Microsoft Defender XDR Reviews

The solution is primarily used for security response. We work with many government ministries that use Microsoft, Microsoft 365, or security tools like Azure XDR. This solution integrates with other products, helps with detection, and offers quick response times.

The threat-hunting and incident investigation capabilities are very strong. It can investigate and block phishing attacks and monitor them effectively. We can even do endpoint behavior analysis. 

The solution's XDR platform provides unified identity and access management for customers. If the customer is using a Microsoft Enterprise XDR solution, it does. We do have Microsoft Defender for Identity. It's part of the suite itself. Customers can have Defender for Endpoints, Defender for Identity, and Defender for Cloud. All these things combined form the XDR. The main use cases are around identity - to understand whether there is identity hacking, privilege escalation, or some malicious user in the environment. It helps us respond to those events very quickly.

From a coverage point of view, it's good. We are quite happy with it. If we have users with multiple devices, the solution provides comprehensive coverage.

While the solution does cover technology beyond Microsoft, it's strongest when monitoring the Microsoft Suite. We do have servers, and it can monitor them. They don't necessarily have to be Windows servers.

Defender XDR can stop advanced attacks, like ransomware or business email compromise. It depends on how the solution is configured. It does a lot of monitoring and helps the SOC team or the analysis team find issues. 

The solution has the ability to stop attacks and can adapt to evolving threats. It can ingest a lot of threat intel data, which actually gives us the latest information about how the threats are happening. It does a quick analysis of that. 

Some customers use Defender XDR's multi-tenant management capabilities. That said, most of the time, they might not need a multi-tenancy. In one or two cases, customers may have done it, but not very frequently. The multi-tenant management capabilities for investigating and responding to threats across tenants are pretty decent. It provides a very unified view. That's one of the core capabilities of Microsoft XDR - the unification of the view. In a security situation, I might have solutions in multiple places. However, our tenant will be protected, and we will receive alerts. It helps a lot with individual client monitoring. It will help me hunt other tenants as well. It makes it so we have a very cohesive environment. 

Defender XDR has enabled some of our customers to discontinue the use of other security products. However, it's not always based on capabilities. In Qatar, for example, it's a government mandate to use Microsoft as much as possible, so we move a lot of customers over exclusively to Microsoft in those cases. That doesn't mean the other product wasn't performing. It just means there is a heavy preference towards being solely on Microsoft. 

The Microsoft XDR solution has helped some customers to reduce costs. One of the major cost reductions is on the resources side (not on the technology side). As a service provider, we can move to a much leaner team with the XDR setup than with a non-XDR setup. When you have different environments to monitor and different alerts coming in from different devices, then you need more people to do the monitoring and analysis. However, when you have a unified view of the environment, then you can reduce the team to a certain extent. We can do a 25% reduction on a team, which is a considerable reduction since resources are expensive. How much a company can save depends on the environment. If it's small, the reduction in cost may not be significant. It can be as low as 10% or as high as 25%, depending on the size of the environment. 

It's helped us save time. It's difficult to specify how much; however, it's likely up to 25% thanks to the reduction in the analysis needed. 

From a performance standpoint, improvements could be made. 

I've used the solution for one and a half years. 

I'd rate the stability eight or nine out of ten. If it's just a Microsoft environment, the reliability is very good. If it's a mixed environment, I'd rate the stability seven out of ten. 

The solution is highly scalable. 

Technical support is good. We have enterprise support and they are responsive.

Positive

I do not handle the initial setup process. The customer may deploy it across multiple locations. The size of the environment can vary from 100 users to 1,000.

There isn't really any heavy maintenance. You just have to renew the licenses. If it's a small environment, one person can handle that. If it's bigger, there may be two or three people. 

My understanding is that Microsoft is trying to change the pricing. However, right now, it's bundled together. If it could be decoupled a bit, it would help customers be able to afford the solution. 

We are service providers, and we resell Microsoft solutions. 

XDR is basically used for unification. It's more of a dashboard. When you have an XDR, you can monitor the entire environment. You can also see and take actions across the entire environment, which is actually a very big advantage when it comes to a particular software analyst's day-to-day job. They can be monitoring one screen. Typically, if an issue is found, a ticket needs to be made, and that's passed onto an engineer, but with XDR, a lot can be automated. It can help reduce costs related to manpower and make the process more efficient. 

I'd rate the solution nine out of ten and recommend it to others. Smaller companies may not need it; however, if a company is growing fast or is already sizable, it's a good option—especially if it is a mostly homogeneous Microsoft environment.

We implement it on client endpoints and server endpoints. We also integrate it with Microsoft Entra ID for the identity part because the security part of Microsoft Defender is completely correlated to user activity.

Microsoft Defender XDR is important for the mitigation of threats, visibility of vulnerabilities, and identification of issues within the environment. It has been a leader in the market for consecutive years.

We have a single pane of glass for servers, endpoints, and mobile devices. It makes it very easy to identify which devices are at risk when you go to the vulnerability part. There are also recommendations. Especially for me, these recommendations are gold. You see exactly what you need. Microsoft Defender XDR is completely different from your antivirus solution. It detects based not only on signatures but also on the policies, so you are forced to harden your servers or client endpoints, which makes a much stronger solution.

Being a Microsoft solution, it integrates well with other Microsoft systems. The majority of the systems are Microsoft-based. This integration comes without the need to install a client on the local machine. It makes the life of the operators and whoever implements it way easier.

Microsoft has a range of Defender products. There is Defender XDR, Defender for Endpoint for clients and servers, and Defender for Office 365 which protects mailboxes, SharePoint, and OneDrive. Then you have Defender for Identity, which is integrated with Defender XDR. You also have Defender for Cloud Apps that is connected to Defender XDR. When integrated, you can get sources of threats, for example, from Defender for Identity connected directly on the endpoint. Defender for XDR protects the endpoint devices against ransomware and different threats. We need to see more holistically at all the Defender solutions instead of isolating them. There is an element of correlation of identity. For me, nowadays, it is much more important to protect the identity than the endpoint device itself because the majority of the vectors are coming from identity attacks. They are more than the viruses attacking the endpoints.

I do not have much experience with Linux as such. I am very focused on Microsoft solutions. I never focused on Linux, but I have worked with my peers, for example, on projects to enroll Linux devices. We needed to prepare simple scripts or puppet scripts to automate the process of pushing policies and automate the update of the antivirus. It is trickier. It is more complex to manage because of the nature of Linux itself. It is not as straightforward or integrated as Microsoft solutions, such as Microsoft Windows 11 or Windows Server, but Microsoft Defender still covers everything. There are some limitations regarding Linux servers and endpoints because you need to have the version of Linux that is supported by Defender, but at the same time, with whatever is supported, Microsoft Defender does the job. Linux and Windows operating systems work in different ways, and the way that antivirus interacts with the operating system is completely different. There is role-based access control in Windows. You have local administrators and domain administrators. On Azure, you define roles for users to access certain environments. On Linux, you have the root user, and as a core front operation system embedded in it, you do not have the least privileged access management solution. This comes with a price because you need to control much better to whom you give access. SSH keys, for example, are very important to be protected, which is a different protocol than the Remote Desktop Protocol (RDP). You need to protect Linux servers in different ways, which is very different from Windows. Defender or Defender XDR extends the protection, especially when you need to connect with Azure Ark, which is part of Microsoft services.

Microsoft Defender XDR has consolidated security solutions. Previously, you had an antivirus, and you had a different type of endpoint protection for servers, and then you had a web content filtering solution, which is part of Microsoft Defender XDR. It consolidates all the extra products that you require, but it does not give all the elements. It is not a firewall. It is not a web application firewall (WAF). It does not give you everything required as a security solution, but as an extended detection and response system, it gives a lot of leeway for you to meet your security objectives. If we compare it with other products, Defender XDR is much more complete than the competition.

The integration, visibility, vulnerability management, and device identification are valuable. You can automatically deploy the clients depending on how you are implementing the solution. 

The web filtering solution needs to be improved because currently, it is very simple. It is very important.

Integrations with Linux should be done in a better way. With the AI world and the security part, things are going to be much simpler and easier to set up, configure, deploy, and maintain. I am looking forward to new releases of Microsoft Defender XDR to have better integrations, but the web filtering solution is the main pain point.

I have been working with Microsoft Defender since it was released. It has been about four years. I started working with it when it was not even called Defender. It was Advanced Threat Protection. It then changed to Defender for Endpoints and then to Defender XDR.

I have not experienced many bugs or issues. Sometimes, you have delays in the response, but that is due to connectivity issues. It is a cloud-based solution, so you cannot expect to have a real-time response, but this can be improved by Microsoft. I know that they are trying to improve. I would rate it a nine out of ten for stability.

It is ultra-scalable. I would rate it a ten out of ten for scalability. 

I love Microsoft, but due to its growth, the overall support quality has decreased a lot. My recent experience with support was not that good. For the Defender part, it was not that bad. I would rate their support a six out of ten. Their response time and knowledge could be better.

Neutral

I work with Trend Micro. I work with Kaspersky. Trend Micro has its own cloud-based solution similar to Microsoft Defender XDR, but it is not the same. It has some problems. It is not as effective as Microsoft Defender XDR. Especially whenever it comes to vulnerabilities and recommendations, Microsoft Defender XDR is amazing because of its integration with Microsoft operating systems. Microsoft is much ahead of the competition.

I would never touch Kaspersky again. It is not because it is a bad product. It has been a very good product for several years, but because of the Russia and Ukraine war, it has become a prohibitive product at least in Malta to use. A lot of customers moved from Kaspersky immediately to different products. The majority of them went to Microsoft Defender XDR, especially because it also comes integrated with some products. Microsoft is bundling its own products, and Microsoft Defender XDR is very attractive to implement as a cloud solution. It is a no-brainer for the customer. That is where Microsoft has an advantage over Trend Micro, Kaspersky, and other vendors.

With Cloud servers, it is easy and very straightforward. You can almost do it automated, but in a hybrid environment, you have the element of the on-prem servers, which becomes a little bit more complex. You also have the element of Azure that simplifies the deployment process.

It can be difficult to deploy in the beginning because you need to consider different products and elements, but the deployment is the simplest part of the onboarding process. The configuration process is much more difficult, especially because on servers, you need to deploy group policy objects (GPOs) and set all the policy options to protect from the vulnerabilities. You need to configure the antivirus to protect from exploits. There are so many features and configuration possibilities that it becomes more complex to implement on server endpoints. On the client side, it is easy, especially when you implement Defender through Intune, which is the mobile device management solution of Microsoft. With a platform like Intune, it becomes easy because you have policies that assist you already out of the box, such as security baseline policies. With Intune, it is much easier to set a policy. It is way less complex to implement. When you have a hybrid environment with endpoints joined on a local active directory, the complexity increases because you need to deploy GPOs as well if you do not have Intune involved. It is complex to implement.

The deployment takes a few weeks, but it also depends on the size of the customer. If you have just Windows 11 client endpoints, it is easier to implement. Client endpoints are easy to implement because you do not need to test that much. You configure the policies. The policies are all known because of our experience. When it comes to servers, it depends on the server's workload. It depends on what type of service you have installed on the server side. If it is the IIS web server, you need to test certain policies that can block that service. You cannot simply go and implement the best practices of the policies because then you are going to make the server unusable. You are going to generate downtime, which is not ideal and also not the objective, so you need to be very knowledgeable on the infrastructure side and the security side of all applications. You need to study. You need to create a test environment and start implementing server by server. You require details, and it is complex to implement because of this reason.

I am currently doing an implementation for a company with 300 people, and it would take around two months to implement because of the number of servers and endpoints. You need to go into each and every device and analyze the environment. It takes a while. In smaller companies, it is very quick. Within a week or two, you can manage to implement it.

In terms of maintenance, there is no maintenance of the product, but there is maintenance of the environment. Microsoft releases frequent recommendations, and they detect new vulnerabilities very frequently, which requires constant maintenance of policies.

I usually allocate two people. There is one person more focused on the client endpoints, and the other one is more focused on the servers because of his expertise. We split the roles and responsibilities within the team.

It has not saved us costs, but we have invested in a proper solution. We have a better return on investment. We now have better visibility. We are investing in a product that gives what we need instead of a product that does not fulfill our requirements and our customers' requirements.

As a service provider, it is very hard to calculate an ROI. For customers, it is more of a return on value rather than a return on investment. If you have not been under any threat after implementing the solution, it provides the value you need. This is my point of view on security because there is no perfect solution, but there is a solution that works better than the others where you have much more control. With Microsoft Defender XDR, in my experience, we have managed to give that to our customers. Our customers are satisfied with the product, and none of them have replaced or changed Microsoft Defender XDR.

There is the cost of the license, and there is the cost of implementation services. Only by enabling a license for your user, all the features are not going to be enabled and the policies are not going to be configured. It does not work like this. You need specialized people to implement, monitor, and maintain the systems. It comes as a package.

I would rate Microsoft Defender XDR a seven out of ten for pricing. It is costly, especially on the cloud part. There is also Defender for Cloud, which is part of Microsoft Defender XDR. It is 15 dollars per server per month. It is worth it, but it can be costly. It depends on the company's size. That is the big issue.

If you have a company with ten employees and ten servers because you have your own infrastructure hosted within virtual machines, you need to protect ten client endpoints. It is cheap if you get a business premium license. It costs around 17 euros per user. To protect the servers, you need to pay an extra 14 euros per server per month. For ten servers, it is 140 euros per month. Per year, it is around 1600 euros. Small companies or companies with a small budget would not go for it because they do not want to invest in IT. They do not see this value. In my opinion, big companies can justify this cost.

In the countryside of Malta, it is tricky to sell the solution. I have to give them all the advantages. I always have a test environment, so I show them how it works, how the automated detection works, how it behaves, and how it acts on the threats. I give them an overview, and they get amazed. When it comes to the pricing, they get a little bit scared, but ultimately, they go because they see value in it. Everything depends on the value that a product gives and how you sell a product as a solution provider. An XDR solution provides value because it protects your assets. Your data is your major asset. If you do not have it protected, you can get hacked or have a ransomware attack. Companies are now starting to understand the importance of it, and they are starting to invest more. It is still a long way for us to have the mindset where they say that it does not matter how much it costs, we need to invest in security.

I would recommend Microsoft Defender XDR. It is the best solution in the market.

For me, Microsoft Defender brought a career change. It made me go deeper into the security products. Previously, I was more of an infrastructure guy. I was more focused on on-prem and Windows servers, but then I moved away from infrastructure. I work for a data center company, and I am a presales solutions architect designing solutions for financial companies, banks, and gaming companies or companies with online casinos.

A lot of people did not like Microsoft Defender because Microsoft was not known as a security company, but Microsoft has been investing billions of dollars every year in security, and now, they provide cutting-edge technology, especially with AI.

I have been following Microsoft, and I go to Microsoft events. There is a new product called Security Copilot that is going to be completely connected to Defender XDR. It will give much faster feedback and response to threats by issuing reports. Today, a security analyst takes four to five hours to prepare a report. With Microsoft Security Copilot and Defender, it is going to change massively. Within five to ten minutes, you can prepare a report with the Security Copilot solution. It is going to be released very soon, and I am looking forward to it.

Overall, I would rate Microsoft Defender XDR a ten out of ten.

We are a Microsoft partner and we have clients who are Microsoft 365 administrators in several companies. They are looking for ways to secure their tenants and make sure that their security is top-notch. That's where Microsoft Defender comes in. We use Microsoft 365 Defender for security and compliance to secure tenants from malicious attacks, including spam and phishing attacks. And when it comes to compliance, it is used for data privacy and data protection to ensure that very sensitive data doesn't go out to the wrong location.

It makes security and protection very seamless.

And Defender saves me time. For instance, if I get notified that a user isn't receiving emails from a particular person, I know that the first thing I have to do is a message trace. It saves me time to an extent because I have a go-to location. With message trace, I'm able to trace emails from, for example, abc@givendomain.com over the past two days. It gives me information about what actually happened in the mail flow. I'd rate the time it saves me as a seven out of 10. 

It has also saved us money, on the order of 50 percent. And our time to respond has improved to the level of a six out of 10.

The features of the solution are vast and wide.

The most valuable feature is the content search feature in the compliance portal. It is very useful because it covers both audit log search and content search. The audit log search is very useful because, most of the time, you see several changes within the admin portal and it's hard to keep track of what happened. Our customers want to get to the root cause and see the activity that must have triggered those changes. That's where the audit log search comes in. They've enhanced the feature in such a way that it has a vast range of search options so that an analyst can carry out a full search.

The content search feature has also advanced to a point where you can carry out several searches with your keywords. You can point it to a certain location, such as Exchange Online or SharePoint Online, or Teams Online. You can narrow the search down to a particular individual or group of individuals. When administrators report that they have lost content or accidentally deleted a mailbox or the mailbox content, the content search feature is a good way to recover the content.

Another top feature is threat management. It helps prioritize threats across the enterprise.

In addition, you can navigate to the security compliance portal and set restrictions to block IP addresses from different locations. You can also choose to flag domains that are sending malicious attacks and block them and update the anti-spam policy to make it more strict to prevent attacks from happening in the future.

Many people don't realize that Microsoft Azure, Exchange Online, and the security and compliance portal all sync together. For instance, within the Azure portal, you can set security restrictions and policies to help secure your tenants, but most administrations do not know about that, including things like multi-factor authentication, conditional access policies, and privileged access.

We've had reports from clients about compromised accounts because someone got access to a password that they shouldn't have. Multi-factor authentication helps eliminate this. As for conditional access policies, you can set certain policy restrictions to certain locations or IP addresses so that emails or sign-ins only come from particular locations. That helps secure your environment against malicious sign-ons to your accounts.

The good part of it is that these products have already been integrated. When you sign on as an admin you have global admin rights and that gives you access to all these features. You will see Exchange Online, security and compliance, and Microsoft Azure. All you need to do is click and it takes you to the portals.

Overall, the comprehensiveness of the threat protection is at 95 percent. It's not 100 percent because of updates not being done on the Knowledge Base and technical know-how.

The alert feature allows you to set the severity of alerts. If there is a malicious or suspicious sign-on, an alert triggers immediately letting you know, as an administrator, to check what's going on in that account. For example, there was a time when one of our users' accounts was about to be compromised. We got an email notification which was sent to all administrators on the tenant. I was able to block that activity in real-time and then set the system to trigger more alerts for such sign-ons in the future. I also blocked the IP address. That particular feature has helped. The alert arrived in real time to prevent the account from being compromised.

When changes are done within either the admin or security and compliance portals, there should be a real-time update to administrators about the changes. Many times I'm supporting a case where someone says, "I used to do this like this, but I'm unable to do it that way anymore. What happened?" And I will have to say, "Oh, sorry. That doesn't work like that anymore. It's now done this way." So there should be a way to notify people about changes like that, and prompt information when changes are done within a portal.

I would also like to see regular updates about new features in the Knowledge Base. There are cases where I'm using a Knowledge Base article to try to educate a customer, but when I check the feature on the admin portal, and in the article, they don't look alike. For instance, it's saying, "Go to settings. From settings, go to options." Meanwhile, on the portal itself, I'm seeing "Settings, go to more settings, then go to options." It would help a whole lot if feature updates were updated in real-time in the documentation.

Also, the message trace feature for investigating mail flow issues should add more detailed information to the summary report. The summary report is what the administrators are able to understand. The extended reports are a very deep dive and the administrators will only understand them if they reach out to support engineers. But if they could extend the summary report a little bit, and make it more descriptive, ordinary administrators could understand what happened and that the emails failed at this or that point. That way they would know the location to go to try to correct it and prevent it from occurring again. Making that summary report more extensive and detailed would be of great help.

I have been using Microsoft 365 Defender for a little over three years.

Overall, it is stable. 

There are a few bugs but they generally don't impact the reliability. The bugs are not the kind that impact the work done by an organization. Processes can continue while they fix the bugs.

It is scalable.

It is used across multiple departments with anywhere between one and 200 endpoints.

Their response time is okay, it works fine, but the time it takes to resolve escalated cases needs improvement. An escalated case is when there is a bug. You could literally have reported a bug and it's still not resolved the following week. Bug fixes take a long time, especially when a very essential feature is not working as expected.

Neutral

It took me three to five months to understand it because it has a vast number of features. If you do not understand it, one click could mess up a whole lot of things.

Microsoft should provide lower-level licensing options. They should do it in such a way that even an individual could purchase a license, and it should be entirely flexible. An individual should be able to access the solution at a very affordable rate.

Most administrators, in my experience so far, are reaching out to third parties for email filtering and to manage threats in their organization. According to them, Microsoft 365 Defender isn't giving them the information they need. And I realize that this is not correct. What they're missing out on is the proper information or technical know-how to utilize the features.

For example, if someone uses Barracuda as their third-party filtering service, I begin to ask questions such as, "Okay, why did you choose to use the Barracuda service when we have the ability to create good anti-spam policies that could help secure your tenant? You can create anti-phishing policies and rules that will help restrict IP addresses." Often, what they say is that Barracuda is better because it gives them more information and real-time data. At that point, I ask them to let me provide a deep dive into the features of Microsoft 365 Defender. I use the documentation and Knowledge Base articles to explain its features, one after the other, and they begin to say, "Oh wow." They didn't know these features actually exist. They'll begin to look at the possibility of utilizing the Microsoft solution since they have paid for it. Why should they pay additional money to a third party to get services that Microsoft provides? They feel very happy about the information I provide.

So far so good. The Microsoft 365 product hasn't given me a reason to want to check for other products and move to something else.

For the best and most seamless user experience, it's best to go with a single vendor because there could be a lot of complications going with a best-of-breed strategy. It's easier to understand things with a single vendor.

When you don't understand a feature, ask questions and reach out for support. There are some features that are being used wrongly or that are underutilized.

Also, test the product beforehand. They provide trials so you can test the solution and see if it meets your expectations.

Microsoft 365 Defender is an extension of Windows Defender. Windows Defender is an AV that is integrated with Windows OS, and with this extension, you also get the EDR functionality for security purposes. Microsoft 365 Defender gets more access to the device and provides more insights and control over that. Apart from the Windows platform, it also includes other OSs, such as Linux and macOS.

We do have multiple options for deployment. We did deploy it on the cloud. We got the on-cloud license, and we onboarded our devices to the portal. The portal is deployed on the Azure cloud.

It helps us prioritize threats across the enterprise. We also have options to prioritize a specific device and monitor it. We can keep a device on high alert or on the watch out for each and every event. There are different severity levels, such as critical, high, medium, and low. We can set severities on any of the devices. Based on the set severity level, Microsoft 365 Defender can track events, and we can monitor those events from the console.

We get more insights and more information about the devices that we have. Because most of them are Windows devices, we have integrations with Intune or SCCM. It is easy to transfer all the information and see everything in one single portal. If we want to configure anything or control the devices in the whole organization, it is easy because all of them are in the same environment. It is easy to manage and control them.

There are fewer compatibility issues and errors and a better ability to track events. With third-party solutions, I used to see more issues related to compatibility and setting the ports. For each and everything, we had to either go through the support documents or through the support to get information. Most of the Microsoft documentation is publicly available. It is not that you only get that when you open a support case. That's an advantage compared to others.

It helps to automate routine tasks and the finding of high-value alerts. We have KQL or SQL queries that we can set up. We can schedule them so that it automatically queries for a specific device or all the devices and gives us a report that we can simply export.

Its threat intelligence helps to prepare us for potential threats before they hit and take proactive steps. It has helped us to recover a few devices. Because it is integrated with the OS, we get information about failed logins.

It saves time and manual labor. Previously, we used to use a deployment portal such as Filezilla or GPOs. We used to manually update the signatures, but now, it is automatic. It saved me pretty much half a day's work.

It has decreased our time to detect and our time to respond. It has saved half a day's work. The sensor constantly connects to the console. In case of an issue, we get an email immediately. We also get a notification in the console. Previously, we used to manually scan the device or query something and then get the results. Because it is automated, we don't need to manually do that. Previously, we used to manually isolate or block a device, or we used to work with different teams to get the device offline, but now, we can simply search the device name in the console and isolate a device from there, which is convenient for us.

The EDR features are valuable. By getting the EDR features, we have more control over the device. We have information about events in real-time and more protection against zero-day threats and zero-day vulnerabilities. We can monitor every event or action that a device is going through. We can get an idea if it is something malicious or if we have to take any actions.

Because Microsoft 365 Defender is integrated with the OS, we get more insight into the events or threat activities. With a third-party solution, we could have some limitations or compatibility issues with the OS, whereas with Microsoft 365 Defender, there are no compatibility issues for Windows, and we get more insights and more information on the threats simply by logging into the console.

The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there. 

It has been almost three months.

I would rate it a seven out of ten in terms of stability. It is quite stable but it can be improved for a few scenarios. It is still new for macOS and Linux, and for these OSs, I would rate it a six out of ten in terms of stability.

It is scalable. We are using it pretty extensively. It is for multiple departments, and there are multiple teams handling it. In the tenant I have, there are 2,000 devices that are currently onboarded. We also get information about which devices are not onboarded. I can see that a few hundred devices are not onboarded. We also have a few other clients or partners who are using it but on a small scale. 

It is good. We do get constant responses and inputs from them whenever we raise a case. They are quite helpful. I would rate them an eight out of ten.

Positive

I started working with this solution because I changed my organization. That was the major reason. 

Being able to get the information simply from a single portal and the integration with other portals have been some of the benefits. Previously, we used to get data manually, and then we used a SIEM or event collector to send that data to other portals. Now, we can integrate with other Microsoft portals, such as Intune, and get the same information there as well. That's one convenience I have found.

I am not involved with tenant deployment. I am involved with the onboarding of the devices. If you have the right knowledge, it is completely fine. They do have an admin console. You can deploy multiple tenants and also control through that console, but I don't have access to that. I only have access to my own tenant. I only have control over that. We can also include a tenant for a specific organization from the admin console. That admin console is deployed on Azure.

Most of the maintenance is automatic. Because we allow Windows updates, most of the Defender updates are also included in Windows updates. We don't have to specifically go and check. If we see any alert or we find any suspicious events or something on the console while we are investigating, then it might need manual checks. We do get some recommendations through the console itself for what we can do to improve the device security score. So, it requires some maintenance, but that's only when we detect something or we are investigating something. For maintenance, we have different teams in each section. We have around 15 to 20 people.

I don't have the metrics, but we started to see its benefits within a couple of weeks from the time of deployment.

Its licensing and pricing are handled by someone else. My role is limited to incidents or issues with the portal, but you get what you pay for. It is worth the cost.

We did compare it with VMware Carbon Black and McAfee. We did check Symantec as well, but Symantec didn't have EDR capabilities. So, we dropped it. The final call was Microsoft because we found the integrations and other things easy. It saves time for us because we don't need to go through another team or get a separate team involved just for data transfers.

I would definitely recommend this solution. Getting the product is easy. You simply get the license, but after getting the product, you need to go through the deployment and configuration of the product to match your environment. You can just try out the product and experiment in your own way and learn each and every feature. The documentation is completely public. 

I would rate it an eight out of ten because there are a few areas where it can be improved.

Our primary use case for Microsoft Defender XDR is to serve as our email security solution, offering file protection, scanning, alerts, and incident management. It is a part of every Microsoft 365 deployment we do.

The integration of Microsoft products simplifies management, reporting, and investigations. It offers capabilities that other solutions don't offer.

The feature I find most valuable is Defender for Endpoint. It's because endpoint management is my primary focus, and this feature integrates well with my other skills.

The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users.

I've been using Microsoft Defender XDR for about ten years since it was known as Office 365 Advanced Threat Protection.

I have no concerns about the stability of Microsoft Defender XDR.

We are only a small organization, and our operations don't even challenge Microsoft Defender XDR's capabilities.

The customer service and support have been good. Whenever it is needed, they are fast to respond.

Positive

We used various solutions over the years, but since then, we've been using the Defender variants.

The initial deployment was straightforward.

We implemented Microsoft Defender XDR ourselves in-house.

There are no issues with pricing, but sometimes, the clarity in licensing is a concern. I still need to verify what's included with each license occasionally.

I would rate Microsoft Defender XDR a ten out of ten.

One of my largest customers deployed Defender for Endpoint, but they also wanted Defender XDR to get a specific feature. Defender XDR is included in the E5 license, but it's a bit too expensive. Our customer wanted Defender XDR's file integrity monitor tools for compliance. My client is using Defender with Sentinel, but I'm unsure how much they use it. 

My clients like Defender's file integrity monitoring. They're monitoring Windows and Linux system files.

My client would like the solution to be more customizable without using code. You can only build on the default console, but we're not allowed to change it. 

We have a similar tool to Defender's file integrity monitoring. Under the VMware VM properties, there is a change-checking tool, and it will tell us if the extension is in a different location. You can configure checking and do the monitoring. When I log into Defender's file integrity portal, I cannot see that this machine was enabled.  It's the same agent and extension. 

It's confusing because I don't know how to tell the customer they don't need to pay $15 per month because you already can enable the extension in VMware. Under the Defender account, it all seems like it's high code, and we cannot change it. Every customer has requirements for us to customize those things. 

I have used Defender XDR for about a year. 

Defender XDR is an enterprise-scale solution. 

I rate Microsoft support 4 out of 10. 

Neutral

I rate Defender XDR 3 out of 10. I don't think Defender XDR is ready to deploy in its current state. It has too many solutions inside, and they're not fully integrated. 

Defender XDR can replace multiple security products. It covers everything, including phishing protection, network security, device security, applications, etc. 

The solution has reduced time spent on manual tasks because almost everything is automated. You don't have to do anything. If something happens, you'll get a notification, and it will instantly run the playbook for the incident. For example, a phishing email might take an hour to investigate manually. If you have Defender, you will have all the information you need on the incident page. It's all there, so you can investigate the incident in around 5 to 10 minutes.

Adopting Defender cuts costs. While the solution is a little pricey, you only need two products—XDR and Sentinel—so you don't need to add other security products. You only need to use the Microsoft security stack. 

The advantage Microsoft Defender XDR has over other XDRs in the market is that it's easy to use. You can quickly differentiate between alerts, incidents, devices, software, etc. It's easier to investigate an incident, and you have so many options. You can automate investigations and use playbooks. There's also the live response session, which is something you can't find in any other XDR. 

The identity protection is excellent. It uses some rules, including some built-in rules from Microsoft itself. It identifies risky users and differentiates between a user who is trying to sign in and isn't the actual user. Identity and access management is a valuable component of Defender.

Defender covers non-Microsoft technologies if you're using the full Microsoft stack with Sentinel and Defender. You can ingest logs from other solutions, like Palo Alto and Fortinet firewalls. 

It stops advanced attacks like ransomware and phishing in real time and prevents them from entering your environment. There's a feature called Security Advisory that shows you all the latest threats and vulnerabilities in the market so that you can make rules for them. It helps you understand them more. 

With Sentinel and Microsoft Lighthouse, you can use multi-tenant access. It allows you to connect multiple tenants to one tenant, which you can use to monitor everything from there. Before we had Microsoft Defender, we had to go to each tenant, log n from your account, and investigate the incident if it's there. Lighthouse has one page with all the alerts, and they're all connected together. You can investigate every alert from one page.

The design of the user interface could use some work. Sometimes it's hard to find the exact information you need.

I rate Microsoft Defender XDR 7 out of 10 for stability. There are some performance issues maybe 5% of the time. 

I rate Microsoft Defender XDR 9 out of 10. It's easy to scale. 

I rate Microsoft support 8 out of 10. They answer quickly. If you open a ticket, they will respond immediately. You can chat with them or schedule a call. 

Positive

The setup is straightforward. You only need to buy the product and onboard every device. It's like a script for Microsoft Intune. The process takes a couple of days for a small company, but a larger business may require three or four days. 

Defender XDR is fairly priced. 

I rate Microsoft XDR Defender 8 out of 10. I recommend giving the product a try. If it doesn't work for you, try something else until you find a suitable product. There might be other solutions that are a better fit. It's good for my case, but it might not be right for everyone. 

The summarization of emails is a valuable feature. I get more than 1000 emails a day. It is hard to read them all. Summarization makes it a lot easier. The solution also provides transcription features.

It doesn't work in Word, Excel, and PowerPoint consistently. We find it full of bugs. It doesn't work properly. The tool gives inconsistent answers and crashes a lot. I spoke with the Microsoft team regarding these issues. The person I spoke to said that our expectation was too high and that we should have expected that it would only operate at 70% accuracy, which was a bit of a shock.

I have been using the solution for four years.

We use most of E3 and E5. We're using 92% of the catalog. Everything runs in the cloud. In the past six months, there have been incidents where the cloud has had some issues. We've escalated them to Microsoft and have had a conversation about stability.

The tool is scalable.

The support is decent. It could be better in certain circumstances. Overall, it's acceptable for what we need it for.

We were using a Symantec tool before. We stopped using it because we were exiting a relationship with the Symantec tools. We chose Microsoft Defender for Office 365 because we had a relationship with Microsoft, and it did similar things to what we used the Symantec tool for. It was an easy choice.

The initial setup was complex. It doesn't work. Semantic Index takes 48 hours. Getting people to onboard is not as simple as turning it on and making it work.

We have to ensure that we are teaching people about these tools, their value, and the use cases to determine whether they will use them. If we turn it on and somebody is not trained to use the tool, they will abandon it. It's still not functioning properly. It's a bit of a risk for Microsoft to push out a tool that's not ready yet.

We did the implementation ourselves. We have a large enough internal team.

The solution is too expensive. Each license costs us $30.

Google is an alternative. The comparison is based on market share, penetration, usefulness of tools, and cost. Microsoft has the lead. It's embedded. We use it as a productivity suite for our company. Excel, Word, and PowerPoint are tools that people use on a daily basis.

The tool provides a little bit of unified identity and access management. It's not the most important thing for us. Security is a multi-layered strategy, and Defender is one aspect.

The product is one of the many tools we deploy to ensure that the lateral movement of advanced attacks does not occur. If it were the only tool we had, I wouldn't be as confident in saying that we have the proper levels of security, but it is one of the multiple tools we have. So, lateral movement is almost impossible.

The solution might be able to adapt to evolving threats in a smaller shop. However, it is not so in our organization.

We run a bank. We are testing out Copilot. We're about to roll it out to several thousand users. The tool hasn't yet helped improve things in our organization, but it has the potential. Copilot is new. It's difficult to determine the ROI and its value. It's hard to tell. We do get some value out of the product.

Overall, I rate the product a seven out of ten.