Microsoft Defender XDR Reviews

It is an integral part of our security infrastructure, primarily serving to monitor both our server and client environments comprehensively.

Its strength lies in providing a holistic view of the protection it offers. When a threat is detected, the system not only identifies the nature of the threat but also provides valuable insights into how and why it was detected. This thorough understanding empowers us to take well-informed steps to remediate the threat effectively. The unified Microsoft environment enhances overall ease of use, making it considerably simpler for our team members to collaborate and work efficiently, given our familiarity with Microsoft products. Unified identity and access benefits stand out as crucial, especially as we delve deeper into compliance considerations. The increasing importance lies in having a centralized view, streamlining visibility through a single interface rather than navigating across various sections in Defender.

The incident threat response and its ability to facilitate effective remediation against threats are the standout features. I haven't encountered a similar level of comprehensive incident response in other solutions before.

Perhaps there's room for visual enhancements to make the platform more appealing. Stability could be improved by avoiding frequent changes to the interface.

We have been working with it for approximately a year.

It has proven to be scalable within our organization, which, while not exceptionally large, consists of around eight hundred users globally. It strikes a balance, meeting our needs effectively without being overly complex.

The technical support is generally good, but we sometimes find the first-line support process a bit cumbersome. After initiating a case, we, as experienced professionals, go through the standard script diligently (ABC), only to find that first-level support requests the same steps again. While I understand the need for thorough troubleshooting before escalation, it can be time-consuming. I would rate it six out of ten.

Neutral

Compared to antivirus or security products such as Trend Micro or McAfee, Microsoft Defender XDR appears notably more user-friendly and offers a clearer interface. The adoption of Microsoft Defender allowed us to phase out the use of other security products, including our long-standing reliance on McAfee and Trend Micro. The transition was prompted by the effectiveness of Advanced Threat Protection offered through Microsoft Defender 365. The decision to consolidate under Microsoft's umbrella proved advantageous, making the adoption process smoother and more efficient for our organization.

The initial setup wasn't overly complicated. We only needed to create a few scripts, which were then executed on our local machines within the environment. This process seamlessly integrated the machines into Defender within our tenant.

We use a third-party software tool for executing scripts and deploying software packages.

We've achieved significant cost savings, primarily in the realm of security. As Microsoft continues to enhance Defender, we anticipate further opportunities to streamline and consolidate various aspects of security monitoring and software under the Microsoft umbrella. I'd estimate the savings to be in the tens of thousands of dollars annually.Considering our relatively small team of around thirty IT professionals, especially those at the first level primarily using security products like Defender, the streamlined access within the same application prevents them from having to navigate through multiple applications. This efficiency translates to a potential saving of around a dozen hours per month per individual.

Understanding the subscription model has been a bit challenging, as every feature or requirement comes with an additional cost.

Overall, I would rate it eight out of ten.

We use 365 Defender to manage organization-level devices and vendor security compliance. We are a retail-focused organization that offers cloud services through Azure, GCP, and AWS, but we manage all the security through 365 Defender. Some of our users are based in other countries, and everything is centralized. We operate in multiple regions. 

We can easily track any other malicious activities or additional applications that will prevent it. We can get it here. It will be a helpful tool once we create policies for DLP and third-party programs. 

365 Defender stops the lateral movement of advanced attacks. It prevents something that happens on the device level from affecting us on the organization level. The solution enables us to track all the details, like the IPs and the device types. 

365 Defender helps us deal with unknown threats by creating custom policies, which enable us to block access by specific unknown sources and unsafe links. 365 Defender has multi-tenant capabilities, and we have multiple tenants, but I'm only involved in the retail part, so I don't have authority over other tenants. 

We were able to discontinue some of our other security products when we implemented 365 Defender, but there are some exceptions. We can use non-Microsoft solutions when the customer requires it. Mostly, we use cloud solutions. We've saved some costs on the security side at the organizational level by reducing equipment costs. Using 365 Defender's automation capabilities, we can cut our vulnerability management time by about 40-50 percent. 

I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications. 

The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender 365, it would be helpful to use a different format so we can customize the platform.

I have used 365 Defender for more than two years. 

365 Defender can have some performance issues during enrollment. It can take a while at times, but sometimes it's duplicated immediately. That's an issue with some other cloud-based programs like Intune and Azure products. 

I rate Microsoft 365 Defender support nine out of 10. Their support representatives provide solutions based on priorities. They prefer to follow the proper SLA part. 

Positive

The deployment is quick, straightforward, and involves only two people. 

Sometimes 365 Defender is expensive, but it can be moderate, depending on the organization's size and the license type. We're satisfied with the cost because it gives us a product that protects our entire environment with DLP. To compromise some cost, of course, we are to complete the most secure environment. 

I rate 365 Defender nine out of 10. 

We are a Microsoft partner and we have clients who are Microsoft 365 administrators in several companies. They are looking for ways to secure their tenants and make sure that their security is top-notch. That's where Microsoft Defender comes in. We use Microsoft 365 Defender for security and compliance to secure tenants from malicious attacks, including spam and phishing attacks. And when it comes to compliance, it is used for data privacy and data protection to ensure that very sensitive data doesn't go out to the wrong location.

It makes security and protection very seamless.

And Defender saves me time. For instance, if I get notified that a user isn't receiving emails from a particular person, I know that the first thing I have to do is a message trace. It saves me time to an extent because I have a go-to location. With message trace, I'm able to trace emails from, for example, abc@givendomain.com over the past two days. It gives me information about what actually happened in the mail flow. I'd rate the time it saves me as a seven out of 10. 

It has also saved us money, on the order of 50 percent. And our time to respond has improved to the level of a six out of 10.

The features of the solution are vast and wide.

The most valuable feature is the content search feature in the compliance portal. It is very useful because it covers both audit log search and content search. The audit log search is very useful because, most of the time, you see several changes within the admin portal and it's hard to keep track of what happened. Our customers want to get to the root cause and see the activity that must have triggered those changes. That's where the audit log search comes in. They've enhanced the feature in such a way that it has a vast range of search options so that an analyst can carry out a full search.

The content search feature has also advanced to a point where you can carry out several searches with your keywords. You can point it to a certain location, such as Exchange Online or SharePoint Online, or Teams Online. You can narrow the search down to a particular individual or group of individuals. When administrators report that they have lost content or accidentally deleted a mailbox or the mailbox content, the content search feature is a good way to recover the content.

Another top feature is threat management. It helps prioritize threats across the enterprise.

In addition, you can navigate to the security compliance portal and set restrictions to block IP addresses from different locations. You can also choose to flag domains that are sending malicious attacks and block them and update the anti-spam policy to make it more strict to prevent attacks from happening in the future.

Many people don't realize that Microsoft Azure, Exchange Online, and the security and compliance portal all sync together. For instance, within the Azure portal, you can set security restrictions and policies to help secure your tenants, but most administrations do not know about that, including things like multi-factor authentication, conditional access policies, and privileged access.

We've had reports from clients about compromised accounts because someone got access to a password that they shouldn't have. Multi-factor authentication helps eliminate this. As for conditional access policies, you can set certain policy restrictions to certain locations or IP addresses so that emails or sign-ins only come from particular locations. That helps secure your environment against malicious sign-ons to your accounts.

The good part of it is that these products have already been integrated. When you sign on as an admin you have global admin rights and that gives you access to all these features. You will see Exchange Online, security and compliance, and Microsoft Azure. All you need to do is click and it takes you to the portals.

Overall, the comprehensiveness of the threat protection is at 95 percent. It's not 100 percent because of updates not being done on the Knowledge Base and technical know-how.

The alert feature allows you to set the severity of alerts. If there is a malicious or suspicious sign-on, an alert triggers immediately letting you know, as an administrator, to check what's going on in that account. For example, there was a time when one of our users' accounts was about to be compromised. We got an email notification which was sent to all administrators on the tenant. I was able to block that activity in real-time and then set the system to trigger more alerts for such sign-ons in the future. I also blocked the IP address. That particular feature has helped. The alert arrived in real time to prevent the account from being compromised.

When changes are done within either the admin or security and compliance portals, there should be a real-time update to administrators about the changes. Many times I'm supporting a case where someone says, "I used to do this like this, but I'm unable to do it that way anymore. What happened?" And I will have to say, "Oh, sorry. That doesn't work like that anymore. It's now done this way." So there should be a way to notify people about changes like that, and prompt information when changes are done within a portal.

I would also like to see regular updates about new features in the Knowledge Base. There are cases where I'm using a Knowledge Base article to try to educate a customer, but when I check the feature on the admin portal, and in the article, they don't look alike. For instance, it's saying, "Go to settings. From settings, go to options." Meanwhile, on the portal itself, I'm seeing "Settings, go to more settings, then go to options." It would help a whole lot if feature updates were updated in real-time in the documentation.

Also, the message trace feature for investigating mail flow issues should add more detailed information to the summary report. The summary report is what the administrators are able to understand. The extended reports are a very deep dive and the administrators will only understand them if they reach out to support engineers. But if they could extend the summary report a little bit, and make it more descriptive, ordinary administrators could understand what happened and that the emails failed at this or that point. That way they would know the location to go to try to correct it and prevent it from occurring again. Making that summary report more extensive and detailed would be of great help.

I have been using Microsoft 365 Defender for a little over three years.

Overall, it is stable. 

There are a few bugs but they generally don't impact the reliability. The bugs are not the kind that impact the work done by an organization. Processes can continue while they fix the bugs.

It is scalable.

It is used across multiple departments with anywhere between one and 200 endpoints.

Their response time is okay, it works fine, but the time it takes to resolve escalated cases needs improvement. An escalated case is when there is a bug. You could literally have reported a bug and it's still not resolved the following week. Bug fixes take a long time, especially when a very essential feature is not working as expected.

Neutral

It took me three to five months to understand it because it has a vast number of features. If you do not understand it, one click could mess up a whole lot of things.

Microsoft should provide lower-level licensing options. They should do it in such a way that even an individual could purchase a license, and it should be entirely flexible. An individual should be able to access the solution at a very affordable rate.

Most administrators, in my experience so far, are reaching out to third parties for email filtering and to manage threats in their organization. According to them, Microsoft 365 Defender isn't giving them the information they need. And I realize that this is not correct. What they're missing out on is the proper information or technical know-how to utilize the features.

For example, if someone uses Barracuda as their third-party filtering service, I begin to ask questions such as, "Okay, why did you choose to use the Barracuda service when we have the ability to create good anti-spam policies that could help secure your tenant? You can create anti-phishing policies and rules that will help restrict IP addresses." Often, what they say is that Barracuda is better because it gives them more information and real-time data. At that point, I ask them to let me provide a deep dive into the features of Microsoft 365 Defender. I use the documentation and Knowledge Base articles to explain its features, one after the other, and they begin to say, "Oh wow." They didn't know these features actually exist. They'll begin to look at the possibility of utilizing the Microsoft solution since they have paid for it. Why should they pay additional money to a third party to get services that Microsoft provides? They feel very happy about the information I provide.

So far so good. The Microsoft 365 product hasn't given me a reason to want to check for other products and move to something else.

For the best and most seamless user experience, it's best to go with a single vendor because there could be a lot of complications going with a best-of-breed strategy. It's easier to understand things with a single vendor.

When you don't understand a feature, ask questions and reach out for support. There are some features that are being used wrongly or that are underutilized.

Also, test the product beforehand. They provide trials so you can test the solution and see if it meets your expectations.

The solution is primarily used for security response. We work with many government ministries that use Microsoft, Microsoft 365, or security tools like Azure XDR. This solution integrates with other products, helps with detection, and offers quick response times.

The threat-hunting and incident investigation capabilities are very strong. It can investigate and block phishing attacks and monitor them effectively. We can even do endpoint behavior analysis. 

The solution's XDR platform provides unified identity and access management for customers. If the customer is using a Microsoft Enterprise XDR solution, it does. We do have Microsoft Defender for Identity. It's part of the suite itself. Customers can have Defender for Endpoints, Defender for Identity, and Defender for Cloud. All these things combined form the XDR. The main use cases are around identity - to understand whether there is identity hacking, privilege escalation, or some malicious user in the environment. It helps us respond to those events very quickly.

From a coverage point of view, it's good. We are quite happy with it. If we have users with multiple devices, the solution provides comprehensive coverage.

While the solution does cover technology beyond Microsoft, it's strongest when monitoring the Microsoft Suite. We do have servers, and it can monitor them. They don't necessarily have to be Windows servers.

Defender XDR can stop advanced attacks, like ransomware or business email compromise. It depends on how the solution is configured. It does a lot of monitoring and helps the SOC team or the analysis team find issues. 

The solution has the ability to stop attacks and can adapt to evolving threats. It can ingest a lot of threat intel data, which actually gives us the latest information about how the threats are happening. It does a quick analysis of that. 

Some customers use Defender XDR's multi-tenant management capabilities. That said, most of the time, they might not need a multi-tenancy. In one or two cases, customers may have done it, but not very frequently. The multi-tenant management capabilities for investigating and responding to threats across tenants are pretty decent. It provides a very unified view. That's one of the core capabilities of Microsoft XDR - the unification of the view. In a security situation, I might have solutions in multiple places. However, our tenant will be protected, and we will receive alerts. It helps a lot with individual client monitoring. It will help me hunt other tenants as well. It makes it so we have a very cohesive environment. 

Defender XDR has enabled some of our customers to discontinue the use of other security products. However, it's not always based on capabilities. In Qatar, for example, it's a government mandate to use Microsoft as much as possible, so we move a lot of customers over exclusively to Microsoft in those cases. That doesn't mean the other product wasn't performing. It just means there is a heavy preference towards being solely on Microsoft. 

The Microsoft XDR solution has helped some customers to reduce costs. One of the major cost reductions is on the resources side (not on the technology side). As a service provider, we can move to a much leaner team with the XDR setup than with a non-XDR setup. When you have different environments to monitor and different alerts coming in from different devices, then you need more people to do the monitoring and analysis. However, when you have a unified view of the environment, then you can reduce the team to a certain extent. We can do a 25% reduction on a team, which is a considerable reduction since resources are expensive. How much a company can save depends on the environment. If it's small, the reduction in cost may not be significant. It can be as low as 10% or as high as 25%, depending on the size of the environment. 

It's helped us save time. It's difficult to specify how much; however, it's likely up to 25% thanks to the reduction in the analysis needed. 

From a performance standpoint, improvements could be made. 

I've used the solution for one and a half years. 

I'd rate the stability eight or nine out of ten. If it's just a Microsoft environment, the reliability is very good. If it's a mixed environment, I'd rate the stability seven out of ten. 

The solution is highly scalable. 

Technical support is good. We have enterprise support and they are responsive.

Positive

I do not handle the initial setup process. The customer may deploy it across multiple locations. The size of the environment can vary from 100 users to 1,000.

There isn't really any heavy maintenance. You just have to renew the licenses. If it's a small environment, one person can handle that. If it's bigger, there may be two or three people. 

My understanding is that Microsoft is trying to change the pricing. However, right now, it's bundled together. If it could be decoupled a bit, it would help customers be able to afford the solution. 

We are service providers, and we resell Microsoft solutions. 

XDR is basically used for unification. It's more of a dashboard. When you have an XDR, you can monitor the entire environment. You can also see and take actions across the entire environment, which is actually a very big advantage when it comes to a particular software analyst's day-to-day job. They can be monitoring one screen. Typically, if an issue is found, a ticket needs to be made, and that's passed onto an engineer, but with XDR, a lot can be automated. It can help reduce costs related to manpower and make the process more efficient. 

I'd rate the solution nine out of ten and recommend it to others. Smaller companies may not need it; however, if a company is growing fast or is already sizable, it's a good option—especially if it is a mostly homogeneous Microsoft environment.

We use Microsoft Defender XDR for our Microsoft 365 email service.

It helps protect us against ransomware. We were a victim of a malware attack in 2018 before implementation.

Email protection is the most valuable feature of Microsoft Defender XDR.

The price has room for improvement. The price should be adjustable by region.

I have been using Microsoft Defender XDR for almost 5 years.

Microsoft Defender XDR is stable.

Microsoft Defender XDR is scalable.

The technical support is good.

Positive

Microsoft Defender XDR is priced high.

I would rate Microsoft Defender XDR 8 out of 10.

No maintenance is required from our end because it updates with the OS.

We typically use Defender's default settings and are implementing MITRE ATT&CK use cases on Microsoft Defender this year. We do manual threat hunting and check to see if there is a trending attack. We have the latest IOCs and sweep across the organization looking for them. 

When implementing Defender, we usually use its advanced hunting features to determine particular techniques used across the whole environment. We use multiple Microsoft security products, including Defender for Endpoint, Defender for Cloud Apps, Sentinel, email and collaboration, data loss prevention, and Microsoft Purview.

Defender XDR enables us to prioritize threats according to the algorithm or our custom rules. We can prioritize threats and have the option to automate the response. For instance, let's say we are facing a sticky key hijack. When you press shift several times at the login screen, you can open the command prompt of that particular host. That is a vulnerability of Microsoft Windows. When this happens, we can automate a priority alert and also isolate that endpoint from the network immediately. 

The solution reduces our remediation time by enabling our security analyst to respond quickly, make some automations, and edit the rules to detect any potential threats. The extent to which the solution reduces the remediation time depends on the analyst's skill. If the security analyst is good, Defender XDR will help them.

XDR saves money if you are using Microsoft products. XDR is more inclined toward Active Directory, a Microsoft product. No other XDR can integrate with Active Directory so seamlessly and use it to its fullest potential. Microsoft also offers multiple sub-products. If we purchased third-party solutions for email, endpoint, XDR, cloud applications, etc., and managed them on a single platform, it would be more expensive than Microsoft solutions. When we do a cost-benefit analysis, Microsoft Defender XDR offers a better value. 

I like Defender XDR's automation capabilities. XDR isn't automated by default, but you can automate it to respond. If an attack is performed anywhere within the organization, you can isolate that instance from the network. This is what I can figure out for it. When integrated with Sentinel, you can set up playbooks to automate all the alerts gathered on Sentinel from different Microsoft solutions. Sentinel has a wider range of capabilities than XDR. 

Defender XDR has good threat visibility, but it could be better in some areas, like when we are hunting for a specific host. For example, let's say we are investigating email services, and want to trace an email account to its host PCs and investigate the emails in its inbox. We want more visibility into the email side of investigations. It would be better if these features could be more integrated into the console like you could have a tab for Cloud Apps to see the cloud applications a user had communicated with. 

Microsoft's threat analytics are somewhat helpful for anything related to Microsoft products. For instance, it can update us about any single sign-on vulnerabilities or something along those lines. However, Microsoft was very late in terms of the recent LockBit attacks. LockBit compromised some significant organizations, and Microsoft didn't provide the report fast enough. It was reported on my normal cybersecurity information websites first. The site analytics are a bit weak when it comes to non-Microsoft clouds.

Defender XDR is capable of providing intelligence reports about threats specific to Microsoft components, but if we are implementing a Microsoft solution across an organization, many other products and side factors must be considered. I feel like Microsoft falls behind some other vendors in threat intelligence.

When we do investigations, it would be better if Microsoft could populate the host dashboard more. When we open any host for investigation, we want the entire timeline of what is happening on the host, including all the users logging in, their hardware, Windows version, etc. 

I have used Defender XDR for nearly 2 years. 

We haven't faced issues with stability. XDR doesn't lag during investigations. We've seen a few minor bugs in the XDR console but not often. There have been no major issues that disrupted our operation. 

Defender XDR has good scalability. If you want more endpoint visibility, you don't need to scale your organization much. You only need to integrate that particular endpoint by running a script and deploying an agent to it. 

I haven't contacted Microsoft support about XDR, but my client has. One of the alerts was triggering incorrectly based on a default setting. We asked their team to investigate why the solution was excessively triggering. I just disabled the default rules and made custom policies. Now, everything is working fine.

I previously used CrowdStrike EDR. It's hard to compare the two products because CrowdStrike EDR was focused on endpoint detection, so it cannot investigate emails or have any other XDR capabilities. One is an XDR and the other an EDR. 

We compared Microsoft Defender XDR to Trend Micro's Vision One. Defender's advantage over Vision One is ease of use. Managing and enabling policies is much easier on Microsoft Defender. There's a considerable difference between their default rules. In some cases, alerts will trigger in Defender, but not Vision One. Overall, Microsoft Defender XDR is preferable over Vision One.

I rate Microsoft Defender XDR 7 out of 10. It's a useful product for a professional security analyst who knows how to increase the visibility. You only need to make some front-end changes and put the data on host names into XDR. 

If someone asked me whether a best-of-breed or single-vendor approach is better, I would support mixing different products. Each security vendor has its own intelligence base. By including other vendors, I am gaining visibility into more indicators of compromise. Nevertheless, I would still pick Microsoft Defender XDR and Sentinel together because they are well integrated. All the big companies and banks use Microsoft. Windows is a popular operating system across the world. Defender and Sentinel are better integrated with Microsoft systems. 

We're using it for our email filtering to check incoming emails and URLs. We're also using it for vulnerability management to see the status of our assets that are registered on the system. We also check it to see what kinds of threats and campaigns are currently being launched via emails.

It provides us with better insight into what's going on across our platform. It has also given us a very easy way to respond when threats or alerts come through. And when looking for someone in particular, it helps with that. It hugely improved our insight into what's going on inside the company's premises and environments.

365 Defender also helps find high-value alerts, but we haven't used it for complete automation. It has some automation features where it can try to block or quarantine things, but beyond the default automation configuration, we haven't explored deeper into using automation. The default settings work well.

And while we've always used one or two dashboards, this system has made it easier to have a quick overview on a single platform.

In addition, the threat intelligence helps prepare you for potential threats, to a certain limit, because it gives you insights into where your shortcomings are, your vulnerabilities. It also gives you some security recommendations to make improvements.

And the solution has decreased our time to respond because on high alerts you can get a quick response. The system will notify you very quickly if it detects something at a certain thread level or a custom threat level that you set.

Microsoft 365 Defender has a very great interface to help protect registered devices when it comes to web protection, which is very handy.

We also use the alert systems often. It's a great threat intelligence source for us, providing alerts for things it detects on the network and on the machines. We've used it often when there is a potential incident to see what was done on a computer. That works quite nicely because you can see everything that the user has done, including websites accessed, et cetera. And if something was on the machine, we can see what it was trying to do.

I use the alert system on a daily basis. It gives you a very good analysis of where something was found, which employee or which device. And it often gives you a good history on that. The alerts help me to monitor and check what is going on. That's a very valuable system to have.

We've also tried the attack simulation, which sends out phishing emails internally as a test to see how the users respond. We get feedback and use the training simulation as a result. We've only done that once, and it's something we want to work on a little more.

In addition, we're using the assets on the system as well as the inventory functionality. It checks all the machines to see what software is installed on them.

We've used a lot of the features on the cloud, although not everything to its full potential, but we've used 70 to 80 percent of all the features on the cloud.

In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things.

The information it provides is great, but for a newcomer, it is quite tedious and takes a long time to load. Here in South Africa, when you click, oftentimes you have to wait quite some time before you get to the next page. It's not necessarily internet-related. I think it's just that the service is a bit slow.

Also, while the solution does help to prioritize threats, unfortunately, it doesn't do so for the entire environment. The reason is that it only supports full integration from Windows 10 and up. It provides you certain information from your server environment, but when you start going with legacy services, it is a bit lacking.

Another issue that is sometimes a headache is that they constantly make changes. Things will be merged, they will get different names, or be moved around. Things will be added and other things go somewhere else. They do a lot of development to make the product better, but it's very frustrating having to search for stuff after they've moved it, because you don't always know that they have moved things. They might have little banners, but if you're just working and don't read them, you don't know where things have gone. 

I would also really like to see better integration with the server platforms for managing your server environment. That's something it currently doesn't do. For all the server environments, you either need to make use of group policies or SCCM to manage that independently. It can provide you information on the system, but it doesn't have control over your server line.

Also, I make use of 365 Defender on a business level and on a personal level. On the personal level, there is a lot less functionality. Something that would be very nice is that, for the level you are on, you would only see the product you are subscribed to. For instance, if you log on via the business, you have all your action areas, anything you can do and see, on the left. Because you're using it at a corporate level, you can see and do everything. On the personal level, or in a small business where you're only using some of the features, you still have all the same options, but when you click on them, it tells you that you need to upgrade or subscribe. They should only show you what you have access to, and not all the tabs and then say, "You need to subscribe to get access to this." It just clutters the whole area.

We have been using Microsoft 365 Defender for about two years.

Overall, it has 95 percent stability. We don't have any issues with it. It works well. Microsoft does provide frequent information when there are issues or delays. But the stability is very good.

We're still learning a lot about its capabilities. It's more capable than what we use it for. That is due to a restriction on our resources and availability to get to know the system even better.

We have contacted Microsoft tech support multiple times. They are quick to respond to the original request. Sometimes I have been quite surprised because they have replied within 15 minutes. Some of the questions we had were resolved quickly, on the order of 60 minutes. I had one that took almost two years to get resolved. But in general, they are quick to respond. Their support is very good and quick.

Positive

Before 365 Defender, we made use of Avast as our antivirus, which had its own web console. For malware protection, we used an on-prem Cisco IronPort system that was scanning all our emails. And most of our SIEM logging information was done manually. We had much less insight into what was going on in the company.

Because it was a new solution for us, we had a company that works with Microsoft assist us, to make sure that all the configurations were standard. But since then, we've maintained most of it ourselves. On our side there were no more than five people involved.

It's a very expensive product, but for any threat it has definitely stopped or protected us from, in that sense, it has saved money and time, by preventing things that could have happened. But is it affordable? No, it's expensive.

If you look at everything that the solution entails, and the big cost to companies, especially medium-sized companies, one would like to have a bit of a price decrease due to economic circumstances. The functionality is fantastic, but for medium and small-sized companies it's overpriced. It would be better if it were a little bit cheaper.

We did look at other solutions. In the end, we decided on 365 Defender because it was all integrated. It worked to our advantage because all the products that we needed were already on the machines. All the products that you get from the Defender area are part of the built-in Windows 10 features. It gave us a better way of controlling and managing things. Overall, it made more sense to have one central place to manage and control and be alerted.

My advice is don't be frightened when you start getting into the solution. If you are not used to the environment, it is a mouthful, and it can really scare your socks off. There's just so much to it that you won't really know where to start.

The best thing I can recommend to anybody who is starting is to get somebody who knows the system to give you a walkthrough. Also, look at the tutorials to see what the functionalities are. It will be beneficial for any person to get a good overview of what's going on in 365 Defender, the capabilities and how it looks. But getting in contact with somebody who has some experience already in using it will help you to ask where to find things. "Where do I go from here? Show me how you're set up, so I can at least see some of the functionalities."

My very first impression of 365 Defender was that I was looking for something, but I didn't even know where to start. It was too overwhelming. As I spoke to other people who knew about the system, they gave me an overview and that made it easier for me to understand and to know where to go.

365 Defender is our main deployment, but we've got the endpoints also connected on Intune. They work together to deliver coordinated detection and response in our environment. Our complete suite is pretty much all Microsoft. Our environment is a 50/50 hybrid. We use Intune for certain policy changes and some of the deployments. But because our environment has a lot of legacy systems, we make use of the normal, on-prem deployment services as well.

Sentinel is linked to our on-premises Active Directory. It helps identify things that are happening on-prem. For example, when a user's account instance gets locked out, it will show you, on Defender, from which local machine it was locked out. Or if certain things are accessed, it will show that information on the on-prem Active Directory. It works well. For investigating and responding to threats, it definitely helps by dumping the information in a centralized location with the alerts to identify a bit more flow pattern. If something happens that's not on the cloud area, but it's on-prem, it helps track and identify movement. The information from Sentinel is an added bonus.

Overall, Defender 365 has saved us time, compared to the old ways of doing things, but at the same time, I wish the site was faster. Sometimes it can be very slow.

Best-of-breed solutions versus a single vendor's suite comes down to personal experience. With best-of-breed, at least you know that they have been tested in the industry and have a lot of history behind them. Also, the redundancy would be a lot better. Going with a single vendor sometimes makes it a little bit difficult, especially if they are only focusing on one area. It's a difficult question. It might come down to the way someone was "brought up" in the security industry or the way that they trust these companies.

I give Microsoft 365 Defender a nine out of 10. Once you get to know the system, it's really awesome. It provides a lot of insights.

I'm a deployment engineer for Microsoft products, and we work with multiple SMEs. Customers adopting Microsoft products want the same features they had in their third-party solutions. We look at their requirements and the types of features they need. We determine the security mechanism that best addresses their vulnerabilities. We might suggest Defender for Identity,  Defender for Endpoint, 365 Defender, and Defender for Cloud Apps. In addition to those security solutions, we offer device management. We provide everything.

Defender improves our security operations. I've had chances to collaborate with our SOC team. Our customers face many random attacks they don't know how to prevent, and the SOC team handles them remotely. The security engineers can investigate the incident or use the information from the customer's environment to offer a recommendation. If the customer doesn't have the detection mechanism, we can recommend a product or find a solution for them. 

The solution can help customers save money because we can bundle it with all the other Microsoft solutions, like email and Defender for endpoint, identity, and cloud apps. Most of our customers use Windows 10 devices and Microsoft Active Directory, so everything is on the same page. Defender can save time by automating investigation and response. We don't need to spend much time because it'll automatically take action in many cases. 

The best feature is threat hunting. There are a lot of other features I like, such as the alert mechanism. The chain alert mechanism has a huge impact. It combines all the alerts into one incident and automatically correlates them with AI. 

Defender has integrated identity access management, and you can add DLP features through a separate solution called Microsoft Purview. Within the cloud, we can create access policies based on each user's risk. It's integrated with Azure AD and on-prem Active Directory, so all the user identities can be managed in a single portal.

We use the multi-tenant management capability, so we can cover customers that have multiple regions. We can easily investigate across tenants based on severity. For high-priority alerts, we start from scratch and ignore what's happening on the endpoints or emails. We isolate the device and ensure that nothing will be released from it. Next, we check this device and some more details.

There is no common area where we can manage all the policies for the EDR, third-party solutions, devices, servers, Windows, Mac, etc., but it's on the roadmap, and we were waiting for that feature. 

I have used 365 Defender for about four years.

365 Defender is stable. There is no downtime. Still, Microsoft is constantly rolling out features, so there are sometimes bugs after new releases. Our customer experience team is collaborating with Microsoft and sharing feedback with them. 

365 Defender is scalable 

I rate Microsoft support nine out of 10. The support depends on the product and the customer's issues. 

Positive

I work with customers coming to Microsoft from other third-party products, so I try to understand what the product does and suggest a solution. The names are different, but all the technology is the same.

Deploying Microsoft Defender isn't complex if you have experience. The deployment depends on the number of users, apps, and the client's requirements. If the client wants to implement XDR, it takes about a month to achieve full functionality.  Endpoint protection takes around five to ten days. It's a cloud product, so it doesn't require any maintenance. 

Defender XDR is agentless, so you don't need to install an agent anywhere. It's a cost-effective option.

I rate Microsoft 365 Defender nine out of 10. We recommend it to our customers.