Microsoft Defender XDR Reviews

We are using Microsoft Defender for Office 365 for identity and email security, safe links, etc.

It works as an antivirus, and it also works for any behavioral issues in a particular machine. It protects all the applications from any vulnerability. It works in both ways. It works for vulnerability management and also for the EDR part. Earlier, we had Qualys for vulnerability management, but Microsoft Defender takes care of both. It provides information about how vulnerable a machine is, and it also takes care of the antivirus and behavioral issues in a particular machine due to some threats or any unwanted applications installed.

It helps us manage vulnerabilities. If there are any vulnerabilities in a machine due to a lack of patches or end-of-life software installed on the machine, it gives us the report. After seeing the report, we can fix those vulnerabilities by uninstalling the vulnerable applications or by patching them.

It takes care of the antivirus part. The signatures are constantly getting updated related to new viruses. It covers any identity-related issues or device-specific issues. It covers the MITRE framework. If any threat or risk is present in our environment, it takes care of that and then tells us that these are the issues that we need to work on. After we get the alerts, we do the investigation and remediation.

It provides unified identity and access management. You can create role-based access. You can create policies based on different risk levels. You can also trigger password resets. There are a lot of capabilities that are built in. You can also create conditional access (CA) policies. If any vulnerable application is installed on a device, you do not want that device to be connected to your network, you can create conditional access policies. It will first check whether the integrity of the device is as per your organization's requirements. If it is compliant, then only that device will be allowed to connect to your network. The same goes for identity. If MFA is enabled in your environment, the users will be allowed to connect only if their accounts have MFA enabled. Otherwise, the access is blocked. You can automate such things.

It is important that identity and access management are included in Microsoft Defender rather than needing an additional solution. Nowadays, you see a lot of phishing emails and unsecure links being forwarded to user accounts. In Microsoft Defender, we have secure links and safe links. Once enabled, if any malicious link is sent to a user account, when the user clicks on a link, it immediately checks whether it is safe to access. If it is found to be malicious, it is immediately blocked. If a user mistakenly clicks on a link, the risk state is changed automatically in the web portal. If you have a conditional policy in place, the access is blocked for that user. Even if the attackers have access, they will not be able to do anything. In today's scenario, it is pretty important to have these in place.

As of now, the integration part is pretty limited to Microsoft products. However, by using Sentinel, which is a SIEM solution, you can integrate other products.

It stops the lateral movement of advanced attacks like ransomware or business email compromise. You can create lateral movement policies, and you also can create high-risk users or high-risk devices. You can have customized policies for them. You can create different policies, and the alerts triggered from those devices or users are put into high severity so that you can take immediate action.

You get the telemetry of any attack observed by Microsoft Defender. You can see everything from the starting point till the remediation steps automatically taken by Microsoft Defender. The investigations can be found easily. They are pretty detailed. Everything is there in the portal.

It has the ability to adapt to evolving threats. Threat intelligence is embedded in the portal itself for new threats, technologies, ransomware, or malware. All the latest threats are automatically handled by Microsoft Defender. Remediation is also automatically available.

It saves time. There is automatic remediation, and there are playbooks that you can configure. You can automate the remediation steps that you have already tried on a particular machine. If you want to suppress some of the alerts, you can create suppression rules so that your team does not spend time investigating them. Playbooks, automatic remediation, and suppression of similar alerts save a lot of time.

Vulnerability management is valuable. We had a different product for vulnerability management. We were using Qualys for that, but after we got Microsoft Defender, we also got the vulnerability management part. It is embedded in the portal itself. We do not have to look into another solution or tool. We did not have to install any additional sensor which reduces the overhead and does not affect the machine's capability. With the same sensor, we get the vulnerability report and threat report. We also get to know any risks and issues related to malware and other things.

The portal is quite user-friendly. There is integration with Office, Intune, and other products from the same portal. From there, we can see which policies are installed on a particular machine. We also can manage devices, groups, and tagging. For a different set of teams or departments, we can create different device groups. Based on the teams and their work portfolio, we can create different policies. It is quite handy, whereas with the Qualys solution, the portal was quite cluttered. To find a particular option, we had to look at many options, whereas Microsoft Defender is quite user-friendly.

We are also getting all the reports by using the same sensor. It is light on the machines as well. It consumes less resources than other solutions available in the market.

It is evolving. We are seeing new advancements and integrations. They have integrated Copilot, so going forward, we can take the AI advantage. It will be quite easy for us to run any queries. These are the advantages that I see in Microsoft Defender in comparison to others.

The patching capability should be there. Patching is something that you cannot do even though you see the vulnerabilities present in your environment. For patching, you have to depend on another solution.

Other than that, there are still limitations in creating device groups. You can create tags, but these tags are based on limited options. There are only a few categories based on which you can create a tag or device group. If there are other conditions that you want to put, such as creating a group based on the application installed on a particular machine, you cannot do that. There are some shortcomings. Also, if you want to whitelist a particular application for a set of groups, you cannot do that. We had an incident where we wanted to whitelist a particular application that was getting blocked by Microsoft Defender, but we were not able to create those groups. We were not able to whitelist the application for some of the devices. We had to whitelist it for the whole environment, which we did not want to do.

It only has pre-built dashboards. You cannot create customized dashboards. They have a set of dashboards, but they are not customizable.

We can create reports using KQL, but it is hard to create customized reports using KQL. You get a CSV, but you need to use Power BI or another reporting product to create the report. The other products available in the market give you customized dashboards, customized reporting, and customized workflows. This is pending in Microsoft Defender.

I have been working with this solution for 1.5 years.

It is a Microsoft product. It is similar to any other Microsoft product in terms of stability. They do change the name and other functionalities, but it is pretty much similar to any other Microsoft product.

It is pretty scalable. It does not stop you anywhere.

I am working in an MNC. We have more than 6,000 people.

It depends upon the license that you have. They have a different set of licenses based on which you get support. It depends on the support packages you have purchased.

It is very easy to raise a request. They have a portal. From there, you can create a ticket by email or by chat. The response is based on the support package that you have. If you have premium support, you can get a response in minutes. 

In my previous organization, I worked with Palo Alto XDR. In this organization, we had McAfee, which is a signature-based solution. Microsoft Defender is more advanced than McAfee. It is EDR-based, whereas McAfree was signature-based. It was based on the signatures related to a particular threat or virus. It was handling threat prevention, but behavioral analysis and other functionalities that you see in EDRs were not there. We wanted to move to a behavioral-based antivirus solution. That is why we opted for Microsoft Defender.

Microsoft Defender also enabled us to discontinue the Qualys solution. It has many capabilities related to vulnerability management. They are available out of the box, but patching is something that is missing. For patching, you need to use Intune, whereas, in Qualys, you can also do patching, so patching is something that is missing in Microsoft Defender. However, Microsoft Defender is very good for the assessment of vulnerabilities.

You also get visibility of the devices that are still not onboarded to Microsoft Defender. You have something called Device Discovery in Microsoft Defender. Once enabled, you can get details of all the machines that still do not have Defender, whereas, in Qualys, you have to create customized or scheduled scans of your network. They then run on a periodic basis, but that is not the case with Microsoft Defender. It is on a real-time basis. The Microsoft Defender client continuously does the scanning, and you get visibility into all the machines on your network that still do not have Microsoft Defender onboarded. However, you cannot do patching with Microsoft Defender.

Microsoft Defender can save costs. Qualys is pretty expensive. Microsoft Defender does vulnerability management out of the box, so if you do not want to do patching and you have another solution for patching, you can save costs. It also has out-of-the-box functionality for identity protection.

It is deployed on a public cloud. If you do not have people in your team who know about this product, Microsoft can give you a vendor to help with deployment, creating the policies, etc.

Overall, it is pretty straightforward because Microsoft Defender is enabled on all Windows machines. All you need to do is to activate the sensor that is already installed. The installation process is not much, but if you want somebody to help you, Microsoft can help you with a list of vendors at a particular location. The vendor can help you with configuring the policies and activating different licenses.

Documentation is available on the Microsoft portal to help you create policies and go forward as per your environment.

We took help from somebody for implementation.

It does not require a lot of people because it is a cloud solution and the sensor is already available in the machine itself. It does not require a lot of manpower to get started with Microsoft Defender and do a migration. However, it also depends on how big your organization is. If it is an MNC with a presence in multiple countries, you might need at least one person per region. If any hands-on support is required on a client machine, you can do troubleshooting remotely or provide on-site support. If you have only one site, you do not need much manpower. A single person can do it.

Its maintenance is similar to any other solution. If you are changing any policy, you have to test them before putting them into production. Apart from that, it does not require anything. The Defender updates are automatically available. You can push them through your patching solution. Its maintenance is not hard.

Every organization has different requirements. In my previous organization, we opted for Palo Alto even though we had Defender and CrowdStrike. CrowdStrike is also a best-in-class solution, but we opted for Palo Alto because it was giving something that was a requirement. In that organization, we also wanted to do some management. We wanted to run some scripts through our XDR solution. CrowdStrike had some limitations. We also wanted to do a console login for a particular machine. CrowdStrike gave that functionality, but it was pretty limited, whereas, in Palo Alto, it was limitless. We could straightaway see the files present on a machine by using the console view. We could run a different set of queries. It did not matter whether we were running a PowerShell script, a Python script, or any other language script because the compiler was embedded in the sensor. Palo Alto met the needs of that company. For the use cases, it was the best fit.

In my current organization, the use cases are different. We only wanted an EDR solution. Also, because most of the products in our environment are from Microsoft, the integration with them was pretty easy. That is why we opted for Microsoft Defender. An organization should look at its use cases and then decide on an EDR/XDR solution.

Comparing Microsoft Defender's EDR capabilities with other solutions, I would recommend going for another solution available in the market. I would rate it a 6 out of 10 because there are a lot of things that are available in other solutions, such as doing a remote of a particular machine and running other language scripts. Other solutions are also better in terms of the isolation of a particular device, removal from the isolation, and granularity of security control. I am not comparing it with others for vulnerability management because Palo Alto or CrowdStrike do not do that. If there are any vulnerabilities and you want to fix them, you have to do all the work.

We use Microsoft 365 Defender to provide cybersecurity to our clients. Microsoft 365 Defender provides real-time alerts which I review and analyze for our clients.

We implemented Microsoft 365 Defender to mitigate the cybersecurity threats our clients were facing. 

Microsoft 365 Defender is a valuable tool for our daily security operations. It provides us with a clear picture of security threats through its alert system, which identifies the origin of the attacks and correlates them with the MITRE ATT&CK framework.

It is user-friendly, loaded with features, and priced cheaper than the competitors.

Microsoft 365 Defender thwarts advanced attacks from spreading within our client's networks by utilizing the MITRE ATT&CK framework to recognize and categorize threats, then automatically taking steps to neutralize them.

Microsoft 365 Defender earns a rating of eight out of ten for its effectiveness in stopping attacks, which has demonstrably improved our security operations.

While Microsoft 365 Defender effectively stops attacks and adapts to new threats, human intervention is necessary for entirely new attack patterns. This is because the system relies on machine learning to identify threats based on past data, and completely new attack patterns wouldn't be recognized yet.

Microsoft 365 Defender enabled us to discontinue the use of other security products and helped save our security team time.

The most valuable features are machine learning, AI, and auto-remediation of non-malicious alerts. The onboarding and offboarding of devices are also seamless and the Windows Autopilot is helpful for our users.

Troubleshooting in Microsoft 365 Defender can be inefficient. Onboarding new devices with communication issues, for instance, requires using Veeam for log investigation and contacting Microsoft support, making the process time-consuming.

The current number of indicators of compromise provided by Microsoft is 15,000, but increasing this number would be beneficial for improving detection capabilities.

I have been using Microsoft 365 Defender for one year.

I would rate the stability of Microsoft 365 Defender ten out of ten.

I would rate the scalability of Microsoft 365 Defender ten out of ten.

Microsoft 365 Defender's technical support team is responsive, offering timely solutions to help our clients resolve their security issues.

Positive

In the past, we relied on both McAfee for antivirus protection and Cybereason Endpoint Detection & Response for advanced threat hunting, but we have since streamlined our security posture by consolidating these functions under Microsoft 365 Defender.

Microsoft 365 Defender is more user-friendly and flexible than Cybereason Endpoint Detection & Response.

Deploying Microsoft 365 Defender is a manageable process for our team of three, who handle our roughly eight thousand servers on an ongoing basis.

Microsoft 365 Defender offers competitive pricing. While purchasing an Azure subscription includes it in a bundled model, the standalone subscription cost for cloud storage and Defender itself remains reasonable, making it an affordable option compared to other security services.

I would rate Microsoft 365 Defender nine out of ten.

It takes some time to see the benefits because it is a large tool with many features that keep changing.

Our clients are enterprise-level.

Maintenance is required.

I recommend Microsoft 365 Defender to others.

Microsoft Defender XDR is our antivirus solution.

Microsoft Defender XDR provides a unified identity and access management platform.

It does a good job with identity protection.

Including identity and access management within Defender XDR is valuable because it streamlines our organization's security by consolidating multiple tools into one. This eliminates the need to manage and pay for separate solutions and licenses, simplifying our security posture.

Microsoft Defender XDR has improved our visibility, making us more efficient by providing threat details and remediation steps as well as improving our security posture.

It safeguards our organization by preventing advanced threats like ransomware and business email compromise, along with stopping lateral movement within our network that could enable attackers to spread and gain wider access.

It includes the ability to stop attacks and adapt to evolving threats. This is an important feature for us.

We have been enabled to discontinue using Microsoft Sentinel.

Microsoft Defender XDR helps save costs through the licensing for businesses which is around $20 each and helps save time for our security team.

The ability to isolate and address viruses is the most valuable feature of Microsoft Defender XDR.

Just like in any solution, the price can always be cheaper.

I have been using Microsoft Defender XDR for three months.

Microsoft Defender XDR is stable. It has been running smoothly for us.

The support has been perfect.

Positive

To consolidate our security tools and avoid additional costs for a separate EDR solution, we leveraged our existing Microsoft Sentinel license to migrate to Microsoft Defender XDR, which already includes EDR capabilities.

Our initial deployment of Defender XDR onto machines was simple. Onboarding a machine involves configuring settings within Intune for our tenant, allowing Defender XDR to communicate and collect data. The entire deployment process took only two hours and required just one person.

The implementation was completed in-house.

I would rate Microsoft Defender XDR ten out of ten.

No maintenance is required.

I recommend Microsoft Defender XDR for small businesses like ours.

Microsoft 365 Defender is used for our threat policies, configuration, and security protection.

The current level of threat visibility is good.

Microsoft 365 Defender helps prioritize threats across our enterprise which is important for our organization.

The mail component within our organization is the most critical part and Microsoft 365 Defender plays a big part in protecting that component. 

We have integrated Microsoft 365 Defender with Defender for Cloud, and Sentinel. Integrating the solution with Defender for Cloud is easy. 

The integrated solutions work natively together to deliver a coordinated detection and response across our environment which is important for our organization.

The comprehensiveness of the threat-protection that Microsoft products provide is good.

The bidirectional sync capability of Defender for Cloud is important for our organization.

The bidirectional sync of Defender for Cloud helps us secure our network.

Microsoft Sentinel allows us to investigate data from our entire ecosystem.

The ingestion of data to our security operations is critical and Sentinel does a better job than the other solutions we tried.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place which is important for us.

The built-in UEBA and threat intelligence capabilities are good.

Microsoft 365 Defender helps our organization by detecting false positives.

Our Microsoft security solutions help automated to retain tasks and help automate the finding of high-value alerts.

The automation has helped us with our playbook.

The solution has helped eliminate multiple dashboards by providing one XDR dashboard.

Having one XDR dashboard allows us to react to threats faster.

Microsoft 365 Defender's threat intelligence helps us prepare proactively for potential threats before they hit.

Microsoft 365 Defender has saved us between one and three months of time.

Microsoft 365 Defender has saved us time to detect and respond.

We have saved a significant amount of money with the implementation of Microsoft 365 Defender. Prior to using this solution, we encountered costly incidents.

All of the security components are valuable including, antiphishing, antispam, and stage three antivirus.

Additional visibility into log analytics would be beneficial. For instance, if an attachment was affected by malware, it would be helpful if Microsoft 365 Defender could provide more specific details about the origin of that particular malware, such as where it originated from. Any additional information in this regard would be greatly appreciated.

The integration of Microsoft 365 Defender with Sentinel is a bit complex when integrating custom connectors.

The cost of using Microsoft Sentinel is dependent on the size of the data the solution will ingest. I would like Microsoft to provide proper guidance on the sizing so we know what we will be spending.

Technical support has a lot of room for improvement. The support team is not competent or responsive.

I have been using the solution for one year.

Microsoft 365 Defender is stable.

Microsoft 365 Defender is scalable.

The quality of technical support we receive is poor. We encounter difficulties while dealing with the support team, even for critical incidents. Moreover, we always receive a response from the same engineer. However, they are not cooperative in using Microsoft Teams or joining a call with our clients.

Negative

The initial setup is straightforward. The deployment was completed by two people and required seven to eight days.

The implementation was completed in-house.

The licensing fee for Microsoft 365 Defender is fair.

I give the solution a seven out of ten.

The solution is deployed across multiple locations.

We have 5,000 users.

We have three administrators for the solution.

When an organization is already using other Microsoft solutions it is best to use Microsoft 365 Defender because of the seamless integration.

Microsoft 365 Defender is not difficult to implement and can be utilized by anyone.

At FileVine, we provide case management software for attorneys, so we have considerable SOC 2 compliance requirements. We need more than a firewall; we also need a solution that helps us upkeep and manage devices, laptops, etc. 365 Defender fulfills these requirements, and SOC 2 compliance is our primary use case.

We're a hybrid company using both Macs and Dells, deployed across multiple regions.

The solution helps us improve compliance regarding end users installing updates. It clarifies which users need to update and how they can go into Terminal or PowerShell to perform that process. We don't have to waste time looking for what needs to be done, which is a useful functionality. The product automatically informs us of high and low priorities, which is great; it allows us to deal with the most significant priorities first.

365 Defender helps us automate routine tasks, and we get updated daily. We can integrate Splunk to see what's going on and what needs to be updated. Automation significantly impacts our security operations; it feels like we have a vault around us that nobody can breach.  

The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update.

The visibility into threats provided by the solution is excellent. When a threat triggers a response based on our set rules, it's stopped, and we are notified via email. We can then analyze the threat and make a decision; this entire process is straightforward and user-friendly. 

The product helps us prioritize threats across the enterprise, especially in the legal domain. It is very valuable, and one of the reasons we have been so successful at Filevine is the security measures we have in place. We use many tools, one of them being Microsoft 365 Defender, which significantly contributes to our IT team and company's success.   

Our integration of multiple solutions helps to deliver a coordinated detection and response in our environment. We integrate with Zscalar, which is very easy and manageable. We thought it might be difficult, but it works very well. Much like a car, our security system is composed of many moving parts working together, which helps us move forwards as a company and thrive in a relatively challenging economic time. 

The comprehensiveness of the threat protection provided by using multiple Microsoft security products is excellent. It's a simple system; we have incoming and outgoing traffic rules. When a rule is triggered, we are notified by email to look over the situation. For example, we can see viruses and malicious actors attempting to breach our security and respond by blacklisting the IP address. Sometimes, we gather information and pass it on to the FBI, as we have many SOC 2 clients.

365 Defender helped eliminate multiple dashboards, which is great because I like to be as minimalistic as possible regarding dashboards. Now, I only have to look at one or two at most, simplifying the security landscape, and I love that about the tool.  

The solution's threat intelligence helps us prepare for potential threats before they hit; most recently, we were protected from the August 2022 Apple hack. We had measures in place, so none of our devices were affected. We were spared any data compromise, and it's an excellent example of why we invest in security solutions. It builds our confidence and strengthens our case with the higher-ups for increasing and maintaining our cybersecurity budget. 

The product certainly saves us time. We trust in the protection and can focus on different projects, including automation, so we don't have to spend time dealing with issues and security breaches. I'd say we save four or five hours a week.  

365 Defender saves us a lot of money because we don't have to recover data or hire outside lawyers to help us with legal trouble. We don't need to invest in physical products or external security teams and solutions. We can keep our security operation within the company, so all our money is invested in people who care about our product and business.  

The solution quickly notifies us when a threat is detected, increasing our response speed. Other products I used in the past sometimes had significant delays with notifications, which is far from ideal when dealing with potential security threats. 

Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed.

I have been using the solution for a few years. 

The solution is very stable with low latency. 

The product is highly scalable, which is fantastic because we have been expanding significantly. It's up and running and good to go very quickly, which has been excellent for our expansion in Florida, New York, Maine, and Canada.

I have yet to contact support. One thing that helps in this regard is that I have an AZ-900 handbook with Microsoft fundamentals. 

365 Defender was already in place when I was brought into the company, but they previously used Jamf Protect. They switched because it cost too much and wasn't fulfilling the requirements. It didn't perform as well as 365.

I can't speak to the setup as the solution was in place when I arrived at the company. However, 365 Defender is one of the most lightweight tools we use in terms of maintenance. We keep it up to date, and it works very well.

I would say the solution gives us a significant ROI, especially considering the issues in the industry recently. Russia and China hacked many companies, but we never had that problem, and that's a lot of money saved for us. That's not entirely because of 365 Defender, but also thanks to our excellent security team and the robust toolset at our disposal to protect our operation.

The solution is affordable, and we haven't been hit with any hidden costs. The subscription model is straightforward, and it's easy to understand how much additional features cost. If we need to cancel a license or feature, we do that well in advance to avoid being charged for it, but overall, the pricing and licensing are simple and easy.

I would rate the solution an eight out of ten. 

We use multiple Microsoft security products, including Defender for Endpoint, MFA as a standard on all work laptops and computers, and Endpoint Manager. We use additional tools to protect the Mac side of our operation. We use Microsoft Intune, some other MDMs, and some other assets from Defender for Cloud, and for cloud security, we use GCP, Azure, and AWS. 

Many of these products are integrated, and the integration was relatively straightforward. It was somewhat time-consuming as we previously used Jamf Protect for a long time, so switching our entire infrastructure over to the new products took some time.   

I've mainly used the EDR component within 365 Defender, which is Microsoft Defender for Endpoint. It does a good job of bringing the whole attack story together, so you can see email activity, endpoint activity, cloud app activity, and some sort of sign-in activity as well relating to Azure AD, but I've mainly dealt with it from the EDR aspect.

It definitely improved visibility when I dealt with this solution, but the main benefit is the advanced hunting because it allows you to uncover threats that you didn't realize were there, or they weren't alerted because you were looking for specific behavior. The custom detection and linking to that is something quite cool because if you know there's a behavior, you want to keep an eye out for it. For example, it might be linked to a recent threat, so you can set up that detection query, and as soon as it finds a result, it will flag an alert. That has definitely helped to be more proactive and a bit more ahead of the curve with attacks. So, it improves visibility and also helps with being proactive.

It helps to prioritize threats across the enterprise. It does assign severity to a threat, but it also gives you an overview at a glance. If you know that your organization is susceptible to certain major threats, those are the ones you probably want to pick up on. With the severity and alerts, it gives you an idea of which is the most pressing incident. If you've got one with just one alert, that's a medium, but if you've got one with five highs. You're probably going to focus on the high one. That helps to prioritize.

It helps automate routine tasks and the finding of high-value alerts to a degree. You can have certain actions where if an event starts on the endpoint, it automatically isolates that. If it occurs, for example, on the email, then you can automatically purge it. It helps with the routine tasks that people would have to manually do in the portal. With automation, it takes care of it automatically if an alert fires. It improves efficiency because, after hours, there might be no one there available to isolate a machine. This way, as soon as the alert fires, that machine is isolated, and the next morning or the next working day, an analyst can go in and see that this alert fired and the endpoint has been isolated. That definitely helps from a coverage perspective when people are unavailable because those actions occur without anyone being present.

It has absolutely helped eliminate having to look at multiple dashboards and have one XDR dashboard. I've got three years of experience. At the start, we had all the individual portals for cloud app security, endpoints, Office, etc. The whole point of 365 is to unify, and they've done a good job. The different components are broken out into sections on the left-hand side, and you can very easily click through them and navigate them. It eliminates the need for multiple tabs and dashboards. It has definitely helped with what they were aiming for, which is to have a single pane of glass view.

It has saved us time by not having multiple dashboards. We don't need to open multiple portals and sign in to them. It definitely saves time there and also in understanding the true story of an attack. It has definitely helped in terms of efficiency. It's hard to quantify the time savings because I'm not using it now, but from what I remember, it saved at least 20% to 25% time just because it does a good job of giving you the information. You can glance at the key information that you need, and then it gives some details, and then you go to other places externally to investigate further.

The threat analytics give you a report on what Microsoft has seen in the world. What I like about those is that they will show you if that's actively impacting your environment at the moment or likely to. For example, if there are vulnerabilities that are being exposed, it tells you whether you're vulnerable or not, so you can protect against them before they are here. One thing I do like is that they also give you advanced hunting queries, so you can look for the behavior associated with those threats and make sure that you've got your coverage in place. I wouldn't necessarily call it threat intelligence. It's more of threat analytics and reporting that they provide.

I'm not aware of whether it saved any money in any of my previous roles, but a lot of organizations have the E5 security license, and they don't realize it. They have third-party vendors doing their email security, endpoint security, and so on, but holistically, Microsoft's E5 license gives you all of those capabilities, and it would also be cheaper than paying multiple vendors.

It decreases your time to detect and time to respond. It does a good job. It has the auto investigation ability so it can automatically detect threats. When you build custom detections, you can have automated response actions. Those two together help you with the mean time to remediate and the mean time to resolve. The information at a glance easily lets you see if it's a false positive or something that you know in your environment, and it's gonna be non-malicious. You can glance over and dismiss those alerts, and you could potentially be setting up suppression so that you don't get notified about them in the future. All in all, it helps you to improve your remediation. The time reduction depends on the scenario. Sometimes, you can instantly see false positives that would decrease your time by 85%. On the whole, there is about 35% to 40% time savings because of the way it correlates with the signals and gives you quick ways to remediate them.

For me, the advanced hunting capabilities have been really great. It allowed querying the dataset with their own language, which is KQL or Kusto Query Language. That has allowed me to get much more insight into the events that have occurred. The whole power of 365 Defender is that you can get the whole story. It allows you to query an email-based activity and then correlate it with an endpoint-based activity. The advanced hunting capabilities have definitely been one of my favorite features.

The way the incidents are put together is also good. It can intelligently correlate activities from email to endpoint, and then you can visually see it in the timeline view or graph view. It does a good job of presenting that incident to you, and it's easy to navigate between it and then pivot to some actions as well.

For some scenarios, it provides good visibility into threats, and for some scenarios, it doesn't. For example, sometimes the URLs within the emails have destinations, and you do get a screenshot and all further details, but it's not always the case. It would be good if they did a better job of enabling that for all the emails that they identified as malicious. When you get an email threat, you can go into the email and see more details, but the URL destination feature doesn't always show you a screenshot of the URL in that email. It also doesn't always give you the characteristics relating to that URL. It would be quite good if the information is complete where it says that we identified this URL, and this is what it looks like. There should be some threat intel about it. It should give you more details.

One other limitation is with cloud-based events. Sometimes, you don't get enough details in the alert. You have to go to other portals to then complete the story or do your own research, ask the user, etc. 

The other one is that with Defender for Endpoint, the attack story is quite good in terms of queries and things like that, but sometimes, multiple events for the same thing are captured, and it's not summarized in a good way. You have to open each entry to see what that partial syntax is. It'll be good if it said that this specific partial syntax was seen fifteen times, and maybe it's something to pay attention to. They could also do some sort of pattern matching. There could be some sort of pattern matching where it says that this is the attack trying to do some enumeration or reconnaissance activities. 

I've been using it for over three years.

There are some times when it does have downtime or service outages. They do a good job of updating the service status page to let you know about that, but there have also been misclassifications, for example, for Chrome updates, generating malicious alerts and things like that. On the whole, it's quite stable.

There are sometimes when it can freeze up or not present the data that you want. It gives you data unavailable or other errors, but, usually, these are quite quickly resolved. Sometimes, it's just to do with a particular instance, but sometimes, there can be wider outages. You just have to pay attention to the service status page or raise a support case and then be notified when that's resolved. On the whole, it's fairly stable.

Because it's built on the cloud and for the cloud, it does scale quite well. However, one area where it can be a challenge is when you use the Kusto Query Language for event hunting. Sometimes, if you do quite a generic search across, for example, thirty days of data, it gives you processing errors and limitations. I guess Microsoft does that for two reasons. One, to keep the cost down on their side, and two, from a performance standpoint. That is a bit of a limitation of scaling because if you want to do generic sessions across thirty days, you're not able to, but the idea is that you should be able to filter and granularly restrict conditions to get exactly the events you want. However, it would be nice if you were able to search more widely and if the solution could scale to support that, whereas, currently, it doesn't seem to, but that's not the use case they might have had in mind.

It depends. With some clients, we've had the fast-track option, whereas, with some clients, we just had to raise support cases. Usually, when you raise support cases, you're not going through an SME, so there is a bit of basic troubleshooting and things like that. With the fast-track option, you directly get through to someone who understands security, and you can explain the issue. They understand the issue, and you can get a much quicker response. So, the fast-track option is the one where I've had better success. The normal support can sometimes be a bit drawn. There could be a lot of back and forth about not relevant things just because they're not security trained, so they're trying to understand and then help you. 

It has been a mixed experience. Overall, I would rate them a seven out of ten because there have been some gaps, and there have been some successes, especially through the fast-track program.

Neutral

We didn't have anything that was overarching and correlated all the different signals. We had different products. We had a different product for email security or a different product for the endpoint. I might be wrong here, but I don't think there's another tool that brings those aspects together as well as 365 Defender does.

From what I went through in various roles, it was mostly in the cloud. Defender for Endpoint is a cloud-based solution. In fact, most Defender solutions are now based on the cloud. The only exception is if you've got Defender for Identity. For one of our engagements, I did deal with that, so it was a mixture. Apart from Defender for Identity, all the other solutions have been on the cloud.

In one of my roles prior to my current one, I was doing onboarding for a client with Defender for Endpoint. I was getting them onto it and migrating from McAfee. I was involved in the setup, coordinating the groups and the roles, and things like that. In all the other roles, the tool was already in place. It was just about maturing it and getting hands-on.

The setup was quite complex. Microsoft Docs guide you, but there were a few gaps that I had to fill in. One example is onboarding with group policy. Microsoft does lay all the steps on the docs page, but it doesn't give you screenshots. It doesn't give you things to look out for. It doesn't give you logs that would correlate to those events and things like that. I had to put things together using external sources, such as YouTube or just Google search. On the whole, it was very okay to follow, but it just didn't have that depth. What I produced for that client was a step-by-step coding guide with screenshots that they could give to the infrastructure team to get them on board. We had a good success rate that way, whereas if I had just sent them the Microsoft Docs link, I'm sure they would have had a few more questions.

That was the only use case I had experienced initial-setup-wise. The onboarding for group policy took maybe a month or two just because we had quite a big setup. We had different groups to roll it out to. We rolled it out to pilot devices, then 10 or 20 devices, then 100, and so on. It took about a month or two.

In terms of maintenance, from the service side, you rely on Microsoft to make sure it's available, secure, and things like that. Sometimes, you get downtime, and sometimes, you get bugs. For example, last year, a Chrome update was misclassified as malicious, which caused all the alerts. You then have to raise support cases to find out what happened. Eventually, Microsoft releases a fix, so in terms of maintenance, it's more on them. The only thing from your side is making sure, for example, the roles are still relevant. If someone who has access leaves, you need to make sure that their role is revoked. You need to make sure that you've got your role set up for the least privilege and things like that on an ongoing basis because there may be certain new features in the portal that have a corresponding role assignment. If you don't have that enabled or configured, then you're not going to get that benefit. That's the only thing needed from the maintenance perspective. You just need to make sure your roles are regularly reviewed and optimized when needed.

All I can say again is the E5 gives you all the capabilities that it offers. It also gives Office 365 and one terabyte of storage. All in all, the E5 license model makes sense. There are some people who say it's quite costly, but rather than paying different vendors, it makes sense to go all in with Microsoft if you've got that licensing. From that perspective, it's cost-effective, but I can't comment much on that.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that I'm slightly biased because I'm such a fan of the Microsoft suite. Some people do say that you shouldn't put eggs into one basket, and you're giving a lot of control to Microsoft and things like that. I would advise evaluating based on your needs. For example, for your endpoints, you might see much better value in CrowdStrike, Tanium, or something like that as compared to Defender for Endpoint.

You can do PoCs. Microsoft makes it quite easy. You can have the trials and things like that. You can play around and see which one supports your environment. I wouldn't say Microsoft is necessarily the option for all organizations, but I do think it's a very compelling offer. They're constantly evolving the product. They pay a lot of attention to consumer feedback. They've enterprise feedback as well to improve the product. I wouldn't completely rule out either option. If you've got one that's tried and tested for your enterprise, and that's a third party, you can see what Microsoft can offer. If it just doesn't match up, then stick to what you have even if it costs more because all in all, you may have tried and tested processes. You may have an investment in that product, and it may just have capabilities that the Microsoft one doesn't have. I would also encourage you to add a feature request for the Microsoft one, and then they'll be more on the equal side.

I would advise doing a PoC. If you are using Carbon Black, CrowdStrike, or Titanium, evaluate it. Have a sample host or spin up some VMs or onboard them to Defender. Do some simulations and do some attacks that you think are likely going to be. See how the logs look, see the investigation processes, and do a gap analysis with your current solution. If it brings you any value, then potentially look to deploy it further. Don't just go all in without understanding what it does. If you don't have any security solution right now, and you are a small business or a local business, it's worth doing the trial and seeing what value you get from the trial because, in that situation, you don't have anything to compare to. You are an easy customer to onboard from Microsoft's perspective because you wouldn't be that complex. So, do a trial and then go from there.

I would rate it an eight out of ten overall. I do really like the product. I do like the fact that it combines all the alerts into one. I remember when I was a security analyst back in 2019, I had to open multiple tabs and close alerts in one portal and then the other portal. They've done a good job of bi-directional syncing of alerts. If you're closing in 365 Defender, it'll close in the MCAS portal or cloud apps. Overall, the biggest thing for me was just advanced hunting capability because previously, it wasn't possible to get those cloud app events or Defender for Office events to do hunting. Endpoint was the first one to have that hunting capability, and I'm glad that they've extended that to the other stacks. So, overall, I would give it an eight, and I'm really impressed.

We implement it on client endpoints and server endpoints. We also integrate it with Microsoft Entra ID for the identity part because the security part of Microsoft Defender is completely correlated to user activity.

Microsoft Defender XDR is important for the mitigation of threats, visibility of vulnerabilities, and identification of issues within the environment. It has been a leader in the market for consecutive years.

We have a single pane of glass for servers, endpoints, and mobile devices. It makes it very easy to identify which devices are at risk when you go to the vulnerability part. There are also recommendations. Especially for me, these recommendations are gold. You see exactly what you need. Microsoft Defender XDR is completely different from your antivirus solution. It detects based not only on signatures but also on the policies, so you are forced to harden your servers or client endpoints, which makes a much stronger solution.

Being a Microsoft solution, it integrates well with other Microsoft systems. The majority of the systems are Microsoft-based. This integration comes without the need to install a client on the local machine. It makes the life of the operators and whoever implements it way easier.

Microsoft has a range of Defender products. There is Defender XDR, Defender for Endpoint for clients and servers, and Defender for Office 365 which protects mailboxes, SharePoint, and OneDrive. Then you have Defender for Identity, which is integrated with Defender XDR. You also have Defender for Cloud Apps that is connected to Defender XDR. When integrated, you can get sources of threats, for example, from Defender for Identity connected directly on the endpoint. Defender for XDR protects the endpoint devices against ransomware and different threats. We need to see more holistically at all the Defender solutions instead of isolating them. There is an element of correlation of identity. For me, nowadays, it is much more important to protect the identity than the endpoint device itself because the majority of the vectors are coming from identity attacks. They are more than the viruses attacking the endpoints.

I do not have much experience with Linux as such. I am very focused on Microsoft solutions. I never focused on Linux, but I have worked with my peers, for example, on projects to enroll Linux devices. We needed to prepare simple scripts or puppet scripts to automate the process of pushing policies and automate the update of the antivirus. It is trickier. It is more complex to manage because of the nature of Linux itself. It is not as straightforward or integrated as Microsoft solutions, such as Microsoft Windows 11 or Windows Server, but Microsoft Defender still covers everything. There are some limitations regarding Linux servers and endpoints because you need to have the version of Linux that is supported by Defender, but at the same time, with whatever is supported, Microsoft Defender does the job. Linux and Windows operating systems work in different ways, and the way that antivirus interacts with the operating system is completely different. There is role-based access control in Windows. You have local administrators and domain administrators. On Azure, you define roles for users to access certain environments. On Linux, you have the root user, and as a core front operation system embedded in it, you do not have the least privileged access management solution. This comes with a price because you need to control much better to whom you give access. SSH keys, for example, are very important to be protected, which is a different protocol than the Remote Desktop Protocol (RDP). You need to protect Linux servers in different ways, which is very different from Windows. Defender or Defender XDR extends the protection, especially when you need to connect with Azure Ark, which is part of Microsoft services.

Microsoft Defender XDR has consolidated security solutions. Previously, you had an antivirus, and you had a different type of endpoint protection for servers, and then you had a web content filtering solution, which is part of Microsoft Defender XDR. It consolidates all the extra products that you require, but it does not give all the elements. It is not a firewall. It is not a web application firewall (WAF). It does not give you everything required as a security solution, but as an extended detection and response system, it gives a lot of leeway for you to meet your security objectives. If we compare it with other products, Defender XDR is much more complete than the competition.

The integration, visibility, vulnerability management, and device identification are valuable. You can automatically deploy the clients depending on how you are implementing the solution. 

The web filtering solution needs to be improved because currently, it is very simple. It is very important.

Integrations with Linux should be done in a better way. With the AI world and the security part, things are going to be much simpler and easier to set up, configure, deploy, and maintain. I am looking forward to new releases of Microsoft Defender XDR to have better integrations, but the web filtering solution is the main pain point.

I have been working with Microsoft Defender since it was released. It has been about four years. I started working with it when it was not even called Defender. It was Advanced Threat Protection. It then changed to Defender for Endpoints and then to Defender XDR.

I have not experienced many bugs or issues. Sometimes, you have delays in the response, but that is due to connectivity issues. It is a cloud-based solution, so you cannot expect to have a real-time response, but this can be improved by Microsoft. I know that they are trying to improve. I would rate it a nine out of ten for stability.

It is ultra-scalable. I would rate it a ten out of ten for scalability. 

I love Microsoft, but due to its growth, the overall support quality has decreased a lot. My recent experience with support was not that good. For the Defender part, it was not that bad. I would rate their support a six out of ten. Their response time and knowledge could be better.

Neutral

I work with Trend Micro. I work with Kaspersky. Trend Micro has its own cloud-based solution similar to Microsoft Defender XDR, but it is not the same. It has some problems. It is not as effective as Microsoft Defender XDR. Especially whenever it comes to vulnerabilities and recommendations, Microsoft Defender XDR is amazing because of its integration with Microsoft operating systems. Microsoft is much ahead of the competition.

I would never touch Kaspersky again. It is not because it is a bad product. It has been a very good product for several years, but because of the Russia and Ukraine war, it has become a prohibitive product at least in Malta to use. A lot of customers moved from Kaspersky immediately to different products. The majority of them went to Microsoft Defender XDR, especially because it also comes integrated with some products. Microsoft is bundling its own products, and Microsoft Defender XDR is very attractive to implement as a cloud solution. It is a no-brainer for the customer. That is where Microsoft has an advantage over Trend Micro, Kaspersky, and other vendors.

With Cloud servers, it is easy and very straightforward. You can almost do it automated, but in a hybrid environment, you have the element of the on-prem servers, which becomes a little bit more complex. You also have the element of Azure that simplifies the deployment process.

It can be difficult to deploy in the beginning because you need to consider different products and elements, but the deployment is the simplest part of the onboarding process. The configuration process is much more difficult, especially because on servers, you need to deploy group policy objects (GPOs) and set all the policy options to protect from the vulnerabilities. You need to configure the antivirus to protect from exploits. There are so many features and configuration possibilities that it becomes more complex to implement on server endpoints. On the client side, it is easy, especially when you implement Defender through Intune, which is the mobile device management solution of Microsoft. With a platform like Intune, it becomes easy because you have policies that assist you already out of the box, such as security baseline policies. With Intune, it is much easier to set a policy. It is way less complex to implement. When you have a hybrid environment with endpoints joined on a local active directory, the complexity increases because you need to deploy GPOs as well if you do not have Intune involved. It is complex to implement.

The deployment takes a few weeks, but it also depends on the size of the customer. If you have just Windows 11 client endpoints, it is easier to implement. Client endpoints are easy to implement because you do not need to test that much. You configure the policies. The policies are all known because of our experience. When it comes to servers, it depends on the server's workload. It depends on what type of service you have installed on the server side. If it is the IIS web server, you need to test certain policies that can block that service. You cannot simply go and implement the best practices of the policies because then you are going to make the server unusable. You are going to generate downtime, which is not ideal and also not the objective, so you need to be very knowledgeable on the infrastructure side and the security side of all applications. You need to study. You need to create a test environment and start implementing server by server. You require details, and it is complex to implement because of this reason.

I am currently doing an implementation for a company with 300 people, and it would take around two months to implement because of the number of servers and endpoints. You need to go into each and every device and analyze the environment. It takes a while. In smaller companies, it is very quick. Within a week or two, you can manage to implement it.

In terms of maintenance, there is no maintenance of the product, but there is maintenance of the environment. Microsoft releases frequent recommendations, and they detect new vulnerabilities very frequently, which requires constant maintenance of policies.

I usually allocate two people. There is one person more focused on the client endpoints, and the other one is more focused on the servers because of his expertise. We split the roles and responsibilities within the team.

It has not saved us costs, but we have invested in a proper solution. We have a better return on investment. We now have better visibility. We are investing in a product that gives what we need instead of a product that does not fulfill our requirements and our customers' requirements.

As a service provider, it is very hard to calculate an ROI. For customers, it is more of a return on value rather than a return on investment. If you have not been under any threat after implementing the solution, it provides the value you need. This is my point of view on security because there is no perfect solution, but there is a solution that works better than the others where you have much more control. With Microsoft Defender XDR, in my experience, we have managed to give that to our customers. Our customers are satisfied with the product, and none of them have replaced or changed Microsoft Defender XDR.

There is the cost of the license, and there is the cost of implementation services. Only by enabling a license for your user, all the features are not going to be enabled and the policies are not going to be configured. It does not work like this. You need specialized people to implement, monitor, and maintain the systems. It comes as a package.

I would rate Microsoft Defender XDR a seven out of ten for pricing. It is costly, especially on the cloud part. There is also Defender for Cloud, which is part of Microsoft Defender XDR. It is 15 dollars per server per month. It is worth it, but it can be costly. It depends on the company's size. That is the big issue.

If you have a company with ten employees and ten servers because you have your own infrastructure hosted within virtual machines, you need to protect ten client endpoints. It is cheap if you get a business premium license. It costs around 17 euros per user. To protect the servers, you need to pay an extra 14 euros per server per month. For ten servers, it is 140 euros per month. Per year, it is around 1600 euros. Small companies or companies with a small budget would not go for it because they do not want to invest in IT. They do not see this value. In my opinion, big companies can justify this cost.

In the countryside of Malta, it is tricky to sell the solution. I have to give them all the advantages. I always have a test environment, so I show them how it works, how the automated detection works, how it behaves, and how it acts on the threats. I give them an overview, and they get amazed. When it comes to the pricing, they get a little bit scared, but ultimately, they go because they see value in it. Everything depends on the value that a product gives and how you sell a product as a solution provider. An XDR solution provides value because it protects your assets. Your data is your major asset. If you do not have it protected, you can get hacked or have a ransomware attack. Companies are now starting to understand the importance of it, and they are starting to invest more. It is still a long way for us to have the mindset where they say that it does not matter how much it costs, we need to invest in security.

I would recommend Microsoft Defender XDR. It is the best solution in the market.

For me, Microsoft Defender brought a career change. It made me go deeper into the security products. Previously, I was more of an infrastructure guy. I was more focused on on-prem and Windows servers, but then I moved away from infrastructure. I work for a data center company, and I am a presales solutions architect designing solutions for financial companies, banks, and gaming companies or companies with online casinos.

A lot of people did not like Microsoft Defender because Microsoft was not known as a security company, but Microsoft has been investing billions of dollars every year in security, and now, they provide cutting-edge technology, especially with AI.

I have been following Microsoft, and I go to Microsoft events. There is a new product called Security Copilot that is going to be completely connected to Defender XDR. It will give much faster feedback and response to threats by issuing reports. Today, a security analyst takes four to five hours to prepare a report. With Microsoft Security Copilot and Defender, it is going to change massively. Within five to ten minutes, you can prepare a report with the Security Copilot solution. It is going to be released very soon, and I am looking forward to it.

Overall, I would rate Microsoft Defender XDR a ten out of ten.

I work at a SOC, and we use Microsoft XDR to provide 24/7 monitoring for our clients. We use it to monitor all types of incidents, including attacks on endpoints and email-related threats. It's integrated with other Microsoft solutions.

I like how Microsoft XDR and the other Microsoft products are integrated into a single unified security stack covering identity access management, endpoint protection, email, cloud applications, etc. The Kubernetes security feature hasn't been released yet, but we're looking forward to that. I'm just focusing on that because it will be a game-changer.

The integrated identity and access management is helpful because sometimes you don't have the information you need inside XDR, so you can go to Entra for more details.

XDR can stop advanced attacks like ransomware and BEC attacks. It also has an AI-assisted automated feature that cuts off access to persistent attacks. This feature disrupts the attack by disabling user access. A person needs to analyze if the response is correct and reject or approve. 

Through integration with Microsoft Lighthouse, we can manage multiple tenants on one screen, and prioritize which areas of the environment to address first. Sometimes, one tenant may be inaccessible to you. It will show an error, but then it will start working again automatically. 

Because of the training model, Defender XDR's automatic response sometimes blocks legitimate users and activities. Also, the UI sometimes responds slowly. 

I've been working with Defender XDR for the last six months.

I rate Defender XDR 8 out of 10 for stability. 

Defender XDR is scalable. 

We had a problem once getting a feature to work correctly after an update. We contacted Microsoft, and it took about 2 or 3 days to resolve.

I previously used QRadar and Splunk

Deployment is easy. It requires some maintenance on the Microsoft side. 

I rate Defender XDR 9 out of 10. I would recommend Defender. It's easier to use than other products I've worked with, such as Splunk and QRadar.