Microsoft Defender XDR Reviews

It has helped us identify a lot of loopholes within our environment and mitigate risk. It has improved user experience as well.

The visibility into threats provided by the solution is amazing. If you have Sentinel, you can integrate it with Microsoft 365 Defender. You can then access all of the logs at once with a code. You would be able to quickly analyze and react to any threat.

We are able to prioritize threats with this solution. Depending on the type of license you have, you will be able to access different capabilities. We place very high importance on prioritizing threats because the easiest way to get attacked is through the user or the endpoint. You must have multiple layers of security.

We use several Microsoft security products such as Sentinel, Defender for Office 365, and Microsoft Defender for Cloud Apps (Cloud App Security). Microsoft has the highest form of integration, so these solutions integrate in a straightforward manner. Once Microsoft Defender for Cloud Apps is unlocked, you can connect to third-party applications as well.

These solutions work natively together to deliver coordinated detection and response. The threat protection that these Microsoft security products provide is comprehensive and very effective.

We use Microsoft Defender for Cloud and make use of its bi-directional sync capabilities. It gives us access to reports and makes reporting much easier as well.

Microsoft Sentinel enables us to ingest data from our entire system. Data ingestion is very important to our security operations because it makes it easy for us to know if there are any vulnerabilities or threats. It flags it, and we can analyze it and also create a query, which brings to light threats. We can then mitigate the threat or attack breach on the device.

Sentinel enables us to investigate threats and respond holistically from one place. It makes life easier for us and helps us not to be caught unaware. There are many forms of alerts that notify you immediately of any threats. You can set up automations, which might even fix the issue or mitigate the issue immediately without the need for intervention. That is, you can create a rule to automatically fix a particular problem.

Sentinel captures a lot of logs, and you'll be able to create action plans through the application to directly handle particular threats. The integration has been done already, so automatically it will send a signal to the environment or to the solution you have integrated with to carry out a particular action.

The cost of Sentinel is on the higher side compared to that of other standalone solutions.

We can automate routine tasks and write scripts to carry out difficult tasks, which makes things easier for us.

This solution has helped us to save 60% to 70% of our time.

Microsoft 365 Defender provides one XDR dashboard, so we don't have to look at multiple dashboards. In the Import Center, all you need to do is to select the solutions that you want, and it will give you multiple options on different categories and different data. It's amazing and straightforward, and you won't need to open other tabs.

We have been able to prepare for potential threats before they hit and take corrective steps. We can immediately identify users or systems that have viruses or malware. We can also find scripts that have errors underneath them. We can discover each element from the history and delete it. It covers a lot of aspects, and the integration with Sentinel helps as well.

Because there's someone actually monitoring everything, when there is a threat or any form of abnormality, all they would need to do is to create a rule or a query to create a particular section and add the action that needs to be carried out. It's easy to get to reports as well. Overall, the solution has decreased our time to detection and our time to respond by 60% to 70%.

Microsoft tends to provide too many features, which makes the solution prone to bugs.

Also, 365 Defender needs to be more flexible during deployment. When it comes to causal admittance, at times it seems slow.

We have been using this solution for about three years.

The stability is okay. Microsoft has evolved a lot, so they tend to make sure that the solution is up to date and up to par with best practices in the environment. They add new features as well.

It's very scalable.

The level of support you get depends on the knowledge of the engineer who has picked up your ticket. I'd rate technical support at seven out of ten.

Neutral

The initial deployment is straightforward as long as you meet the prerequisites. 
It doesn't really take a lot of time to deploy. All you need to do is to set up the policy, then assign the license to the users. Microsoft handles the maintenance of the solution.

Defender Plan 1 is tenant-wise, and Defender Plan 2 is per-user, which makes it more expensive. To have certain features, you would need to purchase the E5 license. For all of the capabilities that the tool provides, the price, though it can be high, is fair. 

I don't think having a single vendor's security suite is the best because once the threat actors are in through the surface, it's easy for them to penetrate. This is because they'll know all the cracks in that particular product. However, if you have another vendor protecting you as well with a different signature database that is separate, then the attackers have multiple walls that need to be cracked.

An average-sized organization can go for the Business Premium plan. Larger organizations can go with E5, which comes with the full functionalities of Microsoft 365 Defender. Overall, I'd give this solution a seven out of ten.

I am the head of IT of the police force in the Madrid municipality. I have deployed the product to all 6,000 policemen and police women here and we are trying to protect all our devices with it.

It has helped eliminate having to look at multiple dashboards. This is a part of the benefit of the integration. It's quite helpful to receive information and data that is correlated with other information, in the form of a graph or chart. It's a good added value. We are provided with consolidated information, which is very valuable for making decisions and moving forward in improving our devices and our security.

It's very well known by all our technicians and it has helped to decrease the time to detection and response.

And while I can't demonstrate it with metrics, my intuition is that we have saved money. Because we are a very large organization, we have very large needs in IT systems. Perhaps the best thing we did, years before, was to have everything, all applications and the operating system, come from Microsoft. Perhaps that means potential money savings.

The most valuable feature of all is the full integration with the rest of the software in the operating system and Office 365, as well as Microsoft SCCM. It is quite easy for us to work with the whole instance of Microsoft products. This integration improves the benefits of the whole suite of products. Even the desktop devices seem more productive by having all these products integrated. That's the best advantage.

I'd like to see a wider solution that includes not only desktop devices but also other devices, such as servers, storage cabinets, switching equipment, et cetera. That is where they should put in more effort. I don't have a global risk solution coming from Microsoft, one that could help me in all these different IT areas.

I have been using Microsoft 365 Defender for about two years.

I would rate its stability at seven or eight out of 10. It's quite good. Up until today, we haven't had any big problems with the solution. I'm quite comfortable with it.

The solution is deployed to more than 25,000 in the municipality, but my responsibility is only over 6,000 people in the police corps.

Microsoft provides quite good support across their different areas of activity. The people attending to your requests are quite professional. They take care of your requests and respond to your needs. They try to help you. The documentation is not the best in the world, but it's quite sufficient for our needs.

Positive

Years ago we had solutions from other companies, such as Trend Micro for the desktop devices, and Trend Micro and Sophos for servers.

We used to work in different ways. Some people were in the office with desktop devices, but most of our people work outside with mobile devices. The latter group is at much more risk and we wanted to protect all these devices from potential damage and risks.

The switch was a company decision made by higher management within the municipality. We started to work with Microsoft Office 365 years ago, and then a decision came down imposing the use of Microsoft 365. I feel comfortable with the decision, but I know inside our organization that we've had plenty of problems deploying all facilities given by M365.

I'm not aware of having more or fewer problems with this product than the ones we had before, when it comes to deployment or interfaces. It's quite standard and the deployment was quite easy, but it was equally easy to deploy all the products years ago.

It has been easy to integrate with the rest of our devices and software. In addition, there was no impact on the user experience. The solution is transparent. The users may not even know of the existence of this product. There was no problem deploying and starting to use Microsoft 365 Defender. We have some other products, beyond the desktop level, that work in a coordinated way Defender.

The deployment took a few months, but we needed at least a year to stabilize our organization. The first days were awful because people couldn't understand the change in mentality required to work with this paradigm of software. During the first year, we had to cope with plenty of incidents and problems. Having passed the one-year mark since we deployed, we have started to see some of the benefits.

I generally use an "onion" deployment methodology. I start deploying new solutions in desktops that are quite close to my area of activity in the IT department. We implement, let's say, 50 to 100 desktops per day and we wait for a week to see if everything is okay and whether there are incidents. Once we are assured everything is fine, we implement by regional police units in different locations.

We had 10 to 12 operations technicians involved in the deployment.

Every software solution requires maintenance. In this case, there isn't a lot of maintenance. We have to keep an eye on the status of the solution every day. That process involves two or three people.

As most software companies have done during the last few years, they have moved from a licensing model to pay-per-use. It was difficult to understand and accept this change. When we had to accept that model, it had a great risk for companies like ours that always have to cope with annual budgets. The question is: What happens if, for any reason, there's not enough budget to accept this model? That could be a great problem.

There was a possibility of continuing with the solutions we had been working with.

But we cannot compare them because the other solutions were built eight years ago. Technology has changed so much.

Fortunately, we haven't had the chance to see if the solution's threat intelligence helps prepare us for potential threats before they hit. But I'm quite sure that it's working together with other tools to help us to stop potential breaches and risks.

Give this product a chance. Is it the best in the market? I don't know. Is it the worst? I don't know. But what is quite good is the integration with the rest of Microsoft's software products. That's the added value.

Try it, prove it, and see how it integrates. It depends on the situation. If a colleague is using Linux in their data center and desktops, of course, I wouldn't recommend this solution. But here in Spain, most companies have Microsoft products.

We manage around 5,000 computers inside and outside our company. I use Defender to work on our security score by deploying security policies. We apply all the security recommendations to our computers and patch all third-party applications. We check every day for malware to alert our security teams.

Seven months ago, our security score was 50 score and it's now 84. We applied all the security policy recommendations coming from the solution and we became aware of the vulnerabilities and fixed them all, one by one.

We can also automate some tasks and that reduces daily work. And if we get an alert, and we know it is not a false positive, we automate things so that we don't get that alert again.

And if we find malware or a threat, we transfer it to level-one technical support to check and, after that, to the security team. But a lot of times, it catches malware and takes action to block it automatically.

Defender has also saved us money, about 30 or 40 percent. When we had Symantec, we suffered one attack against our company and we lost a lot of data and a lot of servers, and that was a lot of money. Since switching, Defender has been perfect, catching all malware and taking action automatically.

It has also decreased the time it takes me to check everything. I now spend only one or two hours a day monitoring things.

I like that it's fully integrated with Windows, Microsoft 365 Exchange Online, and Outlook. It is better than other antivirus solutions because it's fully integrated with all Microsoft products. It's easy to integrate them and onboard all Windows devices from SCCM. That is really amazing. Everything is clear in Defender. It's not difficult.

Also, everything for security is in one dashboard. It's great. It's not only for Defender but email and everything else. it makes things very easy. I can check everything at once.

The dashboard should be easier to use. There is also improvement needed in the reporting when it comes to exporting or scheduling reports.

I have three years of experience with Microsoft 365 Defender.

It is very stable.

It is also scalable.

On-prem, we have around 300 servers, a mix of Linux and Windows. We also have around 5,000 clients, all using Windows 10 and 11. We have a plan to migrate all on-prem servers to Azure. In the next six months we are looking to migrate 90 percent of them to the cloud. 

I like their support sometimes.

Neutral

We used Symantec for antivirus and security and we migrated all users from Symantec to Microsoft 365 Defender. It's easier to use than Symantec or McAfee and we can use it anywhere because it's a cloud solution. Also, with Symantec, we suffered an attack and it did not do anything. In addition, we already had an E5 license with security so we decided to use this license more fully.

I onboarded it to all machines using the configuration in SCCM. It was very easy. It didn't take much time.

We checked McAfee but we went with Microsoft because it has improved its product very quickly. Microsoft Defender of five years ago is not like it is now. Five years ago it was nothing, but Microsoft has improved it very quickly.

It works with Microsoft Sentinel and integrates well with that, but we do not use Sentinel in our company.

I am a purple teamer in my current job, so I also work with detection response in my organization. My job is to configure alerts and monitor incidents, and to do that, my company uses Microsoft Defender XDR. My company has endpoint detection tools for all the endpoints in the organization, and through Microsoft Defender XDR, we are able to get a top-down view of all the incidents on a daily basis and then actually be able to even customize what kind of alerts we want to look for and what kind of attacks are happening. One of the things that I personally love about the tool is the attack story that it provides. Every time there is a specific incident, it creates a graph and maps it to Mitre Att&ck Framework, so it could be initial access, or you may have malicious activity within the network. The tool can track all of the aforementioned areas, and it gives a confidence level. For example, if it is a high-confidence, high-risk alert, then the tool would probably quarantine that particular endpoint on its own, and then an investigator goes on there and actually verifies it. In my experience in the last six months, the false positive rates have been close to zero. Every time there is a case of high confidence alert, there has never been a case where it was not a malicious activity, and it is something I love about the product.

In terms of the most valuable feature of the product, I think it stems from the way it classifies incidents, as it is the most important area in my field of work. Another valuable feature of the tool is threat hunting. For example, there could be a chain of phishing emails that are being sent to our organization, and it may come up as an alert. Then, I know that I can use the artifacts, after which it gives a list of artifacts, which could be email addresses or IP addresses, to identify the threat actors. I can then go ahead and hunt for them across all endpoints within the network, making it essentially something similar to an SQL query that I can run based on what I am looking for. I get more leads in terms of which other mailboxes this particular phishing attack might have gone to where the user may not have interacted with it. The tool allows us to be more proactive in terms of getting close to the initial compromise. I think the threat-hunting feature is coupled with the alerts that my company has configured, and it allows us to proactively stop attacks, which is probably the most important thing for us.

I think that the tool can do a lot of things in a pretty effective way. A lot of times, one of the things I look at is how the false positive rates are, and so far, I see that they have been close to zero. Honestly, I don't think there is a lot in the area of false positives where the tool could improve. I do think that maybe having a feature within my organization where there are three different domains within which we have to operate would be helpful, as there is currently no unified view within the domains. Within a specific Active Directory, you can have Microsoft Defender XDR running, and so everything, including all the endpoints in that domain, are areas you are able to look at from one particular user interface, but there is no feature in which you can merge two different domains. For example, if there are xyz.com and abc.com, all of the endpoints within each of the domains, our company will have a separate UI from Microsoft Defender XDR, and because of it, we have to monitor three different UIs at each point in time. There is also a lot of automation that I have put in place, so every time there is a high-risk alert, our company gets an email in our InfoSec mailbox essentially. I think having a feature where you can merge everything onto a single dashboard would be something from which my company would definitely benefit because it's just a lot of sifting through different user interfaces and then collating data from it. In our company, we should just make sure that we are able to respond immediately, especially whenever there is a security issue within the organization.

I have been using Microsoft Defender XDR for six months. My company is a customer of the product.

I have been in the company for six months, and I think there has only been one time where I remember there was a bit of a slowdown which was associated with the antivirus server and it was not related to Microsoft Defender XDR. Considering the aforementioned issue, my company had to raise a ticket for support, but it has only happened once.

So far, the scalability offered by the product has been fine because it serves as an internal tool managing essentially all of the endpoints within the network, which essentially includes all of the employees, servers, access points, and all of that. In the last six months, my company has not really scaled up the use of the tool that much, and so the numbers have been constant, more or less. If my company ever plans to double up in size in a short period of time, it will probably be the time when the tool's scalability will be tested. I don't think I have the data points right now to answer questions related to the tool's scalability feature.

I have contacted the product's support team. I feel that Microsoft offers a very good support team, as they are usually well-equipped, and the support team members are currently the ones who set up the tool from scratch. The support team has complete visibility of the environment. Every time there is an issue, it gets resolved within 30 to 45 minutes, sometimes more if it is a bit complicated. For example, if the server is slowing down for some reason, the support team is able to sort it out pretty quickly. I think my experience with the tool's support team has been pretty good. I rate the technical support a nine out of ten.

Positive

Before Microsoft Defender XDR, I used some other solutions of the past. In one of my previous organizations, we used to use an SIEM solution like Splunk. The company had a lot of open-source tools, so we used Microsoft Defender XDR and ELK stack to generate alerts from a network monitoring point of view. The company also had Snort rules running on the same endpoint, which was like a blue team device for monitoring the network, and we also had a Splunk Universal Forwarder on the endpoint that was connected to Splunk's server, which was useful for visualization. Splunk was not an XDR tool; it was more about monitoring alerts that we had configured within the organization, customizing them, and making sure that we were able to catch threats based on signatures. There was less automation in the sense of how you can react to an incident. For example, in Microsoft Defender XDR, the moment there is a high-risk and high-confidence alert, it quarantines the endpoint or that particular mailbox and sends an alert to our company, and in such a manner, it stops the attacks, and also lets the investigators know that it is not a false positive, which is something I was missing in a SIEM solution that I used in the past. Alerts were being generated from Snort, and the company where I used to work had an ELK stack running, so we configured the alerts on it. The company also had a Splunk Universal Forwarder that would forward the alerts to a Splunk interface, and it is where we used to visualize all the alerts. In general, it was a combination of different tools that allowed my previous company to have the aforementioned process in place.

The solution is deployed on the cloud model, and our company has opted for the cloud services offered by Azure. In our company, we have Microsoft Access Control Service in place, so everything is controlled through Azure. If there are new members in the team, we give them read-only access to XDR through Azure, so it helps manage the identity and access, and then you can access Microsoft Defender XDR's portal. Our organization also creates specific IDs for every investigator to access Microsoft Defender XDR.

I don't think I can speak much about the pricing model of the product because it is not something I work with, and so I don't know the amount of money being burned by the company for the solution, making it an area beyond my visibility. With the little idea I have about the costs, I can say that XDR tools tend to be a bit expensive. If you are using Microsoft Defender XDR, then you need to go for a subscription-based pricing model. In my organization, which is a relatively large company with close to 3,000 employees, the solution works out well for us. For example, if I had a startup, it probably wouldn't be cost-effective to have an XDR solution in place, and that is where I would probably look at more open-source tools to work with and maybe have a SIEM solution which was a startup, a reason why we had to rely on open source tools. My previous organization also had opted for a subscription to use Splunk, which was expensive, but it was better than getting an XDR tool.

Speaking of whether I started to see the benefits of the product immediately after its deployment or if I had to wait for some time, I would say that Microsoft Defender XDR has been in place from the time I joined my current organization. I immediately saw the benefits of using the product. I wasn't present in the organization at a time when they had moved initially to Microsoft Defender XDR, so I can't speak about the time point during which others in the company saw the benefits or effects of the use of the solution. I think the tool has been very efficient because I have worked in other organizations where they were not using Microsoft Defender XDR, as they preferred SIEM solutions. I have seen that in scenarios where SIEM-based tools were used, it was more of the investigator who had to figure out what was happening because you just had a ton of data coming in from the bottom up. In my previous companies, we had a Splunk interface through which we could indulge in monitoring. I see a stark contrast between the previous products and Microsoft Defender XDR, and it is because the latter-mentioned tool not only allows you to get that bottom-up view where whatever is happening on an endpoint level, I am able to monitor while also being able to push things from the top to down. For example, if I wanted to quarantine a particular file on a subset of endpoints, I can do that from Microsoft Defender XDR, where I can put it on a block list and mark it to a particular Active Directory group, after which I am able to then block that out. The tool is quite effective from a detection and response point of view.

If I consider whether it is better to have just one solution instead of a combination of tools, I would say that it is always better to have a combination of products. The SIEM solution I had used previously was quite efficient in collecting data and in being able to process large amounts of data from where we had a lot of endpoints within a particular network, which I think was fast in many ways. Microsoft Defender XDR internally does the same thing as an SIEM solution. If you ask me, it is always best to have an SIEM solution integrated with an XDR tool because most SIEM products are very good at handling large amounts of alerts, and if you have configured it properly, then you can have a very precise view of what is happening at any given point in time within the network, and once you have it, you can have that database forwarded to XDR that can push down. The XDR tools are very good at classifying events. If you have actions in place as to what needs to be done, then, for example, if an email is marked under the phishing category, you would want to get rid of it from the inbox first. Ideally, it shouldn't even land in the inbox, but if it does, then you want to quarantine it. Pushing a certain action down to the affected devices, I think XDR tools do it brilliantly. I think it is always good to have a match between a SIEM tool and an XDR product or a customization between different tools to help achieve your goals.

The product does require maintenance. With the cloud instances that host the server, our company continuously monitors the health, as we have health checks in place that generate alerts in case something goes wrong, a major reason why we use Microsoft Defender XDR. My company also has Kaspersky's antivirus server, which is essentially hosted on a different server. Sometimes, because of the number of endpoints we have in our company's network, the server does slow down due to resource constraints. It is not my job to maintain the servers in my company, but we have a different team that deals with it. In our company, we do have a couple of instances where the servers are internally managed.

I think Microsoft Defender XDR is one of the best detection and response tools I have worked with as it is quite effective in flagging serious threats for the organization. In our company,we have faced multiple attacks over the last few months, but none of them have been successful, and I think Microsoft Defender XDR has played a major role in it.

Firstly, potential users of the solution should consider that the tool comes with a lot of already customized alerts for any Active Directory environment, but it is always good to understand, especially if you are a new user of the tool. Even if someone is new in the security team, I think it is that person's job to analyze the business, the kind of attacks you could expect coming in, and the kind of visibility that the organization provides on the internet. Once a person gets a good idea about the aforementioned areas, you need to customize alerts and create custom alerts for your organization because that is an area that is going to be unique and different for each and every company, so it won't ever be the same. Microsoft Defender XDR certainly helps with mapping the seven steps of the cyber kill chain, and if the product sticks to it and looks at every single step, lists down the kind of threats, and then customizes the alerts according to that, I believe the users will have a successful time in being able to detect threats before they happen or even while they are happening.

I rate the overall tool a ten out of ten.

Extended XDR expands threat protection across endpoints, email, identities, and cloud environments.

Microsoft Defender XDR provides strong identity protection with comprehensive insights into risky user behavior and potential indicators of compromise. It includes capabilities for monitoring Active Directory against attacks and threats, making it a broad and deep solution for identity security.

Improving scalability, especially for very large tenants, could be beneficial for Microsoft Defender XDR. Additionally, enhancing the privilege access management capability would make it a better solution overall.

I have been using Microsoft Defender XDR for about a year and a half.

Microsoft Defender XDR is very stable. I would rate the stability as a 10 out of 10.

I would rate the scalability of the product as a 10 out of 10.

Microsoft's customer support for Defender XDR is generally very good and I would rate it at around an eight out of ten. Larger customers like us, especially those partially owned by Microsoft, tend to receive excellent support. However, smaller organizations may not experience the same level of support.

Positive

Microsoft Defender XDR is typically deployed at the organizational level across multiple locations and departments. Maintenance is required, and the number of people needed depends on the organization's size and complexity. It could range from a large team for a big organization to just a few individuals for smaller ones.

Microsoft Defender XDR is expensive, especially for the full suite functionality. However, when compared to buying multiple-point solutions separately, it may be comparable in price. Overall, it is competitive within the market, but the broad capabilities make direct cost comparisons challenging.

Clients implement this tool to address various security issues efficiently. Microsoft Defender XDR offers a unified solution for a wide range of security needs, including extended detection and response across multiple platforms like Office, endpoints, mobile, and identity.

Microsoft Defender XDR includes some identity and access management features, especially when used alongside Azure Active Directory's privileged access management capabilities.

While primarily focused on Microsoft technologies, Microsoft Defender XDR can integrate with third-party SIEM vendors and covers multiple operating systems, including macOS, iOS, Android, and Windows, through its Defender for Endpoint and Intune capabilities.

Microsoft Defender XDR is designed as an XDR solution, utilizing the Mitre ATT&CK framework to detect and correlate events across various areas of compromise. It can identify and correlate events related to advanced attacks, such as business email compromise and ransomware, affecting security operations by providing insights into the events leading up to such attacks.

When security products like antivirus and vulnerability management software are discontinued in favor of Microsoft Defender XDR and other Microsoft 365 tools, it streamlines operations but may require less manual correlation of security events.

Some organizations might experience a 10-20% cost reduction with Microsoft Defender XDR, but for me, the main goal is to improve detection and response capabilities, not just save money. It is about adapting to the evolving threat landscape rather than focusing solely on cost savings.

Microsoft Defender XDR has saved time for our security team, making our operations more efficient.

For those evaluating Microsoft Defender XDR, my advice is to understand your requirements and map them to the appropriate licensing capabilities. It is not a one-time project but an ongoing process, so plan for continuous improvement of your security posture.

Overall, I would rate Microsoft Defender XDR as an 8 out of 10.

I work at a SOC, and we use Microsoft XDR to provide 24/7 monitoring for our clients. We use it to monitor all types of incidents, including attacks on endpoints and email-related threats. It's integrated with other Microsoft solutions.

I like how Microsoft XDR and the other Microsoft products are integrated into a single unified security stack covering identity access management, endpoint protection, email, cloud applications, etc. The Kubernetes security feature hasn't been released yet, but we're looking forward to that. I'm just focusing on that because it will be a game-changer.

The integrated identity and access management is helpful because sometimes you don't have the information you need inside XDR, so you can go to Entra for more details.

XDR can stop advanced attacks like ransomware and BEC attacks. It also has an AI-assisted automated feature that cuts off access to persistent attacks. This feature disrupts the attack by disabling user access. A person needs to analyze if the response is correct and reject or approve. 

Through integration with Microsoft Lighthouse, we can manage multiple tenants on one screen, and prioritize which areas of the environment to address first. Sometimes, one tenant may be inaccessible to you. It will show an error, but then it will start working again automatically. 

Because of the training model, Defender XDR's automatic response sometimes blocks legitimate users and activities. Also, the UI sometimes responds slowly. 

I've been working with Defender XDR for the last six months.

I rate Defender XDR 8 out of 10 for stability. 

Defender XDR is scalable. 

We had a problem once getting a feature to work correctly after an update. We contacted Microsoft, and it took about 2 or 3 days to resolve.

I previously used QRadar and Splunk

Deployment is easy. It requires some maintenance on the Microsoft side. 

I rate Defender XDR 9 out of 10. I would recommend Defender. It's easier to use than other products I've worked with, such as Splunk and QRadar.

We provide services to medium-sized businesses in the banking and administrative sectors. We are also using Microsoft Sentinel and Defender for 365. 

Defender helps our clients protect against any threats from outside the organization. Defender XDR helps our clients save about 25 percent by offloading some on-prem functions to the cloud. It also saves time because the cloud interface is manageable, and we can investigate incidents quickly. It's easy to create reports and share information with other teams. 

I like Defender XDR's threat detection and prevention capabilities. Defender's built-in identity and access management features are critical. The solution's coverage extends beyond Microsoft software. Defender is easy to use. It has a nice console, and everything is all in one place. 

The console is missing some features that would be helpful for a managed services provider, like device and user management. 

I have used Defender XDR for the last two years. 

I rate Defender XDR nine out of 10. 

I rate Defender XDR eight out of 10 for scalability. 

I rate Microsoft support nine out of 10. 

Positive

Some aspects of the deployment were not straightforward. It was moderately complex. I enabled all the connections and onboarding process, then implemented a basic set of configurations. It took about seven to 10 days to deploy. 

My clients have seen an ROI from using Defender XDR.

Defender XDR is reasonably priced but may be less affordable in certain countries. For example, it might be expensive for some customers in India. 

I rate Defender XDR eight out of 10. I would recommend Defender XDR. It's a fast solution, and it's easy to train people to use Defender. 

My company operates as a service provider, so we use Microsoft Defender XDR in our office to provide our customers with security services.

I won't say that the product helped improve how my organization operates, but there is a need to build trust between the user and the product. Microsoft Defender XDR has been used in my organization since we purchased Windows 10 or 11, after which a user does not need to install any products from Microsoft separately. Some of my company's customers insist they want to install antivirus software separately in their environment due to trust issues.

The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products. Some other vendors of security products provide great features or capabilities of detection, but the best feature of Microsoft is its integration capability.

One important point about the solution that is an area of concern where improvements are required is related to the control center it provides. Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides.

I have been using Microsoft Defender XDR for three years. My company has a partnership with Microsoft. My company is also a reseller of Microsoft products.

As a part of Microsoft's attempt to reduce costs, there has been a direct cut down of the local technical support team. Sometimes, you have to use the technical support offered by Microsoft from other countries, but at times, we speak different languages, just like how people speak in Chinese or Mandarin, but there are still some differences between them. The front-line support from Microsoft has only limited technical abilities or access to their internal system. Sometimes, my company cannot even escalate an issue to Microsoft's senior team members.

The support team of Microsoft is nice as they attempt to solve the problems together with you, but I believe that due to some cost-related issues, they don't have enough permissions. Sometimes, users might feel blocked when trying to connect with the support team.

I rate the technical support a seven out of ten.

Neutral

My company started with Microsoft Defender XDR when we partnered with Microsoft. Some of our company's customers prefer CrowdStrike, Fortinet, and FortiSIEM.

You don't need to indulge in troubleshooting, making the initial setup phase an easy process because you could just use a GPO on your server to deploy everything. When there comes a problem to onboard some specific devices, and you need to indulge in troubleshooting, sometimes Microsoft Defender XDR's team says it is a problem with the devices a user is trying to onboard, and it's really hard for our company as service providers since we cannot always ask customers to reinstall their server.

Microsoft purposely makes its license combinations complex and includes combinations like Microsoft 365 E3 and Microsoft 365 E5, Office 365 E3, Office 365 E5, and Office 365 E1, so you get confused. Microsoft tries to sell you a bundle of a lot of things together. The licensing model of the product should be made more understandable.

There are other good products in the market, and it is difficult to state which one is better since all of them have micro differences in terms of pricing. There may be components like the user interface or maybe some other elements to judge other products, but when it comes to Microsoft, the most important factor stems from the fact that most people use Windows, so it's all integrated.

The product provides unified identity and access management as long as I use all of the products offered by Microsoft.

It is important for me that identity and access management are included within Microsoft Defender XDR because everything is controlled by your identity in the digital world, making it look like a user's government ID in the digital world. My company has tried a lot to talk to and educate our customers since some try not to use a complex password or MFA, which is the most important thing to protect your identity.

Some integration functions in Azure portal allow users to integrate their third-party applications. With the solution, it is not easy to track third-party applications. For transactions recognized by your credentials, it is not easy to track as they would stop, after which we are informed there is a problem. In my organization, we only know how some third-party applications ask to check the credentials, but we don't know what Microsoft Defender XDR does with it, so the product's security doesn't extend beyond just Microsoft technologies.

The product does stop lateral movement and advanced attacks like ransomware or business email compromise. The product blocks a lot of ransomware, which is good. It is considered to be a strict product, so if some of our customers use some local mail service, they have been blocked because Microsoft considers it to be not secure. Microsoft puts a lot of effort into security.

Microsoft Defender XDR's ability to stop attacks covers the product's ability to adapt to evolving threats. It is better to use it as a cloud-based solution that keeps adapting to changes and providing new features.

The product must adapt and evolve to manage threats since there is a new zero-day vulnerability every day, and there is no way to get protection from it. You cannot rely on the users or the admin to upgrade the features daily, so it's better to adopt it automatically with a cloud-based solution like Microsoft Defender XDR.

There were some problems when my organization tried to discontinue other products during the implementation phase of Microsoft Defender XDR since Microsoft tried to integrate all the products in our organization's environment together. If you have used Microsoft Defender XDR, you have to use an antivirus from Microsoft along with Microsoft Identity Platform Endpoint to get the best results. Sometimes, some customers may try to install some third-party antivirus in their environment other than the one provided by Microsoft, which gets blocked. Sometimes, antivirus software from a vendor goes into passive mode. When an antivirus software is in passive mode, some of its advanced features are not usable, causing some problems the user needs to deal with when using it.

The product's ability to save costs depends on how a user looks at a problem while using the solution. I worked as a part of the security team, and we always used to talk to our company's customers. The solution is sometimes like insurance, especially if you want to avoid some bigger problems and you need to spend some money to protect your environment. In some other IT teams or from some other client's point of view, Microsoft Defender XDR costs a lot of money, and they don't see anything. In the security world, no news is good news. You don't want to have to see everything happen and get plenty of alerts trying to prove the product's worth. The product has to control the attack surface so that you won't be attacked that much, or if there are any attacks, it can reduce the impact.

The product definitely saves time for my organization and our company's client teams, especially considering that it is not possible to manually go through the logs every day. The product did help pop up the abnormal activities so that my organization could just review the important things or abnormal activities.

It is hard to say how much time the product saves since it depends on factors like whether you are using some other products or using Microsoft Defender XDR alone. I guess that the product can save over 60 percent of my organization's time. When you use Microsoft Defender XDR in your IT infrastructure, and it works for you, then you just put it in there, and you will come to know when there are some abnormal activities or when you are attacked. With Microsoft Defender XDR, you can get some signs if you are being attacked.

Microsoft Defender XDR is a nice solution and can be combined with other solutions from Microsoft, but they offer limited flexibility. I want the product to be a high surveillance solution for me and not just an information-oriented tool, but nowadays, Microsoft doesn't provide any options to help choose the users' preferences.

I rate the overall product a seven out of ten.