrating from our previous third-party solutions and establishing full functionality required several weeks, potentially extending to three months.
What about the implementation team?
We hired One Pass, an American consulting firm, for our project. However, I am dissatisfied with the work they delivered. One Pass is a large company with too many people communicating with us simultaneously. We had difficulty speaking to the appropriate person because individuals either transferred us to other employees or were unavailable due to vacation.
What other advice do I have?
My advice is to read up on best practices so that you know what the best way to deploy it is. Otherwise, it will be a mess.
It is very effective as long as you don't need real-time information. For me, that's okay. When there is a need for real data, on the spot, which is not available from Defender, it is available in CrowdStrike. But for the way I run my business, it is okay.
In terms of a best-of-breed strategy rather than a single vendor’s security suite, I would go with a single suite.
I would rate Microsoft Defender XDR an eight out of ten.
Microsoft Defender XDR is deployed across our organization, encompassing multiple locations, departments, and continents. With approximately 200 international users, we rely on a team of four in-house administrators for security management. Additionally, we utilize the services of external companies for first-line support, who also handle specific tasks within our Microsoft 365 environment.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Admin at an insurance company with 1,001-5,000 employees
Provides the ability to run antivirus directly on the devices, isolate the devices, and apply restrictions
Pros and Cons
- "The 'Incidents and Alerts' tab is a valuable feature where we can find triggered alerts."
- "When discussing the secure score, which includes overviews and recommended actions, some of these recommended actions are not applicable to us, particularly those related to Microsoft Internet Explorer, which we do not use in any of our environments."
What is our primary use case?
My role is to monitor Microsoft 365 Defender. We investigate various alerts and incidents that occur there. We utilize the solution to block any malicious domains, URLs, or other harmful elements that could affect our environment. Microsoft 365 Defender is our tool of choice for this purpose, and it helps improve our secure score. We assess the available remediation options to determine if they are suitable for our enrollment. Additionally, we use it for email analysis and make use of all the features provided by Microsoft 365 Defender.
How has it helped my organization?
Microsoft 365 Defender offers excellent visibility into our environment. We have a dedicated team that focuses solely on handling threats. As for me, I mainly deal with the architectural aspects of the overall environment. However, we rely on Microsoft 365 Defender for threat detection, and in the future, we plan to implement Sentinel as well. The reason for choosing Sentinel is that its integration is much more compatible, as Microsoft does not send various logs for other third-party tools like QRadar or any other tool. Therefore, we have decided to move forward with Sentinel.
Microsoft 365 Defender assists in prioritizing threats across our organization by offering real-time threat analysis. However, it does not provide upcoming threat alerts, such as identifying vulnerable technologies for our environment. To secure them, we can access the security score and follow the recommended actions. The platform displays current metrics and trends.
We are currently in the process of integrating Microsoft Defender for cloud apps and Microsoft 365 Defender, with 80 percent completion. Both solutions work together to deliver coordinated detection and response across the environment. We have one unified dashboard to monitor and control both solutions from a single place.
To create a fully comprehensive threat protection environment, we will integrate Sentinel with Microsoft 365 Defender and Microsoft Defender for cloud apps. This integration will allow us to receive additional data related to threats that are currently not shared by Microsoft.
Microsoft 365 Defender is an excellent tool. It is compatible with Teams and Outlook, making it ideal for threat detection and mail security in a Windows environment, which is commonly used by many corporate entities.
Microsoft 365 Defender is helpful in automating routine tasks and identifying high-value alerts. The Microsoft dashboard facilitates the remediation of alerts by grouping alerts of the same kind, which is beneficial.
Microsoft 365 Defender helps reduce the number of dashboards we need to look at, but it does not completely eliminate them.
Microsoft 365 Defender has saved us time by consolidating many of our solutions into a single tool.
Microsoft 365 Defender helps reduce our MTTD, but Sentinel would help decrease our MTTD even further.
What is most valuable?
The 'Incidents and Alerts' tab is a valuable feature where we can find triggered alerts.
Microsoft Cloud App Security has now transitioned its alerts to 365 Defender. As a result, all alerts that were triggered in Microsoft Cloud App Security are now visible in Microsoft 365 Defender.
It is beneficial that we can search for any of the devices. If we choose any of the devices, it will display the alert, incident, and the entire timeline related to that particular device. These are the features covered, including the ability to run antivirus directly on the device, isolate the device, and apply restrictions. These are the positive aspects of the solution. The same applies to 'Identity' as well.
We can also investigate that router using email. The image represents the user's complete inbox. We can find out who the main users are, what the titles of the emails are, and how much malware we have received, including the number of phishing emails. We can see all this information in that explorer. Additionally, that thing is also beneficial.
What needs improvement?
There is a section titled 'Action and Submission.' When we submit any kind of share value for evaluation to Microsoft, they take a significant amount of time for the process.
When discussing the secure score, which includes overviews and recommended actions, some of these recommended actions are not applicable to us, particularly those related to Microsoft Internet Explorer, which we do not use in any of our environments. Nevertheless, there are instances where options to disable macros and various configurations appear, even though they shouldn't be present.
For how long have I used the solution?
I have been using Microsoft 365 Defender for two years.
What do I think about the stability of the solution?
Microsoft 365 Defender is stable.
What do I think about the scalability of the solution?
Microsoft 365 Defender is scalable. The solution can handle numerous endpoints, and as our user base grows, the number of endpoints automatically increases.
How are customer service and support?
Many times, the engineers assigned to our tickets are not very knowledgeable about the solutions and features.
How would you rate customer service and support?
Neutral
What other advice do I have?
I would rate Microsoft 365 Defender an eight out of ten. There are many rapid and independent changes happening each month or every other month, making it difficult to keep track of them.
I prefer adopting a best-of-breed strategy instead of relying on a single-vendor security suite. I have observed this approach being implemented in numerous organizations.
Microsoft 365 Defender surpasses most platforms available in the market in terms of advancement and offers extensive integration with other Microsoft solutions. I highly recommend this solution.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
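The reviewer above uses Explorer to see which users receive the most phishing and malware, what the subjects are, and which messages were caught only after delivery. The following advanced hunting query is an added example, not the reviewer's; it reproduces that view from the `EmailEvents` and `EmailPostDeliveryEvents` tables so it can be saved, scheduled, or turned into a custom detection. The 30-day window and the `take 50` limit are arbitrary choices.

```kql
// Added example: Explorer-style summary of inbound phish and malware per recipient,
// including messages delivered first and zapped later (missed, then flagged).
let PostDelivery =
    EmailPostDeliveryEvents
    | where Timestamp > ago(30d)
    | where ActionType in ("Phish ZAP", "Malware ZAP")
    | distinct NetworkMessageId, RecipientEmailAddress, ActionType;
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where ThreatTypes has_any ("Phish", "Malware")
| extend Category = iff(ThreatTypes has "Malware", "Malware", "Phish")
| join kind=leftouter PostDelivery on NetworkMessageId, RecipientEmailAddress
| summarize Messages   = count(),
            Delivered  = countif(DeliveryAction == "Delivered"),
            ZappedLate = countif(isnotempty(ActionType)),
            TopSenders = make_set(SenderFromDomain, 5),
            Subjects   = make_set(Subject, 5)
    by RecipientEmailAddress, Category
| order by Messages desc
| take 50
```

`Delivered` is the count that reached the inbox at filtering time; `ZappedLate` is the subset that zero-hour auto purge pulled back afterwards, which is the "initially missed, subsequently flagged" population. Recipients with a high `Delivered` count and a low `ZappedLate` count are the ones to look at first, since those messages were never removed.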
IT Manager at Mada Insurance
Is easy to deploy and helps save us money and time
Pros and Cons
- "The most valuable feature is the network security."
- "Since all of our databases are updated and located in the cloud, I would like additional support for this."
What is our primary use case?
We use Microsoft 365 Defender to protect our privacy.
How has it helped my organization?
Microsoft 365 Defender's XDR platform provides identity and access management which is important for our organization.
Microsoft 365 Defender's security extends beyond Microsoft technologies, which is important to our organization.
The multi-tenant management capabilities are easy and the support is 24/7.
It has helped save us approximately USD 1,000 per month.
Microsoft 365 Defender has helped save our security team time.
What is most valuable?
The most valuable feature is the network security.
What needs improvement?
Since all of our databases are updated and located in the cloud, I would like additional support for this.
For how long have I used the solution?
I have been using Microsoft 365 Defender for almost four years.
What do I think about the stability of the solution?
Microsoft 365 Defender is stable. The only downtimes are scheduled by Microsoft and we are provided with advanced notification to prepare.
What do I think about the scalability of the solution?
Microsoft 365 Defender is scalable.
How are customer service and support?
Technical support is one of the reasons we chose Microsoft 365 Defender.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment is easy. Microsoft 365 Defender is plug-and-play. The deployment takes a maximum of one day.
Which other solutions did I evaluate?
We also evaluated Kaspersky and Trellix XDR but found that Microsoft 365 Defender had additional features that met our needs and their support was better.
What other advice do I have?
I would rate Microsoft 365 Defender nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Product Categories
Extended Detection and Response (XDR), Endpoint Detection and Response (EDR), Microsoft Security Suite
Popular Comparisons
CrowdStrike Falcon
SentinelOne Singularity Complete
Cortex XDR by Palo Alto Networks
IBM Security QRadar
Elastic Security
Trellix Endpoint Security
Forescout Platform
Vectra AI
Trend Vision One
Rapid7 InsightIDR
Mandiant Advantage
Stellar Cyber Open XDR
Adlumin Cybersecurity