Microsoft Defender XDR Reviews

It is, of course, an antivirus tool. I work as a lead for a SOC team, and it's our job to monitor all the endpoints in our organization. We are looking for any unusual activity happening on the devices, and Defender monitors them.

If there are any changes or unusual activities, it triggers an alert. An analyst will pick up the alert from the Microsoft 365 Defender and go through the timeline to understand what triggered that alert and whether to categorize it as a security incident or not. Some of them turn out to be false positives, and some turn out to be true positives.

We use it for other tasks like IOC management. In the cyber world, different applications have different vulnerabilities. If an application is used in our organization, we make sure all the IOCs, whether hash values, malicious IP addresses, or malicious domains, are blocked in the Microsoft 365 Defender.

It has given us a very wide range of visibility over the endpoints and it's easy to manage. If I see a threat or an attack pattern emerging from a certain location, I can easily isolate those endpoints at a very quick pace. That has pretty significantly improved our proactive measures when it comes to security in the last three years.

Apart from that, it gives us an overall picture, and not just of the endpoints. It has identity and access management and an email security module as well. If there is anything related to phishing or spam emails, we can analyze that in the same portal. We don't have to rely on multiple portals. It's just a single pane of glass where everything is visible. It gives us a clear picture and our visibility has increased a lot.

Another thing I like about Defender is that if a threat is detected, it starts the investigation by itself, by running the scans on itself, trying to isolate the device, and determining which IP addresses or websites it is connecting to. It gives us a detailed picture. All we have to do is make sure all these are blocked. But the initial triage and investigation are pretty much done by Defender itself. That is one of the significant areas of improvement for us, which I definitely like about this product. Automation is one of the key features in Defender, which saves us a lot of time. Sometimes, we don't need manual intervention. It does its job automatically.

If an analyst would take 40 to 45 minutes just to understand what was going on with respect to the alerts that were coming in with the product we were using previously, 365 Defender has reduced that time by half, by 20 to 25 minutes. That is a pretty good improvement. When you're working in a cyber security environment, you need to be very quick to respond because, in a matter of minutes, you'll be firefighting. And that's not what you want.

Among the most valuable features are the alert timeline, the alert story, which is pretty detailed. It gives us complete insight into what exactly happened on the endpoint. It doesn't just say, "Malware detected." It tells us what caused that malware to be detected and how it was detected. It gives us a complete timeline from beginning to end. It gives us a pretty detailed overview of the timeline of the attack.

Another benefit is that Defender absolutely stops lateral movement or advanced attacks like ransomware. The MITRE ATT&CK framework is pre-integrated, and all the use cases or categories that have been defined in Microsoft Defender are based on that framework. Lateral movement is part of that. There are multiple cases of lateral movement available in Defender, and ransomware, of course, is one of them.

We also have threat analytics in the solution. If there is a zero-day attack, it gives us the information. As of now, we haven't seen any impact on our devices. If there is any impact, it shows us, and we can take action accordingly. Those aspects work pretty well.

The only problem I find is that the use cases are built-in. There is no template available that you can modify according to your organization's standards. What they give is very generic, the market standard, but that might not be applicable to every organization. For example, an organization might look into an alert in a different way, not in the way Microsoft provides. There is no way to modify a template according to your needs, and that is something that I really don't like.

Those kinds of alerts are generating too many false positives for us, creating additional overhead. For example, part of the identity and access management is called "impossible travel activity." It generates false positives for us but there is no way I can modify the rule they have given that causes alerts. I cannot use that template or create a new one using that template, which I then modify to fit my organization's standards.

When we raised the issue with Microsoft, they said, "It's a product feature. What you are requesting is a product enhancement. We can take your request, but we are not sure when it's going to happen."

I have been using Microsoft 365 Defender for almost three years.

I have not observed even one time that the tool has lagged or crashed.

It is pretty scalable and user-friendly. There are no issues with the scalability.

We have raised a few tickets for cases we needed assistance with. Their support is good. The response is good. Sometimes, the challenge is that an issue might be a high priority for us, but they might not consider it a high priority based on their understanding. Their severity levels vary compared to ours. That's fair, of course. It's not something I am complaining about. Overall, the response from their support is always positive.

Positive

We were using McAfee ePO, but we have completely stopped using it now that we have 365 Defender. Discontinuing McAfee has definitely reduced manual correlation. Most things are automated in the Defender portal, so if a high-severity alert comes in, an automated investigation is triggered. That is one of the key features.

Irrespective of whether your organization is a mid-sized company or a big company, Defender is pretty scalable and very easy to use. As a cloud solution, you don't have to worry about it crashing. The alert timeline is pretty detailed. It catches most of the threats out there. You don't have to worry too much if there is a new threat because Microsoft makes sure that it is already addressed by Defender. If something comes up, it will sound an alert.

If you are looking for a nice antivirus product that doesn't take up many of your endpoint resources—compared to other antivirus software on the market, some of which take huge resources from your machine—it comes built-in with Microsoft. You don't have to install anything.

It's a cloud deployment, so I don't think there is any maintenance required from our end, unless there is a policy change requested at the organization level.

The platform provides unified identity and access management. When I started using it three years ago, that was a separate product. It was under Azure Cloud App Security. Now, they have integrated into Microsoft 365 Defender. We can see identity and access management-related alerts in Defender. Identity protection is something we have not explored that much. Our main focus lies on the endpoint.

Still, it's good to have it in Defender itself because it comes as a complete package. Just because we are not actively using it doesn't mean it's bad. It gives us detailed information, but we are working on the endpoints, focused on the device side. But if a brute-force attack is happening, it comes from a specific device. We don't have to rely on multiple portals to get that information. Everything is available in a single window, because we have that user information. You also see user access to devices and check if there are any malware-related alerts on that device. And that information is in the same portal. Integrating identity and access management in the same portal is a pretty good feature rather than having a separate feature altogether.

My role is to monitor Microsoft 365 Defender. We investigate various alerts and incidents that occur there. We utilize the solution to block any malicious domains, URLs, or other harmful elements that could affect our environment. Microsoft 365 Defender is our tool of choice for this purpose, and it helps improve our secure score. We assess the available remediation options to determine if they are suitable for our enrollment. Additionally, we use it for email analysis and make use of all the features provided by Microsoft 365 Defender.

Microsoft 365 Defender offers excellent visibility into our environment. We have a dedicated team that focuses solely on handling threats. As for me, I mainly deal with the architectural aspects of the overall environment. However, we rely on Microsoft 365 Defender for threat detection, and in the future, we plan to implement Sentinel as well. The reason for choosing Sentinel is that its integration is much more compatible, as Microsoft does not send various logs for other third-party tools like QRadar or any other tool. Therefore, we have decided to move forward with Sentinel.

Microsoft 365 Defender assists in prioritizing threats across our organization by offering real-time threat analysis. However, it does not provide upcoming threat alerts, such as identifying vulnerable technologies for our environment. To secure them, we can access the security score and follow the recommended actions. The platform displays current metrics and trends.

We are currently in the process of integrating Microsoft Defender for cloud apps and Microsoft 365 Defender, with 80 percent completion. Both solutions work together to deliver coordinated detection and response across the environment. We have one unified dashboard to monitor and control both solutions from a single place.

To create a fully comprehensive threat protection environment, we will integrate Sentinel with Microsoft 365 Defender and Microsoft Defender for cloud apps. This integration will allow us to receive additional data related to threats that are currently not shared by Microsoft.

Microsoft 365 Defender is an excellent tool. It is compatible with Teams and Outlook, making it ideal for threat detection and mail security in a Windows environment, which is commonly used by many corporate entities.

Microsoft 365 Defender is helpful in automating routine tasks and identifying high-value alerts. The Microsoft dashboard facilitates the remediation of alerts by grouping alerts of the same kind, which is beneficial.

Microsoft 365 Defender helps reduce the number of dashboards we need to look at, but it does not completely eliminate them.

Microsoft 365 Defender has saved us time by consolidating many of our solutions into a single tool.

Microsoft 365 Defender helps reduce our MTTD, but Sentinel would help decrease our MTTD even further.

The 'Incidents and Alerts' tab is a valuable feature where we can find triggered alerts.

Microsoft Cloud App Security has now transitioned its alerts to 365 Defender. As a result, all alerts that were triggered in Microsoft Cloud App Security are now visible in Microsoft 365 Defender.

It is beneficial that we can search for any of the devices. If we choose any of the devices, it will display the alert, incident, and the entire timeline related to that particular device. These are the features covered, including the ability to run antivirus directly on the device, isolate the device, and apply restrictions. These are the positive aspects of the solution. The same applies to 'Identity' as well. 

We can also investigate that router using email. The image represents the user's complete inbox. We can find out who the main users are, what the titles of the emails are, and how much malware we have received, including the number of phishing emails. We can see all this information in that explorer. Additionally, that thing is also beneficial.

There is a section titled 'Action and Submission.' When we submit any kind of share value for evaluation to Microsoft, they take a significant amount of time for the process.

When discussing the secure score, which includes overviews and recommended actions, some of these recommended actions are not applicable to us, particularly those related to Microsoft Internet Explorer, which we do not use in any of our environments. Nevertheless, there are instances where options to disable macros and various configurations appear, even though they shouldn't be present.

I have been using Microsoft 365 Defender for two years.

Microsoft 365 Defender is stable.

Microsoft 365 Defender is scalable. The solution can handle numerous endpoints, and as our user base grows, the number of endpoints automatically increases.

Many times, the engineers assigned to our tickets are not very knowledgeable about the solutions and features.

Neutral

I would rate Microsoft 365 Defender an eight out of ten. There are many rapid and independent changes happening each month or every other month, making it difficult to keep track of them.

I prefer adopting a best-of-breed strategy instead of relying on a single-vendor security suite. I have observed this approach being implemented in numerous organizations.

Microsoft 365 Defender surpasses most platforms available in the market in terms of advancement and offers extensive integration with other Microsoft solutions. I highly recommend this solution.

It has helped us identify a lot of loopholes within our environment and mitigate risk. It has improved user experience as well.

The visibility into threats provided by the solution is amazing. If you have Sentinel, you can integrate it with Microsoft 365 Defender. You can then access all of the logs at once with a code. You would be able to quickly analyze and react to any threat.

We are able to prioritize threats with this solution. Depending on the type of license you have, you will be able to access different capabilities. We place very high importance on prioritizing threats because the easiest way to get attacked is through the user or the endpoint. You must have multiple layers of security.

We use several Microsoft security products such as Sentinel, Defender for Office 365, and Microsoft Defender for Cloud Apps (Cloud App Security). Microsoft has the highest form of integration, so these solutions integrate in a straightforward manner. Once Microsoft Defender for Cloud Apps is unlocked, you can connect to third-party applications as well.

These solutions work natively together to deliver coordinated detection and response. The threat protection that these Microsoft security products provide is comprehensive and very effective.

We use Microsoft Defender for Cloud and make use of its bi-directional sync capabilities. It gives us access to reports and makes reporting much easier as well.

Microsoft Sentinel enables us to ingest data from our entire system. Data ingestion is very important to our security operations because it makes it easy for us to know if there are any vulnerabilities or threats. It flags it, and we can analyze it and also create a query, which brings to light threats. We can then mitigate the threat or attack breach on the device.

Sentinel enables us to investigate threats and respond holistically from one place. It makes life easier for us and helps us not to be caught unaware. There are many forms of alerts that notify you immediately of any threats. You can set up automations, which might even fix the issue or mitigate the issue immediately without the need for intervention. That is, you can create a rule to automatically fix a particular problem.

Sentinel captures a lot of logs, and you'll be able to create action plans through the application to directly handle particular threats. The integration has been done already, so automatically it will send a signal to the environment or to the solution you have integrated with to carry out a particular action.

The cost of Sentinel is on the higher side compared to that of other standalone solutions.

We can automate routine tasks and write scripts to carry out difficult tasks, which makes things easier for us.

This solution has helped us to save 60% to 70% of our time.

Microsoft 365 Defender provides one XDR dashboard, so we don't have to look at multiple dashboards. In the Import Center, all you need to do is to select the solutions that you want, and it will give you multiple options on different categories and different data. It's amazing and straightforward, and you won't need to open other tabs.

We have been able to prepare for potential threats before they hit and take corrective steps. We can immediately identify users or systems that have viruses or malware. We can also find scripts that have errors underneath them. We can discover each element from the history and delete it. It covers a lot of aspects, and the integration with Sentinel helps as well.

Because there's someone actually monitoring everything, when there is a threat or any form of abnormality, all they would need to do is to create a rule or a query to create a particular section and add the action that needs to be carried out. It's easy to get to reports as well. Overall, the solution has decreased our time to detection and our time to respond by 60% to 70%.

Microsoft tends to provide too many features, which makes the solution prone to bugs.

Also, 365 Defender needs to be more flexible during deployment. When it comes to causal admittance, at times it seems slow.

We have been using this solution for about three years.

The stability is okay. Microsoft has evolved a lot, so they tend to make sure that the solution is up to date and up to par with best practices in the environment. They add new features as well.

It's very scalable.

The level of support you get depends on the knowledge of the engineer who has picked up your ticket. I'd rate technical support at seven out of ten.

Neutral

The initial deployment is straightforward as long as you meet the prerequisites. 
It doesn't really take a lot of time to deploy. All you need to do is to set up the policy, then assign the license to the users. Microsoft handles the maintenance of the solution.

Defender Plan 1 is tenant-wise, and Defender Plan 2 is per-user, which makes it more expensive. To have certain features, you would need to purchase the E5 license. For all of the capabilities that the tool provides, the price, though it can be high, is fair. 

I don't think having a single vendor's security suite is the best because once the threat actors are in through the surface, it's easy for them to penetrate. This is because they'll know all the cracks in that particular product. However, if you have another vendor protecting you as well with a different signature database that is separate, then the attackers have multiple walls that need to be cracked.

An average-sized organization can go for the Business Premium plan. Larger organizations can go with E5, which comes with the full functionalities of Microsoft 365 Defender. Overall, I'd give this solution a seven out of ten.

We have very strong DLP policies. The product will inspect each and every outgoing email and what kind of attachments they have, including if any have business-sensitive information such as outgoing email going to some public domain such as Gmail or Yahoo. If the solution detects this, it'll raise an alarm and notify the required teams. On top of that, the incoming email will scan attachments for any potential malware tech or any phishing link. 

The native capabilities are quite good as it slips in seamlessly as part of our integration. 

It integrates well without AD, Active Directory.

It gives a lot of flexibility in terms of configuration and customization as per the business requirements.

These days, in the security industry, there is a buzzword called zero trust. I personally have not seen much evidence of how Defender can enhance the story of Zero Trust for enterprises. Microsoft needs to offer more features here or spread awareness in the industry and the market about how Defender addresses Zero Trust issues.  

I've used the solution for more than a year now.

The stability is good. it's up to the mark. 

It's usually scalable. 

We're using it on a daily basis. 

The solution works for any size of organization. There is no such limitation for Microsoft as the ecosystem they have built doesn't really have a limiting factor. It will work for a small sized up to a big-sized organization. Our company is half a million strong. If it satisfies our needs, then definitely it can satisfy anybody else as well.

I personally have never reached out to technical support as our in-house expertise is good enough.

It's good for the most part, as it is their own homegrown product and they understand it well.

We haven't worked with any other products.

The setup is a simple process, however, users can adopt the phase-in approach and start simple and then yeah. For example, over a period of time, you can achieve what you want to achieve, but not in a single shot. You can do it in phases and work everything in slowly.

The amount of time it will take to deploy Defender depends, actually. If a customer is already sure about all the processes and reporting information they require, then to start, it should not take more than a couple of months, including planning.

There is some maintenance required. We need a team to run the show, however, when you compare it to other options, the maintenance requirements are reduced. We typically have a cloud operations team to oversee it, and it's business as usual. Our company is able to provide any needed maintenance services to our clients. 

Our company integrates this solution into our client's infrastructure.

We have E3 and E5 licenses for our users and there is the default.

Depending on the user role, the senior people and critical positions have been allocated the E5 licenses and the intermediate users have been allocated E3 licenses.

Whether it is inexpensive or not is not a very straightforward question as, when you compare the total cost, you have to consider the total cost of ownership. It's not only a comparison between two products. You have to see the other dependencies when you deploy any other solution. That said, I would say it is more or less cost-effective.

We are partners with Microsoft.

I'm in a customer-facing role where we propose different email security solutions to our customers. My role demands that I identify the required security solutions for the different needs of our customers.

We are on the latest version of the product.

I'd advise potential new users to define their business requirements first, however, it's likely Defender will need them and provide what they need.

I'd rate the solution at a nine out of ten.

One of my largest customers deployed Defender for Endpoint, but they also wanted Defender XDR to get a specific feature. Defender XDR is included in the E5 license, but it's a bit too expensive. Our customer wanted Defender XDR's file integrity monitor tools for compliance. My client is using Defender with Sentinel, but I'm unsure how much they use it. 

My clients like Defender's file integrity monitoring. They're monitoring Windows and Linux system files.

My client would like the solution to be more customizable without using code. You can only build on the default console, but we're not allowed to change it. 

We have a similar tool to Defender's file integrity monitoring. Under the VMware VM properties, there is a change-checking tool, and it will tell us if the extension is in a different location. You can configure checking and do the monitoring. When I log into Defender's file integrity portal, I cannot see that this machine was enabled.  It's the same agent and extension. 

It's confusing because I don't know how to tell the customer they don't need to pay $15 per month because you already can enable the extension in VMware. Under the Defender account, it all seems like it's high code, and we cannot change it. Every customer has requirements for us to customize those things. 

I have used Defender XDR for about a year. 

Defender XDR is an enterprise-scale solution. 

I rate Microsoft support 4 out of 10. 

Neutral

I rate Defender XDR 3 out of 10. I don't think Defender XDR is ready to deploy in its current state. It has too many solutions inside, and they're not fully integrated. 

We mainly use it to defend endpoints.

We have seen fewer threats with the solution. The attacks that we experienced in prior years have reduced drastically since we implemented Defender.

We also use Microsoft Defender for Identity. Their integration is very good. If you are a Microsoft 365 SaaS solution user, it is perfect. It works very well with all the services provided by Microsoft. These services work natively together to deliver coordinated detection and response across our environment. We are pretty much a Microsoft shop, so the integration of these different services is very important for us to secure our offices.

Microsoft 365 Defender's threat protection is very comprehensive. The service that is available now is much more comprehensive than what was available a few years back. The only area that I see lacking is the dashboard. I can create my own dashboard, but the preset security dashboards should be much more functional.

Its threat intelligence helps prepare us for potential threats and take proactive steps before the threats hit. The vulnerability scanning feature is great, and the Secure Score feature that scans the endpoints for vulnerabilities and keeps them up to date reduces a lot of the attacks that can possibly happen.

Microsoft 365 Defender has saved us time. It has saved at least 30% to 40% of our time.

Microsoft 365 Defender has saved us costs. Previously, we had to pay for third-party protection services separately, but because it is now integrated with our E5 licenses, it saves us a lot of money.

Microsoft 365 Defender has decreased our time to detect and respond. We now have visibility and this led to about a 20% to 30% reduction. 

The EDR and the way it automatically responds to ransomware and other attacks are valuable features.

The visibility into threats is not as good as other products in the market such as CrowdStrike, but if you know where to look, you can gain access to what is going on. The way the dashboard is designed is not as great as other products.

It helps to prioritize threats across the enterprise, but a lot of administrative overload is involved in determining which threats to prioritize. As compared to other products, it is a bit lacking.

Similarly, it helps to automate routine tasks and finds high-value alerts, but a little bit more automation would be appreciated.

Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented. That is because a lot of organizations that I have worked with over the past years do not have full-on SOC or threat detection services. They should put in more automated response capabilities and dashboards for smaller organizations.

I have been using this solution for almost three years.

It is a very stable product. Our attack metrics have come down drastically since we integrated with Defender. In my opinion, it is a very stable product.

It is very scalable. I do not know about third-party clouds or third-party solutions, but when you are a Microsoft shop or have Azure or a hybrid setup, it is very scalable.

We have multiple departments and multiple locations. We have client-facing computers, and we have in-house and on-prem computers. We also have Azure VMs. 

Their support can be better. Their response time is good, but their knowledge and documentation are a bit lacking. Technology is moving faster than the documentation and the knowledge that is being provided to the support team. Their support team pretty much looks at the same documentation that we are looking at, but the technology is moving a lot faster than they can catch up. I would rate their support a seven out of ten.

Neutral

We used CrowdStrike and Trend Micro. We switched to Microsoft 365 Defender because we wanted to integrate services.

The solution is deployed on the cloud, but the endpoints are connected on-prem. In our organization, we have quite a few endpoints, so it took about three or four weeks.

The setup will be straightforward for big organizations if they have a complete IT department, but for a small organization, implementing the same service becomes trickier because they do not have full-fledged IT departments. That is where the problem lies. 

More automation would be better. However, automation is present with Autopilot and other services where you can integrate everything.

In terms of maintenance, you have to fine-tune the services on a regular basis and tweak the deployment as per your requirements.

We have about eight admins who worked on the implementation of the solution.

We have probably seen 30% to 40% ROI.

It is fairly priced because we get complete integrated services with the E5 license.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single-vendor strategy worked for us because it brought down our investment in terms of licensing and cost. The deployment across the organization has been a lot easier than integrating third-party solutions in different areas of the organization. For example, Defender integrates very well with both the endpoints and the cloud. Whereas with a third-party solution, we have to get different applications that need to connect back to the service to get the solutions that we require. Native integration is very useful for us when it comes to Microsoft. That is what I would recommend.

If you are a Microsoft shop, I would highly recommend it, but you have to do a PoC.

I would rate Microsoft 365 Defender a nine out of ten.

I've been using it for endpoints and for Microsoft 365, along with Microsoft Defender for Identity. I use it to create policies for anti-spam, anti-malware, anti-phishing, as well as safe links.

I also use it for the security score, making sure that our company achieves a good security score across the organization.

It has helped us increase our rules and policies, protecting our users, information, and data.

When I deploy a policy for anti-spam or anti-phishing, the solution automatically helps us mitigate those kinds of attacks that could expand across the organization. The automation stops those attacks and emails and sends the emails to a secure place where the admins can accept or eliminate them.

It has also eliminated having to look at multiple dashboards, which not only makes things easier, but helps us detect, and see for ourselves, the threats that are happening across the organization.

In addition, the threat intelligence helps prepare us for potential threats, providing us with security steps to take based on what other experts have done, the steps and recommendations, to prevent those threats. It collects information from the website that Microsoft has where security experts provide information.

And with our endpoints, it has helped us save time because, before we installed Microsoft 365 Defender, we had an antivirus solution that took our time. In addition, by using Defender for Identity, we have been saving time with the password self-reset, because we no longer need IT members or administrators to help reset users' passwords. They can do it by themselves. And with Microsoft Defender for Cloud, we're no longer installing the software on their computers, so there are time-savings as a result.

And one of the greatest characteristics of 365 Defender is that it natively helps you coordinate, detect, and prevent threats, and it provides investigations across the organization's domain. And with the responses across the endpoints and various resources in the cloud, it has many sophisticated solutions integrated to protect against cyberattacks. It has absolutely helped us to save money because it is just one solution, rather than paying for multiple services at the same time.

The security score and the threat intelligence are really good features. I also like the Exchange message trace.

The visibility into threats is also very impressive because Microsoft helps you predict things and provides analytics to help you really improve your security. And all of this technology works across the domain, so it is pretty helpful in terms of threat analytics. It immediately detects and tells you what you can do, with recommendations.

The solution also indicates threats as high, medium, or low priority. When the priority is high, that is when I put all of my effort and knowledge into it, and focus on it, because it is valuable for the enterprise.

We also use the solution's role-based access control across the organization. Because, as a company, we work remotely, we make sure that our users have access to what they need and we better protect our company from intruders and cyberattacks.

Intrusion detection and prevention would be great to have with 365 Defender.

I've been using Microsoft 365 Defender for nearly a year.

The stability has been great so far.

It's very scalable. That's one of the benefits of the cloud. You can scale or downsize it whenever you want.

We have many locations and departments around the world. I'm located in the Dominican Republic, but there are people in Europe and the United States.

Their technical support is great because they mostly provide responses in less than 24 hours.

We were facing downtime with our Outlook email, and they told us what was happening with our data center. After they responded to us, we provided the information to the head administrators. After two hours, they restored our services.

Positive

The solution doesn't require any maintenance, as far as I have seen.

Between a single- and a multi-vendor security solution, it depends on whether you are using multiple technologies. Microsoft solutions are pretty much integrated, and help you with the pre- and post-breach. If you are using Microsoft, I would absolutely recommend Microsoft 365 Defender. But if not, I would recommend something else because, with just Microsoft, you probably would not be getting the best solution. There would probably be latency.

Defender XDR is a solution that protects your enterprise systems and devices.

Defender XDR has helped a lot in terms of capturing all kinds of activities happening on the endpoints where it is. If you want to know what happened at a point in time, you can go to the history and search everything. This helps you investigate exactly what happened if you have a security breach. It doesn't take much time, but I don't have anything to compare it to because Defender is the only XDR we've used. 

Defender XDR has a feature called the timeline that lets you track all activities. It helps a lot with investigations. Microsoft has many identity management features and products that complement each other.

It covers the weaknesses and vulnerabilities of non-Microsoft solutions, but it will not help you to do the remediation. You need another third-party tool to do the remediation. 

Defender protects against advanced attacks like ransomware or email phishing. The protection Defender provides is excellent. It's a great product for preventing attacks and reducing risks for organizations. 

There are a few technical issues with Defender XDR that can be improved. Sometimes, the endpoint devices are not reporting properly to the Defender 365 portal. When you're getting all the information from the Microsoft portal, the devices are sometimes not in sync. We have hundreds of endpoint devices, some needing to be onboarded again. 

I have used Defender XDR for three years.

I rate Microsoft support nine out of ten. It's excellent. 

Positive

We did a POC for a McAfee product. There weren't many differences, but Microsoft Defender was included with our E5 license. The major difference is that we saved money by not purchasing another product. 

Defender XDR is a cloud-based solution. You can access it and see all the information you need inside the Microsoft portal. 

Defender XDR is not expensive. It's average compared to other products. 

I can get Defender bundled with the E5 package. We had considered replacing it, but after evaluating some competing products, we decided there was no significant difference between the third-party products and Defender. 

I rate Microsoft Defender XDR eight out of ten. I think there is room for improvement in terms of its coverage of non-Microsoft technologies.