Microsoft Defender XDR Reviews

In our organization, we are mainly using it for email security and SharePoint security.

It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints.

It helps us to prioritize threats across our enterprise, which is very important. It has sorted many things.

We use Defender for Endpoint, and we also use Sentinel. In my organization, they are all integrated. Sentinel pulls the data from M365 Defender via connectors. The integration is very easy. There are no problems. These solutions work natively together to deliver coordinated detection and response across our environment, which is good. We rely a lot on Microsoft products. Together Defender for Endpoint and Sentinel give me a clear picture to defend against threats and investigate the threats.

Sentinel enables us to ingest data from our entire ecosystem. It's always good to get a centralized, holistic view of our security operations. We are using centralized Sentinel dashboards mainly to get all the threats and information in one place. It's good.

Microsoft security products provide comprehensive and deep threat protection. I'm pretty satisfied with that.

It has saved us time. It has saved more than 50% of our time. 

It has decreased our time to detect and time to respond. It has been helpful, and the time to detect is really fast. We don't have to do anything. We just have to rely on it. In terms of the time to respond, if something is under the radar or intelligence of Defender, the tool itself responds and gives us what happened. When it comes to something that is not on Defender's radar, Sentinel is generally where we go. So, it saved more than 50% time in terms of detection and response.

Email security and endpoint security are valuable.

It provides good visibility of Microsoft products but not for third-party products. It's a good product if we have Microsoft product lines to protect or defend, but it lags when it comes to a mixed environment or non-Microsoft products. The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category.

On the Defender side, for custom detection queries, KQL and the dashboard are not that great, but we are not doing automation directly from the Defender side. We leave Defender intelligence as it is, and we collect everything from Defender to Sentinel and handle the response from the Sentinel side. So, all our automation is happening through Sentinel only. We don't have any extra customization on top of Defender.

The maturity of the portal or dashboard is missing. The dashboard is something that Microsoft is changing every month, and we are seriously not liking it. As a management person, I am not bothered about it, but my team is suffering because there are many versions. You are working on a version and then a new version comes and then the preview toggle button comes. Now, they are combining all the parts into a single console. It confuses technical teams a lot. I'm not happy with their approach or experiments when it comes to the Defender portal. They shouldn't change it again and again.

The SOAR side of Sentinel is zero. If any subscriber subscribes to Azure Sentinel, SOAR is zero. Microsoft says that Sentinel is a SOAR solution, but I don't agree because they are only exposing the existing Azure automation engine towards Sentinel. My automation ask is that when there are already so many detection rules and connectors, why is the SOAR capability not in-built? Why can't they make the Azure functions behind it available in a template form and let us modify and use them? It will save my team's time in preparing the automation of the response. If my team has to create the logic, they have to invest a lot of time.

Their support needs to be improved. I'm not happy with their support.

I have been using this solution for more than a year.

For stability, the product must be mature enough. It should not keep on changing every month.

It's scalable. Target points are in my capacity, and I can scale it without any problems. There is no limit to the agents for Defender, but on the server side, Microsoft would have the answer. 

Location-wise, we are spread in five locations within one country, and department-wise, we have around 11 departments.

Their support is bad. They weren't at all able to solve my problems. They buy the time but never get back. I have to follow up with them again and again. They just take the logs and sleep on them. I'm not happy with their support. I would rate them one out of ten.

Negative

We were using another solution. Our organization at the time was too much dependent on the on-premises infrastructure. We were using Symantec, but it was a very quick shift within one quarter or two toward the cloud products and services. We are now heavily reliant on Microsoft Cloud products. We have the Azure environment and a lot of cloud applications, and we have shifted to M365 and Sentinel.

We have a hybrid deployment. Within the cloud, it's straightforward, and when it comes to the target points, it's doable. 

Our biggest challenge was removing the old Symantec signatures from the registries, devices, and servers. That was what we mainly struggled with a lot. Otherwise, deployment was going very smoothly. We had around 46 virtual machines or servers. The problem was that the MDATP agent was not ready to protect them. We struggled a lot there. We went to Microsoft, and Microsoft said to go back to Symantec, and when we went to Symantec, they asked us to go back to Microsoft. That took a long time for us. Everything else was smooth. When the target point is Windows, it's very smooth.

It took around 20 to 25 working days. In terms of the staff, other than the infrastructure team, there were five people including me.

In terms of maintenance, we have to just work on the detection rules and nothing else. There is no other maintenance. It's a complete cloud solution.

It's quite hard to measure the money saved from using this solution because we have not got any attacks that have resulted in any kind of ransom or monetary loss. It's defending us, and as of now, as per my report, there are no financial losses due to any attacks.

Microsoft's pricing differs geographically. We are based in India, and we have India-based licenses. Money-wise, it varies from product to product or OEM to OEM. We pay less for some, and we pay more for some. 

Microsoft has a lot of CSPs, indirect partners, and direct partners to deal with customers. There is so much difference in the price, which is something we are a little confused about. For Defender, they have Endpoint Plan 1 and Endpoint Plan 2, but I don't know on what basis they have classified Endpoint Plan 1 and Plan 2, but it has given me enough pain to pick and design Endpoint Plan 1 or Endpoint Plan 2 for my organization. In fact, we are still struggling with it. Too many SKUs are confusing. There should not be too many SKUs, and they shouldn't charge for every new feature.

We evaluated Okta products and QRadar.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single vendor security suite is always better. It's simple. It saves the time to detect and respond and administer.

This product is best if you have mostly Microsoft solutions in your ecosystem. If more than 20% of your solutions are third-party solutions, you can also look at and compare other products.

Sentinel enables us to investigate threats from one place, but when it comes to response, we have to put a lot of effort into it because Microsoft is not giving anything ready-made on the SOAR side. We have to put a lot of effort into orchestration and automation. The SIEM of it in terms of the collection of security events and information is wonderful, but when it comes to the SOAR capabilities, there is nothing in-built. They are just the analytical rules for the detection purpose, not for the response. The response is something we have to sit and design. So, the defending capabilities of Defender are good. It has some intelligence, but on the response side, Sentinel is blank. We have to start from scratch. It's a circle, and we have to keep on evolving. When comparing the cost, I am not that exposed to other products' costs, but as per my understanding, the cost of Sentinel is a little bit on the higher side because Microsoft generally charges on a log ingestion basis. It also depends on the amount of log data we are ingesting in Sentinel.

Its threat intelligence hasn't helped to prepare us for potential threats before they hit and to take proactive steps because it depends on the type of attack, the type of payload exploits, and other things. However, as per my previous report, in the last six months especially, there have been quite impressive preventive features, especially related to the process memory injection attacks or attacks coming from emails and links. It's very good for those.

Overall, I would rate this solution a seven out of ten.

The primary use case involves using Microsoft Defender XDR as a comprehensive security solution. This includes securing endpoints, user devices, SQL databases, containers, and third-party cloud solutions such as AWS and Google Cloud.

Microsoft Defender XDR is a complete package of different Defender solutions, including Defender for Endpoint, Defender for Office 365, Defender for Cloud, and Sentinel SIEM, among others. With Microsoft threat intelligence information, it detects various types of threats, including insider attacks, malicious content, and data exfiltration.

There is no comprehensive visibility, making it less user-friendly. The visibility of different types of threats should be improved. This aspect is not as developed compared to third-party vendors. Improvements are needed in automated response capabilities.

I have been working with Defender XDR for around two years now.

I would rate the stability of the solution as seven out of ten due to compatibility issues across different devices.

The scalability would also be rated as seven out of ten. It is suitable for enterprise-level deployment but has room for improvement.

For technical support, I would definitely give a rating of nine out of ten.

Positive

The setup process is simple; enabling features just requires the right licenses and is essentially an on-off switch on the portal.

I would rate the pricing as eight out of ten, indicating it is a reasonable cost for the product.

Overall, I would give Defender XDR an eight out of ten. While it is a good enterprise solution, there is room for improvement in different areas.

I've mainly used the EDR component within 365 Defender, which is Microsoft Defender for Endpoint. It does a good job of bringing the whole attack story together, so you can see email activity, endpoint activity, cloud app activity, and some sort of sign-in activity as well relating to Azure AD, but I've mainly dealt with it from the EDR aspect.

It definitely improved visibility when I dealt with this solution, but the main benefit is the advanced hunting because it allows you to uncover threats that you didn't realize were there, or they weren't alerted because you were looking for specific behavior. The custom detection and linking to that is something quite cool because if you know there's a behavior, you want to keep an eye out for it. For example, it might be linked to a recent threat, so you can set up that detection query, and as soon as it finds a result, it will flag an alert. That has definitely helped to be more proactive and a bit more ahead of the curve with attacks. So, it improves visibility and also helps with being proactive.

It helps to prioritize threats across the enterprise. It does assign severity to a threat, but it also gives you an overview at a glance. If you know that your organization is susceptible to certain major threats, those are the ones you probably want to pick up on. With the severity and alerts, it gives you an idea of which is the most pressing incident. If you've got one with just one alert, that's a medium, but if you've got one with five highs. You're probably going to focus on the high one. That helps to prioritize.

It helps automate routine tasks and the finding of high-value alerts to a degree. You can have certain actions where if an event starts on the endpoint, it automatically isolates that. If it occurs, for example, on the email, then you can automatically purge it. It helps with the routine tasks that people would have to manually do in the portal. With automation, it takes care of it automatically if an alert fires. It improves efficiency because, after hours, there might be no one there available to isolate a machine. This way, as soon as the alert fires, that machine is isolated, and the next morning or the next working day, an analyst can go in and see that this alert fired and the endpoint has been isolated. That definitely helps from a coverage perspective when people are unavailable because those actions occur without anyone being present.

It has absolutely helped eliminate having to look at multiple dashboards and have one XDR dashboard. I've got three years of experience. At the start, we had all the individual portals for cloud app security, endpoints, Office, etc. The whole point of 365 is to unify, and they've done a good job. The different components are broken out into sections on the left-hand side, and you can very easily click through them and navigate them. It eliminates the need for multiple tabs and dashboards. It has definitely helped with what they were aiming for, which is to have a single pane of glass view.

It has saved us time by not having multiple dashboards. We don't need to open multiple portals and sign in to them. It definitely saves time there and also in understanding the true story of an attack. It has definitely helped in terms of efficiency. It's hard to quantify the time savings because I'm not using it now, but from what I remember, it saved at least 20% to 25% time just because it does a good job of giving you the information. You can glance at the key information that you need, and then it gives some details, and then you go to other places externally to investigate further.

The threat analytics give you a report on what Microsoft has seen in the world. What I like about those is that they will show you if that's actively impacting your environment at the moment or likely to. For example, if there are vulnerabilities that are being exposed, it tells you whether you're vulnerable or not, so you can protect against them before they are here. One thing I do like is that they also give you advanced hunting queries, so you can look for the behavior associated with those threats and make sure that you've got your coverage in place. I wouldn't necessarily call it threat intelligence. It's more of threat analytics and reporting that they provide.

I'm not aware of whether it saved any money in any of my previous roles, but a lot of organizations have the E5 security license, and they don't realize it. They have third-party vendors doing their email security, endpoint security, and so on, but holistically, Microsoft's E5 license gives you all of those capabilities, and it would also be cheaper than paying multiple vendors.

It decreases your time to detect and time to respond. It does a good job. It has the auto investigation ability so it can automatically detect threats. When you build custom detections, you can have automated response actions. Those two together help you with the mean time to remediate and the mean time to resolve. The information at a glance easily lets you see if it's a false positive or something that you know in your environment, and it's gonna be non-malicious. You can glance over and dismiss those alerts, and you could potentially be setting up suppression so that you don't get notified about them in the future. All in all, it helps you to improve your remediation. The time reduction depends on the scenario. Sometimes, you can instantly see false positives that would decrease your time by 85%. On the whole, there is about 35% to 40% time savings because of the way it correlates with the signals and gives you quick ways to remediate them.

For me, the advanced hunting capabilities have been really great. It allowed querying the dataset with their own language, which is KQL or Kusto Query Language. That has allowed me to get much more insight into the events that have occurred. The whole power of 365 Defender is that you can get the whole story. It allows you to query an email-based activity and then correlate it with an endpoint-based activity. The advanced hunting capabilities have definitely been one of my favorite features.

The way the incidents are put together is also good. It can intelligently correlate activities from email to endpoint, and then you can visually see it in the timeline view or graph view. It does a good job of presenting that incident to you, and it's easy to navigate between it and then pivot to some actions as well.

For some scenarios, it provides good visibility into threats, and for some scenarios, it doesn't. For example, sometimes the URLs within the emails have destinations, and you do get a screenshot and all further details, but it's not always the case. It would be good if they did a better job of enabling that for all the emails that they identified as malicious. When you get an email threat, you can go into the email and see more details, but the URL destination feature doesn't always show you a screenshot of the URL in that email. It also doesn't always give you the characteristics relating to that URL. It would be quite good if the information is complete where it says that we identified this URL, and this is what it looks like. There should be some threat intel about it. It should give you more details.

One other limitation is with cloud-based events. Sometimes, you don't get enough details in the alert. You have to go to other portals to then complete the story or do your own research, ask the user, etc. 

The other one is that with Defender for Endpoint, the attack story is quite good in terms of queries and things like that, but sometimes, multiple events for the same thing are captured, and it's not summarized in a good way. You have to open each entry to see what that partial syntax is. It'll be good if it said that this specific partial syntax was seen fifteen times, and maybe it's something to pay attention to. They could also do some sort of pattern matching. There could be some sort of pattern matching where it says that this is the attack trying to do some enumeration or reconnaissance activities. 

I've been using it for over three years.

There are some times when it does have downtime or service outages. They do a good job of updating the service status page to let you know about that, but there have also been misclassifications, for example, for Chrome updates, generating malicious alerts and things like that. On the whole, it's quite stable.

There are sometimes when it can freeze up or not present the data that you want. It gives you data unavailable or other errors, but, usually, these are quite quickly resolved. Sometimes, it's just to do with a particular instance, but sometimes, there can be wider outages. You just have to pay attention to the service status page or raise a support case and then be notified when that's resolved. On the whole, it's fairly stable.

Because it's built on the cloud and for the cloud, it does scale quite well. However, one area where it can be a challenge is when you use the Kusto Query Language for event hunting. Sometimes, if you do quite a generic search across, for example, thirty days of data, it gives you processing errors and limitations. I guess Microsoft does that for two reasons. One, to keep the cost down on their side, and two, from a performance standpoint. That is a bit of a limitation of scaling because if you want to do generic sessions across thirty days, you're not able to, but the idea is that you should be able to filter and granularly restrict conditions to get exactly the events you want. However, it would be nice if you were able to search more widely and if the solution could scale to support that, whereas, currently, it doesn't seem to, but that's not the use case they might have had in mind.

It depends. With some clients, we've had the fast-track option, whereas, with some clients, we just had to raise support cases. Usually, when you raise support cases, you're not going through an SME, so there is a bit of basic troubleshooting and things like that. With the fast-track option, you directly get through to someone who understands security, and you can explain the issue. They understand the issue, and you can get a much quicker response. So, the fast-track option is the one where I've had better success. The normal support can sometimes be a bit drawn. There could be a lot of back and forth about not relevant things just because they're not security trained, so they're trying to understand and then help you. 

It has been a mixed experience. Overall, I would rate them a seven out of ten because there have been some gaps, and there have been some successes, especially through the fast-track program.

Neutral

We didn't have anything that was overarching and correlated all the different signals. We had different products. We had a different product for email security or a different product for the endpoint. I might be wrong here, but I don't think there's another tool that brings those aspects together as well as 365 Defender does.

From what I went through in various roles, it was mostly in the cloud. Defender for Endpoint is a cloud-based solution. In fact, most Defender solutions are now based on the cloud. The only exception is if you've got Defender for Identity. For one of our engagements, I did deal with that, so it was a mixture. Apart from Defender for Identity, all the other solutions have been on the cloud.

In one of my roles prior to my current one, I was doing onboarding for a client with Defender for Endpoint. I was getting them onto it and migrating from McAfee. I was involved in the setup, coordinating the groups and the roles, and things like that. In all the other roles, the tool was already in place. It was just about maturing it and getting hands-on.

The setup was quite complex. Microsoft Docs guide you, but there were a few gaps that I had to fill in. One example is onboarding with group policy. Microsoft does lay all the steps on the docs page, but it doesn't give you screenshots. It doesn't give you things to look out for. It doesn't give you logs that would correlate to those events and things like that. I had to put things together using external sources, such as YouTube or just Google search. On the whole, it was very okay to follow, but it just didn't have that depth. What I produced for that client was a step-by-step coding guide with screenshots that they could give to the infrastructure team to get them on board. We had a good success rate that way, whereas if I had just sent them the Microsoft Docs link, I'm sure they would have had a few more questions.

That was the only use case I had experienced initial-setup-wise. The onboarding for group policy took maybe a month or two just because we had quite a big setup. We had different groups to roll it out to. We rolled it out to pilot devices, then 10 or 20 devices, then 100, and so on. It took about a month or two.

In terms of maintenance, from the service side, you rely on Microsoft to make sure it's available, secure, and things like that. Sometimes, you get downtime, and sometimes, you get bugs. For example, last year, a Chrome update was misclassified as malicious, which caused all the alerts. You then have to raise support cases to find out what happened. Eventually, Microsoft releases a fix, so in terms of maintenance, it's more on them. The only thing from your side is making sure, for example, the roles are still relevant. If someone who has access leaves, you need to make sure that their role is revoked. You need to make sure that you've got your role set up for the least privilege and things like that on an ongoing basis because there may be certain new features in the portal that have a corresponding role assignment. If you don't have that enabled or configured, then you're not going to get that benefit. That's the only thing needed from the maintenance perspective. You just need to make sure your roles are regularly reviewed and optimized when needed.

All I can say again is the E5 gives you all the capabilities that it offers. It also gives Office 365 and one terabyte of storage. All in all, the E5 license model makes sense. There are some people who say it's quite costly, but rather than paying different vendors, it makes sense to go all in with Microsoft if you've got that licensing. From that perspective, it's cost-effective, but I can't comment much on that.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that I'm slightly biased because I'm such a fan of the Microsoft suite. Some people do say that you shouldn't put eggs into one basket, and you're giving a lot of control to Microsoft and things like that. I would advise evaluating based on your needs. For example, for your endpoints, you might see much better value in CrowdStrike, Tanium, or something like that as compared to Defender for Endpoint.

You can do PoCs. Microsoft makes it quite easy. You can have the trials and things like that. You can play around and see which one supports your environment. I wouldn't say Microsoft is necessarily the option for all organizations, but I do think it's a very compelling offer. They're constantly evolving the product. They pay a lot of attention to consumer feedback. They've enterprise feedback as well to improve the product. I wouldn't completely rule out either option. If you've got one that's tried and tested for your enterprise, and that's a third party, you can see what Microsoft can offer. If it just doesn't match up, then stick to what you have even if it costs more because all in all, you may have tried and tested processes. You may have an investment in that product, and it may just have capabilities that the Microsoft one doesn't have. I would also encourage you to add a feature request for the Microsoft one, and then they'll be more on the equal side.

I would advise doing a PoC. If you are using Carbon Black, CrowdStrike, or Titanium, evaluate it. Have a sample host or spin up some VMs or onboard them to Defender. Do some simulations and do some attacks that you think are likely going to be. See how the logs look, see the investigation processes, and do a gap analysis with your current solution. If it brings you any value, then potentially look to deploy it further. Don't just go all in without understanding what it does. If you don't have any security solution right now, and you are a small business or a local business, it's worth doing the trial and seeing what value you get from the trial because, in that situation, you don't have anything to compare to. You are an easy customer to onboard from Microsoft's perspective because you wouldn't be that complex. So, do a trial and then go from there.

I would rate it an eight out of ten overall. I do really like the product. I do like the fact that it combines all the alerts into one. I remember when I was a security analyst back in 2019, I had to open multiple tabs and close alerts in one portal and then the other portal. They've done a good job of bi-directional syncing of alerts. If you're closing in 365 Defender, it'll close in the MCAS portal or cloud apps. Overall, the biggest thing for me was just advanced hunting capability because previously, it wasn't possible to get those cloud app events or Defender for Office events to do hunting. Endpoint was the first one to have that hunting capability, and I'm glad that they've extended that to the other stacks. So, overall, I would give it an eight, and I'm really impressed.

I am a consultant responsible for deploying and providing customer support for Microsoft products. We use Defender XDR for endpoint protection. It helps them secure endpoints with an advanced XDR solution that conducts behavior analysis and things like that.

Defender XDR provides more visibility into all the connected services, including the security stack and all the productivity software. They're all integrated. It's much less maintenance and has fewer headaches during integration and setup. Implementing the solution and getting the customer fully protected takes very little time. According to Gartner, it's one of the best solutions on the market,  and it requires a limited amount of time and resources to get it fully operational.

By adopting Defender XDR, our customers have discontinued other security products. The solution can replace products like Kaspersky, McAfee, Trend Micro, and even CrowdStrike. 

It has affected customers' security operations by simplifying permissions and reducing the total cost ownership if we discontinue all the security products that the customers used before. Customers usually save around 20 percent, but it's more than simply replacing one component with another. It replaces several security solutions like email and cloud application protection. If you compare the total cost of ownership of on-prem solutions versus Microsoft, it is better to go with Microsoft. You also get lifetime upgrades for the systems and features that you implement.

Microsoft XDR's system of analysis and investigation is super convenient for our customers. It integrates with other Microsoft solutions like Defender for 365 to protect email traffic from malicious external web links and phishing. Customers like that the platform provides a single pane of glass for all the security services. Many of them do not have the capacity to support complex systems, so it's better for them to have most of the tools integrated into one platform. 

You can integrate XDR with Microsoft's identity solution Entra ID if you have a premium license. Those tools are fully integrated, but you need to purchase a separate solution called Defender for Identity to get tools to protect identities and connect the Enterprise Data Center with Defender.

Defender XDR's coverage isn't limited to Microsoft products. You can use almost any solution and achieve the same single point of control. For example, you can integrate Microsoft Defender for Cloud Applications, which covers all the cloud service providers. It isn't limited to only Microsoft infrastructure.

Customers say they want absolutely seamless integration between other Microsoft solutions and Defender XDR, including the ability to change device settings within the Defender portal. They need to contact the IT team responsible for the device management tools to change some settings. They would prefer that those changes be initiated directly from the Defender portal or applied from Intune without involving the IT operations team.

I have used Microsoft Defender XDR for five years. 

Defender XDR is almost 100 percent stable.

Defender XDR is infinitely scalable. 

I rate Microsoft standard support six out of 10 and premium support eight out of 10. The response times for basic Microsoft support leave much to be desired. It can take up to two weeks to resolve issues if you don't have a support contract. 

Neutral

Deploying Defender XDR is relatively straightforward, but it depends on whether the customer has already integrated its on-premise infrastructure with the Microsoft cloud.

Deployment requires one or two engineers on our side. We determine the scope of the work and the deployment before rolling out the clients to the endpoints. The biggest question is whether the customer already has the network infrastructure prepared for that service based on the Microsoft documentation. For example, we must determine if the endpoints connect directly to the Microsoft cloud or through a proxy server, firewalls, etc.

Defender includes four or five products different products. The most useful is Defender for Endpoint, which typically takes up to two weeks to deploy, while Defender for Office and Defender for Identity take one week to deploy. Defender for Cloud Applications can be deployed in a few days. It also depends on how the customer will use it. If it's being used for compliance, the customer's requirements may be totally different. 

The number of maintenance and administrative personnel depends on the organization's size and the number of solutions deployed. It's hard to calculate how people would be necessary for that particular part of the security ecosystem. However, Defender XDR takes up to three people to manage. 

Defender XDR is expensive, but the cost is justified. Defender is included in an E3 or E5 license. If you don't have a premium Microsoft license and you purchase Defender separately, the whole model will be different. You can also pay extra for premium support. 

I rate Microsoft Defender XDR nine out of 10. I recommend starting it as soon as possible, but you must also plan for any future on-premise solutions that you might bring into the system. Consider any prerequisites you need if you decide to go with the product. The biggest issue is that your network infrastructure needs to be set up according to the Microsoft documentation.

My company mostly uses Microsoft Office products, so we use 365 Defender for our security. 365 Defender is deployed globally, and it works the same whether you are in Europe, China, or India. It currently covers around 4,000 people worldwide. 

Defender reduced our attack surface with built-in rules for USB-based threats. Sometimes employees plug in a USB containing threats. Defender will immediately stop malicious executables from running. 

We have our own method for defining incident priorities. For example, most identity-related incidents are on the higher side. However, if we see a large number of low-level alerts affecting a single user in a short period, then those need to be checked. Automation can help in these cases. It's good to have, but I don't think Microsoft is currently very capable of machine learning. 

Defender has a security dashboard, but there is a different console for vulnerability management. We can create multiple reports where alerts are categorized and labeled, and Defender provides a single console where we can fetch all those reports. 

There isn't a foolproof method for preventing all cyber attacks, but best practices can reduce risks and limit the impact of threats. If you identify threats, you can build block lists and create regular employee training to tell people what to avoid. 

Preventing threats requires a strong firewall and antivirus solution. Defender is a good one. You can also implement threat prevention and detection technology in your remote environment. Nothing can completely prevent attacks from happening, but you can create policies using threat intelligence to ensure they are stopped. 

365 Defender helps us save time by simplifying threat response. For example, one of my customers uses USB to transfer data from one place to another. Some USB drives contain malicious programs, so I configured a rule to stop the executable. If a user copies documents from the USB with a harmful executable, Defender will lock it down. They can only copy the documents, but the executable will not run. 

It saves us lots of time. It reduces the time we spend on these tasks by about 50 to 60 percent. I switch it to audit mode and collect logs. After a month, I have received hundreds of alerts. With my rule in place to block USB executables, we no longer get alerts for that particular threat. Implementing that single rule reduced our alerts by around 30 percent. 

Defender reduces the detection time. We have a SOC team to review all those logs and alerts, and it helps them work quickly. There is little delay between detection and remediation. 

Microsoft Defender's most critical component is its CASB solution. It has many built-in policies that can improve your organization's cloud security posture. It's effective regardless of where your users are, which is critical because most users are working from home. It's cloud-based, so nothing is on-premise.

When dealing with remote users, you need the coverage of firewalls, antivirus, and all those essential security measures. There are multiple policies available that can help the organization secure its environment to prevent something malicious from entering. You need to flag users logging in from a different IP and guard against brute force attacks by detecting multiple failed login attempts.

There is also an option for identity. Most organizations aren't entirely on the Cloud. They still rely on on-prem data centers, so you need Defender for Identity. Another advantage of a cloud-based solution is that you don't need to constantly upgrade it monthly, quarterly, or weekly. All of your infrastructure is online. 

You need multiple solutions for outside threats. I can see if someone is logging in from a malicious IP before they can access the environment. You cannot completely block cybersecurity threats, but you can proactively resolve them and create a wall around your environment. 

365 Defender's attack surface reduction rules could be more customizable. Microsoft has its own pre-defined rules that can be adapted to every organization, but Defender should support the ability to create custom rules from scratch.

Defender also lacks automated detection and response. You need to resolve issues manually. You can manage multiple Microsoft security products from a single portal, and all your security recommendations are in one place. It's easy to understand and manage. However, I wouldn't say Defender is a single pane of glass. You still need to switch between all of the available Microsoft tools. You can see all the alerts in one panel, but you can't automate remediation. 

Automated remediation can be improved. I'm currently creating a remediation structure there and pushing it to my vendor, but the vendor should have their own way of resolving things. It only alerts you that something is happening. The security administrator needs to take action because Defender's automated capabilities aren't up to par. 

I have been using 365 Defender for more than a year. 

365 Defender is stable. I haven't seen an outage in the past year. We've had 100 availability. Occasionally, the servers go down for maintenance, and the sensors stop working. It doesn't happen frequently. 

365 Defender is highly scalable. 

Microsoft's support is excellent. Most issues resolve on their own, but when we need support, they typically resolve the issue quickly. 

Positive

At my previous company, we used other antivirus and identity solutions, but they weren't a complete package like 365 Defender. For example, CrowdStrike was our EDR solution, which had extended capabilities, or XDR. We had various solutions that collectively did the same thing as Defender. 

365 Defender is cloud-based, so the deployment is straightforward and only takes 10 to 15 minutes. You need to change a few configurations on your devices using Intune. One person is sufficient to do the job. It's a simple installer. 

After the deployment, you don't need to do any maintenance because it's on the cloud. The only thing deployed on-premise is the ATP sensor, which automatically upgrades. 

365 Defender is bundled with our Microsoft Enterprise license. Additional costs for support, etc. depend on the license level. If you have a premium account, you will receive priority support, but it costs more. 

I rate Microsoft 365 Defender a nine out of ten. I personally wouldn't recommend only using a single solution or vendor. If you don't try other products, then you won't be aware of what is happening in the market. There should be multiple products involved, so you can compare the solutions and go with the best one. 

We primarily use the solution for email protection to scan incoming emails and attack simulation. Attack simulation allows our users to practice detecting phishing emails without any risk. The product also gives us an overview of our security situation. 

We operate a hybrid environment with a wide variety of users around the world. 

We use multiple Microsoft security products, including Defender for Endpoint, Sentinel, and Defender for Cloud Apps.  

We have integrated all our Microsoft security solutions, and the integration is easy and seamless, though an Azure account is required to connect Sentinel with other products. 

The solutions work natively together to deliver coordinated detection and response across our environment.  

The multiple Microsoft security products provide comprehensive threat protection, especially by combining 365 Defender and Defender for Cloud Apps, Endpoint, and Identity.  

The solution allows us to remediate threats better, and the Microsoft Secure Score tells us where we need to improve the security of our organization.

365 Defender saves us time in the region of 10%.

With security products, it can be hard to determine how much money they save us by protecting us from attacks, but I would say our cost savings are around 15%. 

The tool decreased our time to detect and respond, as we can quickly navigate to the required dashboard to get on top of unfolding threats. It reduced the time by 5% for each.  

The attack simulation is excellent; initially, this feature wasn't very robust, but Microsoft improved what we could achieve with it. We can now customize our practice phishing emails and include our company logo, for example. Attack simulation also helps integrate with third-party solutions where applicable and provides an overview of our security architecture through testing. The summary includes areas for improvement in our protection and what steps we need to take to get there.

365 Defender works seamlessly with other Microsoft products like Defender for Endpoint, and once we've onboarded a device, it's easy to see the entire progression of a malicious email. This includes the IP origin, and these are some of the things I love about the product.

The solution provides us with excellent visibility into threats; there are various features that clearly show when our organization is under attack, which country the attack originates from, and what we need to do to mitigate it. 

365 Defender prioritizes threats across the enterprise, which is essential because it gives us an overview of what we need to do to improve our security. We don't need to think of what we must do which is significant for us. 

The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Over time, the threat intelligence learns and gets better, much like an AI.  

A simple dashboard without having to use MS Sentinel would be a welcome improvement. 

We sometimes get false alerts, and Microsoft told us the issue was with them and that they were aware of it. They were supposed to remediate it, but we had to do much ourselves. The false positives need to be reduced. 

We've been using 365 Defender for four years. 

The stability isn't bad, but we get too many false positives.

Microsoft has been able to scale up the solution over time, so it's scalable. All we need to do is purchase licenses according to our requirements. We have around 1,000 users.

The customer support is good, but there is room for improvement. 

Neutral

The deployment was straightforward and quick; it took minutes. Onboarding the other solutions can take a little longer, depending on the environment and migration methods.

The setup can be done by one or two staff. In a scenario with many thousands of users and a proficient security admin, the deployment could be done in 15 to 20 minutes. The solution doesn't require any maintenance on our end, as it's cloud-based. 

The product gives us an ROI as it protects our organization from potentially costly attacks. Our ROI is around 5%.

The product is fairly priced for what we get from it. 

I rate the solution seven out of ten. 

We use MS Sentinel, but I wouldn't say it ingests data from our entire ecosystem. It's straightforward to integrate, but getting the most out of Sentinel requires a lot of configuration, which needs significant expertise and time.

Sentinel enables us to investigate threats and respond holistically from one place, and that's important for us. The process is primarily automatic once the logic hub and configuration are set up.  

Regarding the comprehensiveness of Sentinel's security protection, it's less a tool for protection and more of a solution for providing an overview, management, and optimization of security processes. The most significant security features are found in the Defender line of products. 

We can automate some aspects of 365 Defender, but MS Sentinel is required for more complete automation.

365 Defender doesn't eliminate having to look at multiple dashboards; we still need to click through numerous dashboards for a complete security overview. Sentinel allows management from a single XDR dashboard.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say, why not save the stress of dealing with multiple vendors? You can have one vendor one click away and seamless integration between your products. 

I recommend the solution; I've worked with it in three different organizations and realized how seamless it is to use the Microsoft suite. They integrate well and help us protect all the services in Microsoft 365.

We use the entire 365 security package. Defender XDR is primarily used for real-time malware scanning. Our company has about 1,500 endpoints. 

Before Defender, we used a different tool but were unhappy with its performance and frustrated with the deployment. Defender offers real-time scanning and alert notifications.

By adopting the Microsoft stack, we have eliminated other security solutions. Defender XDR reduces manual work. Our organization manages more than 1,500 systems, and manual intervention on all these systems would be a huge workload. Cloud solutions are easier to manage and monitor. 

We are a massive Microsoft shop. We see significant savings by getting all of our security from one vendor. There is a considerable drop compared to buying from other vendors. 

Defender XDR enables you to scan a system remotely and get a complete inventory of its assets. You can gather more information from the asset inventory and apply threat intelligence using Office 365 or something. It's a user-friendly, cost-effective, and feature-rich solution. The XDR features offer considerable value because you get more insights from your user systems.

Microsoft Defender XDR stops the movement of advanced attacks by working with the complete 365 package. For example, you can create rules for email filtering to block phishing emails. I can create rules for email filtering. If there are any suspicious links in an email or its attachments, we can quarantine that email. It notifies the admin or the user.  The user can ask the admin to remove the email from the quarantine. We can investigate the email before it reaches the endpoint. Defender also has web content filtering and all the other EDR file features.

Defender's ability to adapt to evolving threats is critical today. The number of attacks today is multiplying, and Defender's adaptability and awareness are amazing.

The initial time spent setting up and configuring Defender XDR is a bit longer than the other solutions. If everything were on one portal, the platforms for managing policies or alerts would be simpler. We must automate and manage policies on Intune rather than the same portal.

I have used Microsoft Defender XDR for nearly 14 months.

I am very satisfied with Defender's stability. It's a reliable solution that improves our confidence in our security.

I rate Microsoft support seven out of 10. I would like Microsoft's support to be a little more robust and technical.

Neutral

Deploying Defender XDR is pretty straightforward. We deployed it in phases with deadlines. It took a couple of months. We met all our deadlines, and it wasn't a very complex solution to implement. 

We prepared and configured the tenant. Next, we created XDR policies and groups and orchestrated our requirements. We tried pushing the policies to see if the endpoints received them and sent the required information back to the admin portal. There was a testing period before we went live. Deployment only required two people. 

Defender doesn't require much maintenance after deployment because it's a cloud-based solution. We only need to tweak and update the policies, then push them out. 

Defender XDR is reasonably priced based on the licenses we need and the solution's capabilities. At the same time, Defender is a little pricier than some of the other solutions. 

We also considered CrowdStrike and Trend Micro. Trend Micro came the closest to meeting our expectations. Ultimately, we decided to use Defender XDR because we already used most of the Microsoft products, so it was a little more cost-effective. 

I rate Microsoft Defender XDR nine out of 10. Before deploying Defender XDR, potential users should be informed about the pricing, support, and the labor required to manage, maintain, and deploy the solutions. 

We mainly use it to defend endpoints.

We have seen fewer threats with the solution. The attacks that we experienced in prior years have reduced drastically since we implemented Defender.

We also use Microsoft Defender for Identity. Their integration is very good. If you are a Microsoft 365 SaaS solution user, it is perfect. It works very well with all the services provided by Microsoft. These services work natively together to deliver coordinated detection and response across our environment. We are pretty much a Microsoft shop, so the integration of these different services is very important for us to secure our offices.

Microsoft 365 Defender's threat protection is very comprehensive. The service that is available now is much more comprehensive than what was available a few years back. The only area that I see lacking is the dashboard. I can create my own dashboard, but the preset security dashboards should be much more functional.

Its threat intelligence helps prepare us for potential threats and take proactive steps before the threats hit. The vulnerability scanning feature is great, and the Secure Score feature that scans the endpoints for vulnerabilities and keeps them up to date reduces a lot of the attacks that can possibly happen.

Microsoft 365 Defender has saved us time. It has saved at least 30% to 40% of our time.

Microsoft 365 Defender has saved us costs. Previously, we had to pay for third-party protection services separately, but because it is now integrated with our E5 licenses, it saves us a lot of money.

Microsoft 365 Defender has decreased our time to detect and respond. We now have visibility and this led to about a 20% to 30% reduction. 

The EDR and the way it automatically responds to ransomware and other attacks are valuable features.

The visibility into threats is not as good as other products in the market such as CrowdStrike, but if you know where to look, you can gain access to what is going on. The way the dashboard is designed is not as great as other products.

It helps to prioritize threats across the enterprise, but a lot of administrative overload is involved in determining which threats to prioritize. As compared to other products, it is a bit lacking.

Similarly, it helps to automate routine tasks and finds high-value alerts, but a little bit more automation would be appreciated.

Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented. That is because a lot of organizations that I have worked with over the past years do not have full-on SOC or threat detection services. They should put in more automated response capabilities and dashboards for smaller organizations.

I have been using this solution for almost three years.

It is a very stable product. Our attack metrics have come down drastically since we integrated with Defender. In my opinion, it is a very stable product.

It is very scalable. I do not know about third-party clouds or third-party solutions, but when you are a Microsoft shop or have Azure or a hybrid setup, it is very scalable.

We have multiple departments and multiple locations. We have client-facing computers, and we have in-house and on-prem computers. We also have Azure VMs. 

Their support can be better. Their response time is good, but their knowledge and documentation are a bit lacking. Technology is moving faster than the documentation and the knowledge that is being provided to the support team. Their support team pretty much looks at the same documentation that we are looking at, but the technology is moving a lot faster than they can catch up. I would rate their support a seven out of ten.

Neutral

We used CrowdStrike and Trend Micro. We switched to Microsoft 365 Defender because we wanted to integrate services.

The solution is deployed on the cloud, but the endpoints are connected on-prem. In our organization, we have quite a few endpoints, so it took about three or four weeks.

The setup will be straightforward for big organizations if they have a complete IT department, but for a small organization, implementing the same service becomes trickier because they do not have full-fledged IT departments. That is where the problem lies. 

More automation would be better. However, automation is present with Autopilot and other services where you can integrate everything.

In terms of maintenance, you have to fine-tune the services on a regular basis and tweak the deployment as per your requirements.

We have about eight admins who worked on the implementation of the solution.

We have probably seen 30% to 40% ROI.

It is fairly priced because we get complete integrated services with the E5 license.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single-vendor strategy worked for us because it brought down our investment in terms of licensing and cost. The deployment across the organization has been a lot easier than integrating third-party solutions in different areas of the organization. For example, Defender integrates very well with both the endpoints and the cloud. Whereas with a third-party solution, we have to get different applications that need to connect back to the service to get the solutions that we require. Native integration is very useful for us when it comes to Microsoft. That is what I would recommend.

If you are a Microsoft shop, I would highly recommend it, but you have to do a PoC.

I would rate Microsoft 365 Defender a nine out of ten.