Microsoft Defender XDR Reviews

We offer an MDR service and use Microsoft Defender XDR with Defender for Endpoint, Defender for Cloud Apps, and Defender for Cloud.

Having Microsoft Defender XDR integrated into our ecosystem has helped provide a single pane of glass for identifying, monitoring, and responding to issues across multiple customers.

From an attack chain perspective, Defender XDR handles phishing and spam emails easily, while Defender for Endpoint manages endpoints effectively. We've drastically improved our user experience. Even though we have Check Point in place, without adding complexity, XDR helps manage a significant baseline, enhancing user productivity by reducing signals significantly. The ability to report phishing is more accessible with the add-on features in Outlook.

It would be beneficial to reduce the number of clicks required to navigate between blades, as the current navigation and breadcrumb system can be a bit confusing. Some inconsistencies exist between blades, which could be improved for a more seamless user and UI experience.

We have used Defender XDR for just over a year now.

The services within our ecosystem have been reliable, meeting their SLAs. However, sometimes the experience feels congested, likely due to increased usage, which indicates high adoption levels.

Microsoft Defender XDR shows tremendous scalability, much more so than on-premises solutions. Microsoft has ensured these capabilities are available for its customers.

Support has gotten better, but there is room for improvement. It's critical to escalate SEV B issues immediately to a domestic engineer. Having a CSAM makes a significant difference.

Positive

I have always worked with Microsoft solutions for the past twenty-five years, expanding my knowledge to include third-party solutions as Microsoft evolves rapidly.

The deployment wasn't intuitive,  but it was simple for me. The documentation helps despite a few gaps when they roll out new features. You need to understand the technology before you implement it. Read up as much as you can before establishing a dev tenant, implementing, testing, and then piloting in production.

I wasn't part of the M&A transition, so I'm unaware if a Microsoft partner was involved. I've served as a consultant with various Microsoft Gold partners, and without those partners, adoption would have been more challenging.

From a support desk perspective, there has been a decrease in support requests and an increase in user productivity. Although I don't have exact statistics, user experience has improved significantly, which is crucial for the company's progress.

Licensing is somewhat confusing, particularly when presenting our pitch decks to stakeholders and leveraging key features in premium SKUs, but we managed with some assistance from Microsoft.

I rate Microsoft Defender XDR 10 out of 10.

We have it deployed as part of our security stack for our endpoints.

The technicians working on the issues have a clearer idea of a higher priority issue versus a lower priority. 

I like that Defender is easy to use and the alerts are all in one central location.

Some of our older hardware experienced a slight bump in CPU and memory usage. Although I don't have empirical data to back that up, I would suggest possibly more streamlining in the software.

I have been using Defender XDR for seven months.

We haven't had any issues with it, so I don't have any problems with its stability.

From what I have seen, it's easy to roll out to new onboarded machines and servers.

Microsoft support is not very good. You get stuck in low-level support for way longer than you should, instead of them escalating the issue up the chain. This is kind of the same with all Microsoft support, not just XDR.

Positive

We had BitDefender EDR, which is a pretty similar product, but we switched because we were trying to put everything under the Microsoft umbrella. We got good pricing on it and were happy with the results of the testing we did. Defender XDR officers richer insights into Defender XDR. It's a better overall experience. 

I don't personally crunch those numbers, so I don't know. But I know that we're committed to this for the future, so I would assume that we're doing okay.

Defender XDR is priced comparably to other solutions on the market.

I would rate Defender XDR as an eight or a nine. There is always room for improvement.

We are using Microsoft Defender for Office 365 for identity and email security, safe links, etc.

It works as an antivirus, and it also works for any behavioral issues in a particular machine. It protects all the applications from any vulnerability. It works in both ways. It works for vulnerability management and also for the EDR part. Earlier, we had Qualys for vulnerability management, but Microsoft Defender takes care of both. It provides information about how vulnerable a machine is, and it also takes care of the antivirus and behavioral issues in a particular machine due to some threats or any unwanted applications installed.

It helps us manage vulnerabilities. If there are any vulnerabilities in a machine due to a lack of patches or end-of-life software installed on the machine, it gives us the report. After seeing the report, we can fix those vulnerabilities by uninstalling the vulnerable applications or by patching them.

It takes care of the antivirus part. The signatures are constantly getting updated related to new viruses. It covers any identity-related issues or device-specific issues. It covers the MITRE framework. If any threat or risk is present in our environment, it takes care of that and then tells us that these are the issues that we need to work on. After we get the alerts, we do the investigation and remediation.

It provides unified identity and access management. You can create role-based access. You can create policies based on different risk levels. You can also trigger password resets. There are a lot of capabilities that are built in. You can also create conditional access (CA) policies. If any vulnerable application is installed on a device, you do not want that device to be connected to your network, you can create conditional access policies. It will first check whether the integrity of the device is as per your organization's requirements. If it is compliant, then only that device will be allowed to connect to your network. The same goes for identity. If MFA is enabled in your environment, the users will be allowed to connect only if their accounts have MFA enabled. Otherwise, the access is blocked. You can automate such things.

It is important that identity and access management are included in Microsoft Defender rather than needing an additional solution. Nowadays, you see a lot of phishing emails and unsecure links being forwarded to user accounts. In Microsoft Defender, we have secure links and safe links. Once enabled, if any malicious link is sent to a user account, when the user clicks on a link, it immediately checks whether it is safe to access. If it is found to be malicious, it is immediately blocked. If a user mistakenly clicks on a link, the risk state is changed automatically in the web portal. If you have a conditional policy in place, the access is blocked for that user. Even if the attackers have access, they will not be able to do anything. In today's scenario, it is pretty important to have these in place.

As of now, the integration part is pretty limited to Microsoft products. However, by using Sentinel, which is a SIEM solution, you can integrate other products.

It stops the lateral movement of advanced attacks like ransomware or business email compromise. You can create lateral movement policies, and you also can create high-risk users or high-risk devices. You can have customized policies for them. You can create different policies, and the alerts triggered from those devices or users are put into high severity so that you can take immediate action.

You get the telemetry of any attack observed by Microsoft Defender. You can see everything from the starting point till the remediation steps automatically taken by Microsoft Defender. The investigations can be found easily. They are pretty detailed. Everything is there in the portal.

It has the ability to adapt to evolving threats. Threat intelligence is embedded in the portal itself for new threats, technologies, ransomware, or malware. All the latest threats are automatically handled by Microsoft Defender. Remediation is also automatically available.

It saves time. There is automatic remediation, and there are playbooks that you can configure. You can automate the remediation steps that you have already tried on a particular machine. If you want to suppress some of the alerts, you can create suppression rules so that your team does not spend time investigating them. Playbooks, automatic remediation, and suppression of similar alerts save a lot of time.

Vulnerability management is valuable. We had a different product for vulnerability management. We were using Qualys for that, but after we got Microsoft Defender, we also got the vulnerability management part. It is embedded in the portal itself. We do not have to look into another solution or tool. We did not have to install any additional sensor which reduces the overhead and does not affect the machine's capability. With the same sensor, we get the vulnerability report and threat report. We also get to know any risks and issues related to malware and other things.

The portal is quite user-friendly. There is integration with Office, Intune, and other products from the same portal. From there, we can see which policies are installed on a particular machine. We also can manage devices, groups, and tagging. For a different set of teams or departments, we can create different device groups. Based on the teams and their work portfolio, we can create different policies. It is quite handy, whereas with the Qualys solution, the portal was quite cluttered. To find a particular option, we had to look at many options, whereas Microsoft Defender is quite user-friendly.

We are also getting all the reports by using the same sensor. It is light on the machines as well. It consumes less resources than other solutions available in the market.

It is evolving. We are seeing new advancements and integrations. They have integrated Copilot, so going forward, we can take the AI advantage. It will be quite easy for us to run any queries. These are the advantages that I see in Microsoft Defender in comparison to others.

The patching capability should be there. Patching is something that you cannot do even though you see the vulnerabilities present in your environment. For patching, you have to depend on another solution.

Other than that, there are still limitations in creating device groups. You can create tags, but these tags are based on limited options. There are only a few categories based on which you can create a tag or device group. If there are other conditions that you want to put, such as creating a group based on the application installed on a particular machine, you cannot do that. There are some shortcomings. Also, if you want to whitelist a particular application for a set of groups, you cannot do that. We had an incident where we wanted to whitelist a particular application that was getting blocked by Microsoft Defender, but we were not able to create those groups. We were not able to whitelist the application for some of the devices. We had to whitelist it for the whole environment, which we did not want to do.

It only has pre-built dashboards. You cannot create customized dashboards. They have a set of dashboards, but they are not customizable.

We can create reports using KQL, but it is hard to create customized reports using KQL. You get a CSV, but you need to use Power BI or another reporting product to create the report. The other products available in the market give you customized dashboards, customized reporting, and customized workflows. This is pending in Microsoft Defender.

I have been working with this solution for 1.5 years.

It is a Microsoft product. It is similar to any other Microsoft product in terms of stability. They do change the name and other functionalities, but it is pretty much similar to any other Microsoft product.

It is pretty scalable. It does not stop you anywhere.

I am working in an MNC. We have more than 6,000 people.

It depends upon the license that you have. They have a different set of licenses based on which you get support. It depends on the support packages you have purchased.

It is very easy to raise a request. They have a portal. From there, you can create a ticket by email or by chat. The response is based on the support package that you have. If you have premium support, you can get a response in minutes. 

In my previous organization, I worked with Palo Alto XDR. In this organization, we had McAfee, which is a signature-based solution. Microsoft Defender is more advanced than McAfee. It is EDR-based, whereas McAfree was signature-based. It was based on the signatures related to a particular threat or virus. It was handling threat prevention, but behavioral analysis and other functionalities that you see in EDRs were not there. We wanted to move to a behavioral-based antivirus solution. That is why we opted for Microsoft Defender.

Microsoft Defender also enabled us to discontinue the Qualys solution. It has many capabilities related to vulnerability management. They are available out of the box, but patching is something that is missing. For patching, you need to use Intune, whereas, in Qualys, you can also do patching, so patching is something that is missing in Microsoft Defender. However, Microsoft Defender is very good for the assessment of vulnerabilities.

You also get visibility of the devices that are still not onboarded to Microsoft Defender. You have something called Device Discovery in Microsoft Defender. Once enabled, you can get details of all the machines that still do not have Defender, whereas, in Qualys, you have to create customized or scheduled scans of your network. They then run on a periodic basis, but that is not the case with Microsoft Defender. It is on a real-time basis. The Microsoft Defender client continuously does the scanning, and you get visibility into all the machines on your network that still do not have Microsoft Defender onboarded. However, you cannot do patching with Microsoft Defender.

Microsoft Defender can save costs. Qualys is pretty expensive. Microsoft Defender does vulnerability management out of the box, so if you do not want to do patching and you have another solution for patching, you can save costs. It also has out-of-the-box functionality for identity protection.

It is deployed on a public cloud. If you do not have people in your team who know about this product, Microsoft can give you a vendor to help with deployment, creating the policies, etc.

Overall, it is pretty straightforward because Microsoft Defender is enabled on all Windows machines. All you need to do is to activate the sensor that is already installed. The installation process is not much, but if you want somebody to help you, Microsoft can help you with a list of vendors at a particular location. The vendor can help you with configuring the policies and activating different licenses.

Documentation is available on the Microsoft portal to help you create policies and go forward as per your environment.

We took help from somebody for implementation.

It does not require a lot of people because it is a cloud solution and the sensor is already available in the machine itself. It does not require a lot of manpower to get started with Microsoft Defender and do a migration. However, it also depends on how big your organization is. If it is an MNC with a presence in multiple countries, you might need at least one person per region. If any hands-on support is required on a client machine, you can do troubleshooting remotely or provide on-site support. If you have only one site, you do not need much manpower. A single person can do it.

Its maintenance is similar to any other solution. If you are changing any policy, you have to test them before putting them into production. Apart from that, it does not require anything. The Defender updates are automatically available. You can push them through your patching solution. Its maintenance is not hard.

Every organization has different requirements. In my previous organization, we opted for Palo Alto even though we had Defender and CrowdStrike. CrowdStrike is also a best-in-class solution, but we opted for Palo Alto because it was giving something that was a requirement. In that organization, we also wanted to do some management. We wanted to run some scripts through our XDR solution. CrowdStrike had some limitations. We also wanted to do a console login for a particular machine. CrowdStrike gave that functionality, but it was pretty limited, whereas, in Palo Alto, it was limitless. We could straightaway see the files present on a machine by using the console view. We could run a different set of queries. It did not matter whether we were running a PowerShell script, a Python script, or any other language script because the compiler was embedded in the sensor. Palo Alto met the needs of that company. For the use cases, it was the best fit.

In my current organization, the use cases are different. We only wanted an EDR solution. Also, because most of the products in our environment are from Microsoft, the integration with them was pretty easy. That is why we opted for Microsoft Defender. An organization should look at its use cases and then decide on an EDR/XDR solution.

Comparing Microsoft Defender's EDR capabilities with other solutions, I would recommend going for another solution available in the market. I would rate it a 6 out of 10 because there are a lot of things that are available in other solutions, such as doing a remote of a particular machine and running other language scripts. Other solutions are also better in terms of the isolation of a particular device, removal from the isolation, and granularity of security control. I am not comparing it with others for vulnerability management because Palo Alto or CrowdStrike do not do that. If there are any vulnerabilities and you want to fix them, you have to do all the work.

We provide services to medium-sized businesses in the banking and administrative sectors. We are also using Microsoft Sentinel and Defender for 365. 

Defender helps our clients protect against any threats from outside the organization. Defender XDR helps our clients save about 25 percent by offloading some on-prem functions to the cloud. It also saves time because the cloud interface is manageable, and we can investigate incidents quickly. It's easy to create reports and share information with other teams. 

I like Defender XDR's threat detection and prevention capabilities. Defender's built-in identity and access management features are critical. The solution's coverage extends beyond Microsoft software. Defender is easy to use. It has a nice console, and everything is all in one place. 

The console is missing some features that would be helpful for a managed services provider, like device and user management. 

I have used Defender XDR for the last two years. 

I rate Defender XDR nine out of 10. 

I rate Defender XDR eight out of 10 for scalability. 

I rate Microsoft support nine out of 10. 

Positive

Some aspects of the deployment were not straightforward. It was moderately complex. I enabled all the connections and onboarding process, then implemented a basic set of configurations. It took about seven to 10 days to deploy. 

My clients have seen an ROI from using Defender XDR.

Defender XDR is reasonably priced but may be less affordable in certain countries. For example, it might be expensive for some customers in India. 

I rate Defender XDR eight out of 10. I would recommend Defender XDR. It's a fast solution, and it's easy to train people to use Defender. 

Our main use cases include securing critical university services and establishing a research tenant for researchers to store and manage their findings across both everyday machines and dedicated research spaces. It involves dealing with malware and managing server security through tags. Additionally, a significant portion of our work involves exploring and investigating emails using the Explorer tool. It is well-suited for addressing these scenarios and ensuring robust security measures.

It enables us to respond to incidents more swiftly, pinpointing root causes with greater speed. Retrieving emails is now a much smoother process compared to the previous method using Power Shell. With Explorer, it's a more straightforward and visually intuitive approach, eliminating the previous concerns associated with Query Drive and reducing any associated anxieties. It allowed us to phase out the use of other security products entirely. Initially, we managed this transition through SXM, and later migrated it to the online version of Defender. It has had a notable impact on the operations of our security team. We've had to reshape our procedures, particularly focusing on alerting. There has been a significant upskilling effort, shifting from the previous model where Cisco admins primarily dealt with alerts within SSC or through email.

The most valuable aspect is undoubtedly the exploration capability. Given that we are consistently engaged in exploration, constantly seeking reasons for message delivery issues and searching for malicious attachments, the Explorer feature stands out as the primary and most beneficial tool for our needs.

I'd like to see more integration with various components. While the ecosystem is quite impressive, there's a noticeable back-and-forth between the Defender console and the Exchange console. It would be beneficial to have a more seamless experience with everything consolidated in one place, particularly when dealing with aspects related to the Exchange console. Currently, we rely on a third-party service for the majority of our IAM needs. The data center extension of security coverage has proven to be highly significant for us. Given our extensive use of Linux and third-party applications, having the capability to monitor these aspects within the Defender console would be immensely valuable.

I have been using it for four years.

The stability is quite high. Despite various outages, we've experienced consistent reliability.

Scalability is indeed very impressive. We can deploy resources globally with just a few clicks, and the use of Terraform to create VMs adds a fast and efficient dimension to the process. In terms of end-users, if we focus on mail and overall usage, we currently have around 105,000 users of VMs. Specifically in Azure, we're nearing the 100,000 mark with more migrations in progress, making the average user count approximately 100,000.

Microsoft support has been performing well, promptly addressing any conflicts that arise. Our account manager is quick to respond and provides additional resources when needed. The frequent check-ins, with calls every hour, contribute to a positive experience. I would rate it eight out of ten.

Positive

The initial deployment was quite straightforward.

The deployment process went smoothly, with check-ins and some policies to configure. Overall, it didn't feel cumbersome.

In the long term, there is potential for significant time savings for our security team. Although currently, many of us are investing time in upskilling and adapting to the new system, overall, I believe that as we become more familiar with it, there will be noticeable efficiency gains.

There has been a noticeable reduction in costs. We've managed to navigate it effectively through our enterprise agreement, and Microsoft's academic discounts have proven to be quite generous. The overall expense is significantly lower, approximately fifty percent less than what we would incur with a traditional enterprise license.

Especially with an enterprise license, the transition is relatively low-risk. If you're currently using the old-school Defender SCCM, moving to the new system is not a challenging shift. It's worth picking a few machines, testing them out, and seeing if it suits your preferences. Overall, I would rate it nine out of ten.

We manage around 5,000 computers inside and outside our company. I use Defender to work on our security score by deploying security policies. We apply all the security recommendations to our computers and patch all third-party applications. We check every day for malware to alert our security teams.

Seven months ago, our security score was 50 score and it's now 84. We applied all the security policy recommendations coming from the solution and we became aware of the vulnerabilities and fixed them all, one by one.

We can also automate some tasks and that reduces daily work. And if we get an alert, and we know it is not a false positive, we automate things so that we don't get that alert again.

And if we find malware or a threat, we transfer it to level-one technical support to check and, after that, to the security team. But a lot of times, it catches malware and takes action to block it automatically.

Defender has also saved us money, about 30 or 40 percent. When we had Symantec, we suffered one attack against our company and we lost a lot of data and a lot of servers, and that was a lot of money. Since switching, Defender has been perfect, catching all malware and taking action automatically.

It has also decreased the time it takes me to check everything. I now spend only one or two hours a day monitoring things.

I like that it's fully integrated with Windows, Microsoft 365 Exchange Online, and Outlook. It is better than other antivirus solutions because it's fully integrated with all Microsoft products. It's easy to integrate them and onboard all Windows devices from SCCM. That is really amazing. Everything is clear in Defender. It's not difficult.

Also, everything for security is in one dashboard. It's great. It's not only for Defender but email and everything else. it makes things very easy. I can check everything at once.

The dashboard should be easier to use. There is also improvement needed in the reporting when it comes to exporting or scheduling reports.

I have three years of experience with Microsoft 365 Defender.

It is very stable.

It is also scalable.

On-prem, we have around 300 servers, a mix of Linux and Windows. We also have around 5,000 clients, all using Windows 10 and 11. We have a plan to migrate all on-prem servers to Azure. In the next six months we are looking to migrate 90 percent of them to the cloud. 

I like their support sometimes.

Neutral

We used Symantec for antivirus and security and we migrated all users from Symantec to Microsoft 365 Defender. It's easier to use than Symantec or McAfee and we can use it anywhere because it's a cloud solution. Also, with Symantec, we suffered an attack and it did not do anything. In addition, we already had an E5 license with security so we decided to use this license more fully.

I onboarded it to all machines using the configuration in SCCM. It was very easy. It didn't take much time.

We checked McAfee but we went with Microsoft because it has improved its product very quickly. Microsoft Defender of five years ago is not like it is now. Five years ago it was nothing, but Microsoft has improved it very quickly.

It works with Microsoft Sentinel and integrates well with that, but we do not use Sentinel in our company.

The product replaced Sophos, a third-party product we used, helping us save money equal to its yearly subscription. The product saves us time. We do not have to interfere. It just keeps running.

Considering we haven't encountered any technical problems since we started using it. It is working as intended. It has great stability.

I don't know if that is Defender's feature, but more active monitoring for data breaches would be beneficial. There could be a way to proactively monitor unusual activity versus just depending on viruses and malware. If the traffic seems unusual, it could detect anomalies and update us. It would help us stop malware attacks ahead of time.

I have been using Microsoft Defender XDR since 2015.

We never encountered stability issues.

Whenever we add a license, it automatically sets the account for a new user.

The initial setup process was fine and similar to Office 365. We had to get our email server lifted externally from the premises to the cloud. It is easy to use once all applications are deployed.

Microsoft Defender XDR is already included in our Office 365 licensing. It is better because we're saving money by using it.

The product was included with the Office 365 licensing that we had. So, we decided to try it out. Before that, we were using Sophos.

I haven't run into that particular instance where the security features have extended beyond Microsoft technologies. The only products we use outside of Microsoft are proprietary lockdown applications, and it's not really an issue there.

During staff training, we've been using Intune to detect phishing attempts. It hasn't detected anything in that aspect. However, it has the ability to check for malicious attacks preemptively.

I rate it a ten out of ten.

The summarization of emails is a valuable feature. I get more than 1000 emails a day. It is hard to read them all. Summarization makes it a lot easier. The solution also provides transcription features.

It doesn't work in Word, Excel, and PowerPoint consistently. We find it full of bugs. It doesn't work properly. The tool gives inconsistent answers and crashes a lot. I spoke with the Microsoft team regarding these issues. The person I spoke to said that our expectation was too high and that we should have expected that it would only operate at 70% accuracy, which was a bit of a shock.

I have been using the solution for four years.

We use most of E3 and E5. We're using 92% of the catalog. Everything runs in the cloud. In the past six months, there have been incidents where the cloud has had some issues. We've escalated them to Microsoft and have had a conversation about stability.

The tool is scalable.

The support is decent. It could be better in certain circumstances. Overall, it's acceptable for what we need it for.

We were using a Symantec tool before. We stopped using it because we were exiting a relationship with the Symantec tools. We chose Microsoft Defender for Office 365 because we had a relationship with Microsoft, and it did similar things to what we used the Symantec tool for. It was an easy choice.

The initial setup was complex. It doesn't work. Semantic Index takes 48 hours. Getting people to onboard is not as simple as turning it on and making it work.

We have to ensure that we are teaching people about these tools, their value, and the use cases to determine whether they will use them. If we turn it on and somebody is not trained to use the tool, they will abandon it. It's still not functioning properly. It's a bit of a risk for Microsoft to push out a tool that's not ready yet.

We did the implementation ourselves. We have a large enough internal team.

The solution is too expensive. Each license costs us $30.

Google is an alternative. The comparison is based on market share, penetration, usefulness of tools, and cost. Microsoft has the lead. It's embedded. We use it as a productivity suite for our company. Excel, Word, and PowerPoint are tools that people use on a daily basis.

The tool provides a little bit of unified identity and access management. It's not the most important thing for us. Security is a multi-layered strategy, and Defender is one aspect.

The product is one of the many tools we deploy to ensure that the lateral movement of advanced attacks does not occur. If it were the only tool we had, I wouldn't be as confident in saying that we have the proper levels of security, but it is one of the multiple tools we have. So, lateral movement is almost impossible.

The solution might be able to adapt to evolving threats in a smaller shop. However, it is not so in our organization.

We run a bank. We are testing out Copilot. We're about to roll it out to several thousand users. The tool hasn't yet helped improve things in our organization, but it has the potential. Copilot is new. It's difficult to determine the ROI and its value. It's hard to tell. We do get some value out of the product.

Overall, I rate the product a seven out of ten.