Cyber security team lead at a non-tech company with 11-50 employees
Reduces attacks, is fairly priced, and integrates well with other services
Pros and Cons
- "The EDR and the way it automatically responds to ransomware and other attacks are valuable features."
- "Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented."
What is our primary use case?
We mainly use it to defend endpoints.
How has it helped my organization?
We have seen fewer threats with the solution. The attacks that we experienced in prior years have reduced drastically since we implemented Defender.
We also use Microsoft Defender for Identity. Their integration is very good. If you are a Microsoft 365 SaaS solution user, it is perfect. It works very well with all the services provided by Microsoft. These services work natively together to deliver coordinated detection and response across our environment. We are pretty much a Microsoft shop, so the integration of these different services is very important for us to secure our offices.
Microsoft 365 Defender's threat protection is very comprehensive. The service that is available now is much more comprehensive than what was available a few years back. The only area that I see lacking is the dashboard. I can create my own dashboard, but the preset security dashboards should be much more functional.
Its threat intelligence helps prepare us for potential threats and take proactive steps before the threats hit. The vulnerability scanning feature is great, and the Secure Score feature that scans the endpoints for vulnerabilities and keeps them up to date reduces a lot of the attacks that can possibly happen.
Microsoft 365 Defender has saved us time. It has saved at least 30% to 40% of our time.
Microsoft 365 Defender has saved us costs. Previously, we had to pay for third-party protection services separately, but because it is now integrated with our E5 licenses, it saves us a lot of money.
Microsoft 365 Defender has decreased our time to detect and respond. We now have visibility and this led to about a 20% to 30% reduction.
What is most valuable?
The EDR and the way it automatically responds to ransomware and other attacks are valuable features.
What needs improvement?
The visibility into threats is not as good as other products in the market such as CrowdStrike, but if you know where to look, you can gain access to what is going on. The way the dashboard is designed is not as great as other products.
It helps to prioritize threats across the enterprise, but a lot of administrative overload is involved in determining which threats to prioritize. As compared to other products, it is a bit lacking.
Similarly, it helps to automate routine tasks and finds high-value alerts, but a little bit more automation would be appreciated.
Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented. That is because a lot of organizations that I have worked with over the past years do not have full-on SOC or threat detection services. They should put in more automated response capabilities and dashboards for smaller organizations.
Buyer's Guide
Microsoft Defender XDR
February 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
841,004 professionals have used our research since 2012.
For how long have I used the solution?
I have been using this solution for almost three years.
What do I think about the stability of the solution?
It is a very stable product. Our attack metrics have come down drastically since we integrated with Defender. In my opinion, it is a very stable product.
What do I think about the scalability of the solution?
It is very scalable. I do not know about third-party clouds or third-party solutions, but when you are a Microsoft shop or have Azure or a hybrid setup, it is very scalable.
We have multiple departments and multiple locations. We have client-facing computers, and we have in-house and on-prem computers. We also have Azure VMs.
How are customer service and support?
Their support can be better. Their response time is good, but their knowledge and documentation are a bit lacking. Technology is moving faster than the documentation and the knowledge that is being provided to the support team. Their support team pretty much looks at the same documentation that we are looking at, but the technology is moving a lot faster than they can catch up. I would rate their support a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We used CrowdStrike and Trend Micro. We switched to Microsoft 365 Defender because we wanted to integrate services.
How was the initial setup?
The solution is deployed on the cloud, but the endpoints are connected on-prem. In our organization, we have quite a few endpoints, so it took about three or four weeks.
The setup will be straightforward for big organizations if they have a complete IT department, but for a small organization, implementing the same service becomes trickier because they do not have full-fledged IT departments. That is where the problem lies.
More automation would be better. However, automation is present with Autopilot and other services where you can integrate everything.
In terms of maintenance, you have to fine-tune the services on a regular basis and tweak the deployment as per your requirements.
What about the implementation team?
We have about eight admins who worked on the implementation of the solution.
What was our ROI?
We have probably seen 30% to 40% ROI.
What's my experience with pricing, setup cost, and licensing?
It is fairly priced because we get complete integrated services with the E5 license.
What other advice do I have?
To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single-vendor strategy worked for us because it brought down our investment in terms of licensing and cost. The deployment across the organization has been a lot easier than integrating third-party solutions in different areas of the organization. For example, Defender integrates very well with both the endpoints and the cloud. Whereas with a third-party solution, we have to get different applications that need to connect back to the service to get the solutions that we require. Native integration is very useful for us when it comes to Microsoft. That is what I would recommend.
If you are a Microsoft shop, I would highly recommend it, but you have to do a PoC.
I would rate Microsoft 365 Defender a nine out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

Regional Director, Cloud Lead Architect at Cloudeteer GmbH
Provides extended security features, easy integration with other tools, and gives us a clear view of our customers' security environments
Pros and Cons
- "I like the easy integration and advanced possibilities. We can implement it at customer sites in a few clicks, but we can also dive deep and drill down to extended features. There's a very good starting point to get into this product and all the features from Defender."
- "I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses."
What is our primary use case?
We mainly use this solution for security reasons. We use it for the complete stack of email security so we don't have to use a third-party tool, and we use the extended security features that are included in M365, like sandboxing.
The solution is deployed on the Azure cloud. We're a cloud-only company, so we only deploy cloud workloads, but we also have customers with legacy systems. If we're not able to migrate them to Azure, Defender for the server can be deployed on-premise.
The solution is deployed across Germany in four regions: Munich, Cologne, Bremen, and Hamburg. However, most people work from home.
There are about 50 endpoint users, but we have customers with thousands of users. We focus on customers with a thousand seats or more.
We use the entire M365 E5 license for everything that's going on in the M365 world. We try to accomplish everything we need with Microsoft products.
It was very easy to integrate the solutions. We integrated them so we could have an overall good view of our assets. The installation was fully automated via Intune.
How has it helped my organization?
Overall, the solution has decreased our time to detect and respond. If there is any issue, it's not complicated to get the information we need and respond quickly. We offer managed services to some customers, and we have a very clear view of what's going on in their security environments.
One of our main focuses is IT security. This solution has a huge impact on how we use tools and what we do in IT.
One of the biggest points is that Defender is included in the license. It's integrated fully into the M365 world. There's no need to have a third party, which is more complex and includes additional costs. Especially because we're partners, it's very good to have 100 free licenses. We're able to distribute all the information to our customers and integrate it into our projects in a very streamlined way.
We saw all of these benefits instantly. It's different with customers because they are often heterogeneous in the software they use. There's a little bit of explaining and promoting, but it's a huge benefit for most of our customers when they understand that they can have a centralized view of all these security topics. If we are able to deploy the solution to new customers, the benefits are realized in about six months because we have to train them and implement all of the security.
The solution helps with finding high alerts. I wouldn't say it helps with automation because we are piping the problem into the Jira automation, so our managed service kicks in. I would say that it's half-automated.
It helps save time when it comes to the operation and receiving information because we don't have to skip around with different products and customer situations.
This solution enabled our security operations. The legacy approach, in which the tools are in place and someone occasionally checks them, is not as secure as it's meant to be today.
It eliminates the need to look at multiple dashboards and gives us one XDR dashboard. The consolidated dashboard helps our customers get a faster view, which wasn't possible with the former solution.
The solution's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. Our security team is able to work well with it, and a lot of information is getting to our internal users. We distribute everything we learn to our customers.
Sentinel enables us to ingest data from our entire ecosystem because we're cloud-only, so there is no other architecture to monitor.
I would say the logging and analyzers are about 80% of our security operations. The ability to have a clear view of the security information is a big win. For legacy implementations, it's normal to have the security installed but not be able to monitor, detect anything, or get the information to the right people.
For the most part, Sentinel enables us to investigate threats and respond holistically from one place. Today, there are different views, different websites, and different portals to use in order to drill down and get to the real problem. It's a good starting point.
What is most valuable?
I like the easy integration and advanced possibilities. We can implement it at customer sites in a few clicks, but we can also dive deep and drill down to extended features. There's a very good starting point to get into this product and all the features from Defender. We use Plan 1 for email security because it's a common vector for phishing and attacks. The Plan 2 version goes more into advanced features and logging, which we also use for our internal security operations center.
The solutions work natively together to deliver coordinated detection and response across our environment by about 80%. There should be something to get a consolidated view, which doesn't exist at the moment. We have a known tool in place to consolidate all the information into one view for us. That would be a perfect function to have in the future.
I have more than 15 years of experience in IT security, so I have a very good understanding of the tools we need for a use case. I think the documentation helps us and all of our customers comprehend the product. For cloud products, it's normal that something new today is almost outdated tomorrow. Company-wide, we have a very good view of all these products, and we're very firm in deploying them.
What needs improvement?
I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses.
I would also like a more aesthetically pleasing dashboard. For German customers, it's important that the solution is in German. Multi-language support should be in all the features if possible. In many projects, we want to use digital signatures on emails. It would be perfect to have better integration of digital signing in a standard way.
In the last few months, the dashboard changed very often. When they restructure it, it's a little bit painful. Otherwise, the technology is very helpful.
The visibility into threats could be better. For the last six months, getting information from the access points has been difficult. However, the newest version fits very well. It's easy if you've found the right spot to view what's happening.
For legacy organizations or legacy customers, I would say it's possible to save time, but time-saving isn't always the best with security because it needs to be deployed and managed.
It can be installed quickly, but it takes time to check out false positives, have everything in place, and train each end user.
For how long have I used the solution?
We have been using this solution for five years since our company started. The solution had a different name, but we have been using it since it's been available. We use company-wide E5 licenses.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
We haven't had any scalability problems.
How are customer service and support?
I haven't had a lot of contact with technical support.
Which solution did I use previously and why did I switch?
For my personal project, I used many other legacy projects, but not at my company. We aren't selling anything other than the new Microsoft solution at the moment.
How was the initial setup?
The solution doesn't require any maintenance.
What was our ROI?
We have seen ROI in project situations because we removed legacy email gateways and legacy antivirus on-premise solutions.
What's my experience with pricing, setup cost, and licensing?
I would like to have more security features in the lower licenses because not every customer is able to buy E5 licenses. The bundling isn't always easy for our customers to understand. Compared to other tools, it's a good price.
What other advice do I have?
I would rate this solution as eight out of ten.
My advice to those who are looking to implement this solution is to get help from the right company so you can use the solution properly.
Defender helps us prioritize threats, but I would say it's a combination of all the information that we're getting from the internet and from other resources.
To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say that it depends on the customer. If someone has their own VSOCK implemented and many security guys on board, then maybe best-of-breed is what they need.
If someone is a classic customer who doesn't know a lot about security, then they should stick to a one-vendor strategy.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Microsoft Security Solution Architect at a tech services company with 1,001-5,000 employees
It's easy to ensure compliance with data regulations through the portal, which has templates for various regulations on medical privacy and personal data
Pros and Cons
- "The most valuable feature depends on the scenario. For compliance, I like Microsoft Purview Information Protection and Data Loss Prevention. Sentinel is the most helpful feature for security. 365 Defender helps us prioritize threats across an enterprise. It's a crucial feature for the managed services team."
- "365 Defender has multiple subsets, including Defender for Cloud Apps. When integrating Defender for Cloud Apps with apps on third-party cloud platforms like AWS or GCP, there are limitations on our ability to control user activities. If Microsoft added more control over third-party products, that would be a game-changer and help us quite a lot."
What is our primary use case?
I'm a Security and Compliance consultant providing 365 Defender as a security solution for my clients.
How has it helped my organization?
All our solutions are Microsoft 365 products, including security, identity, etc., so we have better protection from advanced cyber attacks. It's also easier to ensure compliance with data regulations through the Microsoft Purview portal, which has templates for various regulations on medical privacy and personal data.
365 Defender helps us automate routine tasks and prioritize high-value alerts. Automation allows us to use time more efficiently. It makes functions easier by consolidating data from multiple Microsoft portals into a single dashboard. You can customize the playbook however you like and get a centralized view of the various components.
The Threat Explorer feature helps us understand emerging threats in real-time and take steps to safeguard our environment. 365 Defender saves us money because it's a bundle. If you purchased each of these solutions as a standalone product, it would cost you more than $60 per user per month, but you get them for $12 a month in a package.
365 improved our detection and response times because we catch issues earlier in the chain of events. All the components of 365 Defender work together to provide instant detection.
What is most valuable?
The most valuable feature depends on the scenario. For compliance, I like Microsoft Purview Information Protection and Data Loss Prevention. Sentinel is the most helpful feature for security. 365 Defender helps us prioritize threats across an enterprise. It's a crucial feature for the managed services team.
I also have Defender for Cloud Apps and Defender for Office. Integrating other Microsoft solutions with 365 Defender is seamless. Microsoft has better documentation than some other solutions. I also work on AWS, but I feel more comfortable with Azure. There are some limitations with a standalone license, but integrating Microsoft products is a seamless experience that produces insightful analytics.
Sentinel enables us to ingest data from our ecosystem, giving us a complete picture of the entities associated with an incident. Those analytics are pretty helpful. We develop playbooks customized for any executive or developer-based summary. It depends on what we want to show and our creativity.
What needs improvement?
365 Defender has multiple subsets, including Defender for Cloud Apps. When integrating Defender for Cloud Apps with apps on third-party cloud platforms like AWS or GCP, there are limitations on our ability to control user activities. If Microsoft added more control over third-party products, that would be a game-changer and help us quite a lot.
For how long have I used the solution?
I have used 365 Defender for five years.
What do I think about the stability of the solution?
365 Defender is stable.
What do I think about the scalability of the solution?
365 Defender is scalable. It's easy to create and manage groups, set policies, and add users.
How are customer service and support?
I rate 365 Defender support a seven out of ten. When I raise a ticket, I'm usually redirected to a third-party vendor like Convergence. I would prefer it if Microsoft India handled our tickets instead. That would be helpful. The third-party vendor sometimes doesn't have comprehensive knowledge of the product.
How would you rate customer service and support?
Neutral
How was the initial setup?
The deployment varies from client to client. Our implementation strategy is based on the client's business requirements and the RFP. You need at least two people to deploy 365 Defender, but you might need more support staff for larger jobs.
It all depends on how a client wants to proceed, but we typically perform an audit before consulting to identify missing components or security controls. For example, if the client requires HIPAA compliance, we must control the data about specific patients. After following up on everything, we recommend the appropriate Microsoft product, and each has a separate timeline.
I'm on the consulting side, so once we are done with the implementation, a managed services team takes over the maintenance on an SLA of one to three years.
What's my experience with pricing, setup cost, and licensing?
The price of 365 Defender is reasonable.
What other advice do I have?
I rate Microsoft 365 Defender a ten out of ten. Microsoft is a one-stop solution, and it has an answer for any problem you're facing. Before implementing 365 Defender, you should be clear about the problem you want to solve. Hiring a consultant can help, but typically, my clients know maybe three out of the five things they should know.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
Microsoft 365 Consultant at a tech services company with 5,001-10,000 employees
The biggest impact is that we need fewer human resources to deal with a bigger attack surface
Pros and Cons
- "There is also one dashboard that shows us the status of many controls at once and the details I can get... It gives a great overview of many areas, such as files, emails, chats, and links. Even with the apps, it gives you a great overview. In one place you can see where you should look into things more deeply..."
- "There should be better information for experts on features in the solution. What I see when reading about features in Microsoft 365 Defender is that it is always general information. If Microsoft could go deeper into details for the experts about how to use the tools, usage of it would be more familiar and it would be easier to use."
What is our primary use case?
Almost every use case is about security layers for messaging in Teams and for email. It is especially used for phishing filters, spam filters, and composite authentication, as well as Zero-day advanced protection, and for protection within already received emails. Clients are also looking for link protection in Teams and in SharePoint.
How has it helped my organization?
The solution has improved the remediation steps we take for each threat. That has been the biggest impact on our organization because we need fewer human resources to deal with a bigger attack surface.
And for routine tasks and alerts on issues of high importance, the automation that the system provides has helped greatly. You can set up customized alerts and categorize trends to see a quick overview. As a result, our security officers can focus on the really important tasks, without noisy alerts. Previously, there was a procedure with a rule that was sending all emails that resulted from the SPF and DMARC controls failing to the phishing mailbox. Our security officers had to review every email and accept or decline. Now, using the automation tools within the Microsoft 365 Defender, they don't need to do that. They can check that the tool is working fine from time to time, but they don't need to do that task on a daily basis. It gives them a lot of time to do more important and creative stuff.
In addition, especially when it comes to Zero-day attacks, the solution's threat intelligence helps prepare you for potential threats before they hit. It identifies, for example, attachments containing something malicious and remediates by blocking additional delivery to other users. For example, an email may only be delivered to three users instead of 100 users. Even if somebody didn't open the email, the Zero-day attack protection has removed the email from their mailbox. This is a great remediation step for protecting that attack surface. Then I can observe how the tool is dealing with the attack instead of trying to figure out how to approach it, what to do, who I should contact, et cetera.
It also saves me time every day. It was taking me really long to review the message headers to identify what happened. It could take an hour or even more if it was a really complicated case. I needed to check the headers, the content, the links, the attachment. Using Microsoft 365 Defender, I can see in Explorer at a glance, or by clicking through one or two tabs, what is happening. It gives me a lot more time to do more interesting work and to close other cases. Instead of an hour, it takes five or 10 minutes now.
It's a lifesaver for me and keeps my clients from being threatened and attacked every day. It's not about the money, it's about the information. Attackers can use information to make money.
I can check the overviews and see trends where somebody wants to use some kind of open gate to gather my information. But the solution does the work on my behalf, so I don't need to observe the environment, traffic, and user behavior. And we don't have to invest a lot of money on repetitive training for users. Training is also good, but I don't need to invest so much money and effort in that process, and that results in savings.
What is most valuable?
For me, the email protection features are the most useful because I focus on that area.
I also really like the integration with the entire Microsoft 365 service because it's not really common to have a tool that is integrated well with Teams, SharePoint, and Exchange.
Another feature I like is that inside Explorer I can perform an investigation to check, for example, if any accounts have been breached or accessed by a malicious actor. I can also check the source of emails from which we are receiving something that was not expected by us, such as
- XML attachments
- meeting invitations with the malicious links
- JavaScript.
And I really like that the tool checks attachments within the hash so that we can investigate who received the malicious file and where.
There is also one dashboard that shows us the status of many controls at once and the details I can get. Sometimes I'm on a call with somebody from the security team who is asking why we received something or how we can better protect our environment. I can even show them the analysis of a particular Excel file and a macro inside that file. That is something I really like. It gives me a lot of information and I can respond very quickly to a particular case.
It gives a great overview of many areas, such as files, emails, chats, and links. Even with the apps, it gives you a great overview. In one place you can see where you should look into things more deeply and get knowledge of the details, instead of browsing the details and looking for something that might be of interest.
And, of course, it helps prioritize threats across the enterprise. The solution identifies threats and categorizes them. I can assess which category is more important for me and react accordingly. This categorization is really important because it gives something like an SLA for each case. You always have limited resources to deal with cases. For example, in one of the companies which I support, over half of the email traffic is filtered by Microsoft 365 Defender's tools as malicious traffic, amounting to about 5,000 emails a day. I can use the tool to see an overall view of the threats, instead of just going through each one, one by one. It gives a great overview and the ability to see trends for a day or a month and I can adjust my focus according to the trends.
With Defender on end-user devices, we have the ability to monitor them without the need to have them connected to the same network. People are working from home and sometimes they are working on their own devices. We can use conditional access policies to ask them to provide the minimum security standards. That gives us a lot of peace of mind when using Microsoft Defender. We can create rules that look for users who are uploading malicious content to Teams, SharePoint, Android, et cetera.
What needs improvement?
There should be better information for experts on features in the solution. What I see when reading about features in Microsoft 365 Defender is that it is always general information.
If Microsoft could go deeper into details for the experts about how to use the tools, usage of it would be more familiar and it would be easier to use. Right now, I need to spend a lot of time using Defender to check the possibilities and how to connect them together to see things better. If I could read a more detailed article about it and see some use cases and how some threats are remediated, that would be great. Maybe I'm not looking deep enough or maybe there is some room for them to improve in this area.
And I would really like to see new features.
For how long have I used the solution?
I'm a Microsoft 365 consultant and have been using Microsoft 365 Defender for about three or four years.
What do I think about the stability of the solution?
It is really stable.
Sometimes, when there is a problem with the Microsoft infrastructure, for example, in India, then it can be hard because it's not just that somebody may have a problem. It's not about only one business unit but all of Europe. But it's not that problematic for us because usually this kind of situation is very limited and the fix is delivered really quickly.
What do I think about the scalability of the solution?
It is a scalable solution. I haven't had any problems with the scalability of Defender.
We have the solution deployed in 38 countries. People are connected to their local networks and they use the updates from Intune and SCCM.
How are customer service and support?
I haven't had any situation in which I had to ask for support for Defender.
But for Microsoft 365, overall, when we contact the exact, dedicated team, it's really good. But before that, when a ticket goes through the first and second lines of support, sometimes it's too repetitive. The first line asks the same things as the second line. I know that it's required because Microsoft is a huge company and it has a lot of customers, so some kind of triage is needed. But when an issue is well-known and there is already a solution or a workaround, the sharing of this knowledge should be better.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I used regular filters on the email server, running on Linux, with some type of anti-exploit solution that checked for threats inside the files. I filtered the DMARC and SPF with regular controls. That was a nightmare and I'm really happy to now use Microsoft 365 Defender.
What's my experience with pricing, setup cost, and licensing?
I don't deal much with the pricing aspect, but the companies I am supporting use an E5 license for Microsoft 365 because they want to include all the features and it's cheaper for them to use E5 than SE3.
Maybe the solution should be cheaper because I have heard that the licensing is pretty expensive. I can imagine why: The knowledge is expensive and the tests and infrastructure are expensive as well.
What other advice do I have?
From time to time there is maintenance in reviewing the rules so that we can focus on how to use it better. But that's not "maintenance" in the standard meaning that you need to check if the processes are working properly. For example, our security department uses phishing attack simulations to check if users are aware of how the tool behaves when we receive a phishing attack and what actions are taken to remediate that attack.
When trying to decide between a best-of-breed strategy versus a single vendor for security, it depends on the approach, resources, and of course, money. You can have a single vendor and extensively use the solution and really invest time and effort into better understanding how it works. Or you can buy a few solutions but understand each of them less, because it's not possible to have deep knowledge of how every solution works. For me, it's better to use only Microsoft 365 Defender instead of having additional security providers. I can then go deeper into the details and ask the vendor to implement a feature that is useful, and that probably will not only be useful for me. We can build it together instead of blaming each other about who should do better work.
My advice is to go deeper into the details to understand how remediation is utilized inside the solution. Notice that Microsoft 365 Defender is using data collected from every tenant that is using the solution, not only mine. If a company's controls have been attacked, the tool can already protect me because I'm not on the first line of fire. It's great to understand this fact and understand the idea behind it and what the benefits are.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
IT Technician Engineer at Nevasa Foundation
Helps improve our visibility, our security posture, and defends against advanced threats
Pros and Cons
- "The ability to isolate and address viruses is the most valuable feature of Microsoft Defender XDR."
- "Just like in any solution, the price can always be cheaper."
What is our primary use case?
Microsoft Defender XDR is our antivirus solution.
How has it helped my organization?
Microsoft Defender XDR provides a unified identity and access management platform.
It does a good job with identity protection.
Including identity and access management within Defender XDR is valuable because it streamlines our organization's security by consolidating multiple tools into one. This eliminates the need to manage and pay for separate solutions and licenses, simplifying our security posture.
Microsoft Defender XDR has improved our visibility, making us more efficient by providing threat details and remediation steps as well as improving our security posture.
It safeguards our organization by preventing advanced threats like ransomware and business email compromise, along with stopping lateral movement within our network that could enable attackers to spread and gain wider access.
It includes the ability to stop attacks and adapt to evolving threats. This is an important feature for us.
We have been enabled to discontinue using Microsoft Sentinel.
Microsoft Defender XDR helps save costs through the licensing for businesses which is around $20 each and helps save time for our security team.
What is most valuable?
The ability to isolate and address viruses is the most valuable feature of Microsoft Defender XDR.
What needs improvement?
Just like in any solution, the price can always be cheaper.
For how long have I used the solution?
I have been using Microsoft Defender XDR for three months.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable. It has been running smoothly for us.
How are customer service and support?
The support has been perfect.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
To consolidate our security tools and avoid additional costs for a separate EDR solution, we leveraged our existing Microsoft Sentinel license to migrate to Microsoft Defender XDR, which already includes EDR capabilities.
How was the initial setup?
Our initial deployment of Defender XDR onto machines was simple. Onboarding a machine involves configuring settings within Intune for our tenant, allowing Defender XDR to communicate and collect data. The entire deployment process took only two hours and required just one person.
What about the implementation team?
The implementation was completed in-house.
What other advice do I have?
I would rate Microsoft Defender XDR ten out of ten.
No maintenance is required.
I recommend Microsoft Defender XDR for small businesses like ours.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Contractor at a tech vendor with 11-50 employees
Provides us with better insight into what's going on across our platform
Pros and Cons
- "It's a great threat intelligence source for us, providing alerts for things it detects on the network and on the machines. We've used it often when there is a potential incident to see what was done on a computer. That works quite nicely because you can see everything that the user has done..."
- "In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things."
What is our primary use case?
We're using it for our email filtering to check incoming emails and URLs. We're also using it for vulnerability management to see the status of our assets that are registered on the system. We also check it to see what kinds of threats and campaigns are currently being launched via emails.
How has it helped my organization?
It provides us with better insight into what's going on across our platform. It has also given us a very easy way to respond when threats or alerts come through. And when looking for someone in particular, it helps with that. It hugely improved our insight into what's going on inside the company's premises and environments.
365 Defender also helps find high-value alerts, but we haven't used it for complete automation. It has some automation features where it can try to block or quarantine things, but beyond the default automation configuration, we haven't explored deeper into using automation. The default settings work well.
And while we've always used one or two dashboards, this system has made it easier to have a quick overview on a single platform.
In addition, the threat intelligence helps prepare you for potential threats, to a certain limit, because it gives you insights into where your shortcomings are, your vulnerabilities. It also gives you some security recommendations to make improvements.
And the solution has decreased our time to respond because on high alerts you can get a quick response. The system will notify you very quickly if it detects something at a certain threat level or a custom threat level that you set.
What is most valuable?
Microsoft 365 Defender has a very great interface to help protect registered devices when it comes to web protection, which is very handy.
We also use the alert systems often. It's a great threat intelligence source for us, providing alerts for things it detects on the network and on the machines. We've used it often when there is a potential incident to see what was done on a computer. That works quite nicely because you can see everything that the user has done, including websites accessed, et cetera. And if something was on the machine, we can see what it was trying to do.
I use the alert system on a daily basis. It gives you a very good analysis of where something was found, which employee or which device. And it often gives you a good history on that. The alerts help me to monitor and check what is going on. That's a very valuable system to have.
We've also tried the attack simulation, which sends out phishing emails internally as a test to see how the users respond. We get feedback and use the training simulation as a result. We've only done that once, and it's something we want to work on a little more.
In addition, we're using the assets on the system as well as the inventory functionality. It checks all the machines to see what software is installed on them.
We've used a lot of the features on the cloud, although not everything to its full potential, but we've used 70 to 80 percent of all the features on the cloud.
What needs improvement?
In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things.
The information it provides is great, but for a newcomer, it is quite tedious and takes a long time to load. Here in South Africa, when you click, oftentimes you have to wait quite some time before you get to the next page. It's not necessarily internet-related. I think it's just that the service is a bit slow.
Also, while the solution does help to prioritize threats, unfortunately, it doesn't do so for the entire environment. The reason is that it only supports full integration from Windows 10 and up. It provides you certain information from your server environment, but when you start going with legacy services, it is a bit lacking.
Another issue that is sometimes a headache is that they constantly make changes. Things will be merged, they will get different names, or be moved around. Things will be added and other things go somewhere else. They do a lot of development to make the product better, but it's very frustrating having to search for stuff after they've moved it, because you don't always know that they have moved things. They might have little banners, but if you're just working and don't read them, you don't know where things have gone.
I would also really like to see better integration with the server platforms for managing your server environment. That's something it currently doesn't do. For all the server environments, you either need to make use of group policies or SCCM to manage that independently. It can provide you information on the system, but it doesn't have control over your server line.
Also, I make use of 365 Defender on a business level and on a personal level. On the personal level, there is a lot less functionality. Something that would be very nice is that, for the level you are on, you would only see the product you are subscribed to. For instance, if you log on via the business, you have all your action areas, anything you can do and see, on the left. Because you're using it at a corporate level, you can see and do everything. On the personal level, or in a small business where you're only using some of the features, you still have all the same options, but when you click on them, it tells you that you need to upgrade or subscribe. They should only show you what you have access to, and not all the tabs and then say, "You need to subscribe to get access to this." It just clutters the whole area.
For how long have I used the solution?
We have been using Microsoft 365 Defender for about two years.
What do I think about the stability of the solution?
Overall, it has 95 percent stability. We don't have any issues with it. It works well. Microsoft does provide frequent information when there are issues or delays. But the stability is very good.
What do I think about the scalability of the solution?
We're still learning a lot about its capabilities. It's more capable than what we use it for. That is due to a restriction on our resources and availability to get to know the system even better.
How are customer service and support?
We have contacted Microsoft tech support multiple times. They are quick to respond to the original request. Sometimes I have been quite surprised because they have replied within 15 minutes. Some of the questions we had were resolved quickly, on the order of 60 minutes. I had one that took almost two years to get resolved. But in general, they are quick to respond. Their support is very good and quick.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before 365 Defender, we made use of Avast as our antivirus, which had its own web console. For malware protection, we used an on-prem Cisco IronPort system that was scanning all our emails. And most of our SIEM logging information was done manually. We had much less insight into what was going on in the company.
What about the implementation team?
Because it was a new solution for us, we had a company that works with Microsoft assist us, to make sure that all the configurations were standard. But since then, we've maintained most of it ourselves. On our side there were no more than five people involved.
What was our ROI?
It's a very expensive product, but for any threat it has definitely stopped or protected us from, in that sense, it has saved money and time, by preventing things that could have happened. But is it affordable? No, it's expensive.
What's my experience with pricing, setup cost, and licensing?
If you look at everything that the solution entails, and the big cost to companies, especially medium-sized companies, one would like to have a bit of a price decrease due to economic circumstances. The functionality is fantastic, but for medium and small-sized companies it's overpriced. It would be better if it were a little bit cheaper.
Which other solutions did I evaluate?
We did look at other solutions. In the end, we decided on 365 Defender because it was all integrated. It worked to our advantage because all the products that we needed were already on the machines. All the products that you get from the Defender area are part of the built-in Windows 10 features. It gave us a better way of controlling and managing things. Overall, it made more sense to have one central place to manage and control and be alerted.
What other advice do I have?
My advice is don't be frightened when you start getting into the solution. If you are not used to the environment, it is a mouthful, and it can really scare your socks off. There's just so much to it that you won't really know where to start.
The best thing I can recommend to anybody who is starting is to get somebody who knows the system to give you a walkthrough. Also, look at the tutorials to see what the functionalities are. It will be beneficial for any person to get a good overview of what's going on in 365 Defender, the capabilities and how it looks. But getting in contact with somebody who has some experience already in using it will help you to ask where to find things. "Where do I go from here? Show me how you're set up, so I can at least see some of the functionalities."
My very first impression of 365 Defender was that I was looking for something, but I didn't even know where to start. It was too overwhelming. As I spoke to other people who knew about the system, they gave me an overview and that made it easier for me to understand and to know where to go.
365 Defender is our main deployment, but we've got the endpoints also connected on Intune. They work together to deliver coordinated detection and response in our environment. Our complete suite is pretty much all Microsoft. Our environment is a 50/50 hybrid. We use Intune for certain policy changes and some of the deployments. But because our environment has a lot of legacy systems, we make use of the normal, on-prem deployment services as well.
Sentinel is linked to our on-premises Active Directory. It helps identify things that are happening on-prem. For example, when a user's account instance gets locked out, it will show you, on Defender, from which local machine it was locked out. Or if certain things are accessed, it will show that information on the on-prem Active Directory. It works well. For investigating and responding to threats, it definitely helps by dumping the information in a centralized location with the alerts to identify a bit more flow pattern. If something happens that's not on the cloud area, but it's on-prem, it helps track and identify movement. The information from Sentinel is an added bonus.
Overall, Defender 365 has saved us time, compared to the old ways of doing things, but at the same time, I wish the site was faster. Sometimes it can be very slow.
Best-of-breed solutions versus a single vendor's suite comes down to personal experience. With best-of-breed, at least you know that they have been tested in the industry and have a lot of history behind them. Also, the redundancy would be a lot better. Going with a single vendor sometimes makes it a little bit difficult, especially if they are only focusing on one area. It's a difficult question. It might come down to the way someone was "brought up" in the security industry or the way that they trust these companies.
I give Microsoft 365 Defender a nine out of 10. Once you get to know the system, it's really awesome. It provides a lot of insights.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
Security Analyst at a recruiting/HR firm with 1,001-5,000 employees
Proactively stops attacks and is useful in the area of threat-hunting
Pros and Cons
- "In our company, we have faced multiple attacks over the last few months, but none of them have been successful, and I think Microsoft Defender XDR has played a major role in it."
- "I do think that maybe having a feature within my organization where there are three different domains within which we have to operate would be helpful, as there is currently no unified view within the domains."
What is our primary use case?
I am a purple teamer in my current job, so I also work with detection response in my organization. My job is to configure alerts and monitor incidents, and to do that, my company uses Microsoft Defender XDR. My company has endpoint detection tools for all the endpoints in the organization, and through Microsoft Defender XDR, we are able to get a top-down view of all the incidents on a daily basis and then actually be able to even customize what kind of alerts we want to look for and what kind of attacks are happening. One of the things that I personally love about the tool is the attack story that it provides. Every time there is a specific incident, it creates a graph and maps it to the MITRE ATT&CK framework, so it could be initial access, or you may have malicious activity within the network. The tool can track all of the aforementioned areas, and it gives a confidence level. For example, if it is a high-confidence, high-risk alert, then the tool would probably quarantine that particular endpoint on its own, and then an investigator goes on there and actually verifies it. In my experience in the last six months, the false positive rates have been close to zero. Every time there is a case of high confidence alert, there has never been a case where it was not a malicious activity, and it is something I love about the product.
What is most valuable?
In terms of the most valuable feature of the product, I think it stems from the way it classifies incidents, as it is the most important area in my field of work. Another valuable feature of the tool is threat hunting. For example, there could be a chain of phishing emails that are being sent to our organization, and it may come up as an alert. Then, I know that I can use the artifacts, after which it gives a list of artifacts, which could be email addresses or IP addresses, to identify the threat actors. I can then go ahead and hunt for them across all endpoints within the network, making it essentially something similar to an SQL query that I can run based on what I am looking for. I get more leads in terms of which other mailboxes this particular phishing attack might have gone to where the user may not have interacted with it. The tool allows us to be more proactive in terms of getting close to the initial compromise. I think the threat-hunting feature is coupled with the alerts that my company has configured, and it allows us to proactively stop attacks, which is probably the most important thing for us.
What needs improvement?
I think that the tool can do a lot of things in a pretty effective way. A lot of times, one of the things I look at is how the false positive rates are, and so far, I see that they have been close to zero. Honestly, I don't think there is a lot in the area of false positives where the tool could improve. I do think that maybe having a feature within my organization where there are three different domains within which we have to operate would be helpful, as there is currently no unified view within the domains. Within a specific Active Directory, you can have Microsoft Defender XDR running, and so everything, including all the endpoints in that domain, are areas you are able to look at from one particular user interface, but there is no feature in which you can merge two different domains. For example, if there are xyz.com and abc.com, all of the endpoints within each of the domains, our company will have a separate UI from Microsoft Defender XDR, and because of it, we have to monitor three different UIs at each point in time. There is also a lot of automation that I have put in place, so every time there is a high-risk alert, our company gets an email in our InfoSec mailbox essentially. I think having a feature where you can merge everything onto a single dashboard would be something from which my company would definitely benefit because it's just a lot of sifting through different user interfaces and then collating data from it. In our company, we should just make sure that we are able to respond immediately, especially whenever there is a security issue within the organization.
For how long have I used the solution?
I have been using Microsoft Defender XDR for six months. My company is a customer of the product.
What do I think about the stability of the solution?
I have been in the company for six months, and I think there has only been one time where I remember there was a bit of a slowdown which was associated with the antivirus server and it was not related to Microsoft Defender XDR. Considering the aforementioned issue, my company had to raise a ticket for support, but it has only happened once.
What do I think about the scalability of the solution?
So far, the scalability offered by the product has been fine because it serves as an internal tool managing essentially all of the endpoints within the network, which essentially includes all of the employees, servers, access points, and all of that. In the last six months, my company has not really scaled up the use of the tool that much, and so the numbers have been constant, more or less. If my company ever plans to double up in size in a short period of time, it will probably be the time when the tool's scalability will be tested. I don't think I have the data points right now to answer questions related to the tool's scalability feature.
How are customer service and support?
I have contacted the product's support team. I feel that Microsoft offers a very good support team, as they are usually well-equipped, and the support team members are currently the ones who set up the tool from scratch. The support team has complete visibility of the environment. Every time there is an issue, it gets resolved within 30 to 45 minutes, sometimes more if it is a bit complicated. For example, if the server is slowing down for some reason, the support team is able to sort it out pretty quickly. I think my experience with the tool's support team has been pretty good. I rate the technical support a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before Microsoft Defender XDR, I used some other solutions of the past. In one of my previous organizations, we used to use an SIEM solution like Splunk. The company had a lot of open-source tools, so we used Microsoft Defender XDR and ELK stack to generate alerts from a network monitoring point of view. The company also had Snort rules running on the same endpoint, which was like a blue team device for monitoring the network, and we also had a Splunk Universal Forwarder on the endpoint that was connected to Splunk's server, which was useful for visualization. Splunk was not an XDR tool; it was more about monitoring alerts that we had configured within the organization, customizing them, and making sure that we were able to catch threats based on signatures. There was less automation in the sense of how you can react to an incident. For example, in Microsoft Defender XDR, the moment there is a high-risk and high-confidence alert, it quarantines the endpoint or that particular mailbox and sends an alert to our company, and in such a manner, it stops the attacks, and also lets the investigators know that it is not a false positive, which is something I was missing in a SIEM solution that I used in the past. Alerts were being generated from Snort, and the company where I used to work had an ELK stack running, so we configured the alerts on it. The company also had a Splunk Universal Forwarder that would forward the alerts to a Splunk interface, and it is where we used to visualize all the alerts. In general, it was a combination of different tools that allowed my previous company to have the aforementioned process in place.
How was the initial setup?
The solution is deployed on the cloud model, and our company has opted for the cloud services offered by Azure. In our company, we have Microsoft Access Control Service in place, so everything is controlled through Azure. If there are new members in the team, we give them read-only access to XDR through Azure, so it helps manage the identity and access, and then you can access Microsoft Defender XDR's portal. Our organization also creates specific IDs for every investigator to access Microsoft Defender XDR.
What's my experience with pricing, setup cost, and licensing?
I don't think I can speak much about the pricing model of the product because it is not something I work with, and so I don't know the amount of money being burned by the company for the solution, making it an area beyond my visibility. With the little idea I have about the costs, I can say that XDR tools tend to be a bit expensive. If you are using Microsoft Defender XDR, then you need to go for a subscription-based pricing model. In my organization, which is a relatively large company with close to 3,000 employees, the solution works out well for us. For example, if I had a startup, it probably wouldn't be cost-effective to have an XDR solution in place, and that is where I would probably look at more open-source tools to work with and maybe have a SIEM solution which was a startup, a reason why we had to rely on open source tools. My previous organization also had opted for a subscription to use Splunk, which was expensive, but it was better than getting an XDR tool.
What other advice do I have?
Speaking of whether I started to see the benefits of the product immediately after its deployment or if I had to wait for some time, I would say that Microsoft Defender XDR has been in place from the time I joined my current organization. I immediately saw the benefits of using the product. I wasn't present in the organization at a time when they had moved initially to Microsoft Defender XDR, so I can't speak about the time point during which others in the company saw the benefits or effects of the use of the solution. I think the tool has been very efficient because I have worked in other organizations where they were not using Microsoft Defender XDR, as they preferred SIEM solutions. I have seen that in scenarios where SIEM-based tools were used, it was more of the investigator who had to figure out what was happening because you just had a ton of data coming in from the bottom up. In my previous companies, we had a Splunk interface through which we could indulge in monitoring. I see a stark contrast between the previous products and Microsoft Defender XDR, and it is because the latter-mentioned tool not only allows you to get that bottom-up view where whatever is happening on an endpoint level, I am able to monitor while also being able to push things from the top to down. For example, if I wanted to quarantine a particular file on a subset of endpoints, I can do that from Microsoft Defender XDR, where I can put it on a block list and mark it to a particular Active Directory group, after which I am able to then block that out. The tool is quite effective from a detection and response point of view.
If I consider whether it is better to have just one solution instead of a combination of tools, I would say that it is always better to have a combination of products. The SIEM solution I had used previously was quite efficient in collecting data and in being able to process large amounts of data from where we had a lot of endpoints within a particular network, which I think was fast in many ways. Microsoft Defender XDR internally does the same thing as an SIEM solution. If you ask me, it is always best to have an SIEM solution integrated with an XDR tool because most SIEM products are very good at handling large amounts of alerts, and if you have configured it properly, then you can have a very precise view of what is happening at any given point in time within the network, and once you have it, you can have that database forwarded to XDR that can push down. The XDR tools are very good at classifying events. If you have actions in place as to what needs to be done, then, for example, if an email is marked under the phishing category, you would want to get rid of it from the inbox first. Ideally, it shouldn't even land in the inbox, but if it does, then you want to quarantine it. Pushing a certain action down to the affected devices, I think XDR tools do it brilliantly. I think it is always good to have a match between a SIEM tool and an XDR product or a customization between different tools to help achieve your goals.
The product does require maintenance. With the cloud instances that host the server, our company continuously monitors the health, as we have health checks in place that generate alerts in case something goes wrong, a major reason why we use Microsoft Defender XDR. My company also has Kaspersky's antivirus server, which is essentially hosted on a different server. Sometimes, because of the number of endpoints we have in our company's network, the server does slow down due to resource constraints. It is not my job to maintain the servers in my company, but we have a different team that deals with it. In our company, we do have a couple of instances where the servers are internally managed.
I think Microsoft Defender XDR is one of the best detection and response tools I have worked with as it is quite effective in flagging serious threats for the organization. In our company, we have faced multiple attacks over the last few months, but none of them have been successful, and I think Microsoft Defender XDR has played a major role in it.
Firstly, potential users of the solution should consider that the tool comes with a lot of already customized alerts for any Active Directory environment, but it is always good to understand, especially if you are a new user of the tool. Even if someone is new in the security team, I think it is that person's job to analyze the business, the kind of attacks you could expect coming in, and the kind of visibility that the organization provides on the internet. Once a person gets a good idea about the aforementioned areas, you need to customize alerts and create custom alerts for your organization because that is an area that is going to be unique and different for each and every company, so it won't ever be the same. Microsoft Defender XDR certainly helps with mapping the seven steps of the cyber kill chain, and if the product sticks to it and looks at every single step, lists down the kind of threats, and then customizes the alerts according to that, I believe the users will have a successful time in being able to detect threats before they happen or even while they are happening.
I rate the overall tool a ten out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jun 10, 2024
It helps us deal with unknown threats by creating custom policies
Pros and Cons
- "I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications."
- "The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender, it would be helpful to use a different format so we can customize the platform."
What is our primary use case?
We use 365 Defender to manage organization-level devices and vendor security compliance. We are a retail-focused organization that offers cloud services through Azure, GCP, and AWS, but we manage all the security through 365 Defender. Some of our users are based in other countries, and everything is centralized. We operate in multiple regions.
How has it helped my organization?
We can easily track any other malicious activities or additional applications that will prevent it. We can get it here. It will be a helpful tool once we create policies for DLP and third-party programs.
365 Defender stops the lateral movement of advanced attacks. It prevents something that happens on the device level from affecting us on the organization level. The solution enables us to track all the details, like the IPs and the device types.
365 Defender helps us deal with unknown threats by creating custom policies, which enable us to block access by specific unknown sources and unsafe links. 365 Defender has multi-tenant capabilities, and we have multiple tenants, but I'm only involved in the retail part, so I don't have authority over other tenants.
We were able to discontinue some of our other security products when we implemented 365 Defender, but there are some exceptions. We can use non-Microsoft solutions when the customer requires it. Mostly, we use cloud solutions. We've saved some costs on the security side at the organizational level by reducing equipment costs. Using 365 Defender's automation capabilities, we can cut our vulnerability management time by about 40-50 percent.
What is most valuable?
I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications.
What needs improvement?
The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender, it would be helpful to use a different format so we can customize the platform.
For how long have I used the solution?
I have used 365 Defender for more than two years.
What do I think about the stability of the solution?
365 Defender can have some performance issues during enrollment. It can take a while at times, but sometimes it's duplicated immediately. That's an issue with some other cloud-based programs like Intune and Azure products.
How are customer service and support?
I rate Microsoft 365 Defender support nine out of 10. Their support representatives provide solutions based on priorities. They prefer to follow the proper SLA part.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment is quick, straightforward, and involves only two people.
What's my experience with pricing, setup cost, and licensing?
Sometimes 365 Defender is expensive, but it can be moderate, depending on the organization's size and the license type. We're satisfied with the cost because it gives us a product that protects our entire environment with DLP. To compromise some cost, of course, we are to complete the most secure environment.
What other advice do I have?
I rate 365 Defender nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner

Updated: February 2025