Information Security Analyst II at a computer software company with 51-200 employees
An all-in-one solution that eliminates the need for multiple products or technical controls
Pros and Cons
- "What I like most about the product is its all-in-one solution. With Microsoft Defender XDR, we get coverage for various aspects like endpoint security, cloud security, and image-related cases, all within a single platform. This eliminates the need for multiple products or technical controls to address incidents. The main benefit became evident immediately after deployment, especially in its ability to analyze files and phishing emails quickly. By submitting suspicious files or emails, we receive quick results on whether they are legitimate, suspicious, or malicious, saving time."
- "The solution could enhance the threat intelligence feature by making it more relevant to specific industries. Much of the threat intelligence information isn't directly applicable to our environment. It would be beneficial if the threat intelligence were tailored to the industry, such as healthcare or fintech, where the solution is being used."
What is our primary use case?
We use the solution for endpoints.
What is most valuable?
What I like most about the product is its all-in-one solution. With Microsoft Defender XDR, we get coverage for various aspects like endpoint security, cloud security, and image-related cases, all within a single platform. This eliminates the need for multiple products or technical controls to address incidents. The main benefit became evident immediately after deployment, especially in its ability to analyze files and phishing emails quickly. By submitting suspicious files or emails, we receive quick results on whether they are legitimate, suspicious, or malicious, saving time.
What needs improvement?
The solution could enhance the threat intelligence feature by making it more relevant to specific industries. Much of the threat intelligence information isn't directly applicable to our environment. It would be beneficial if the threat intelligence were tailored to the industry, such as healthcare or fintech, where the solution is being used.
Additionally, the MDCA feature could be improved to provide more accurate data on how much data is uploaded or downloaded from the cloud. This might involve better implementation from our infrastructure team, but clearer and more precise reporting on cloud data activities would be valuable.
For how long have I used the solution?
I have been using the product for eight to ten months.
Buyer's Guide
Microsoft Defender XDR
November 2024
Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution works smoothly.
What do I think about the scalability of the solution?
The tool's scalability is good.
How are customer service and support?
If we open a case on the Microsoft portal, a support person from Microsoft helps resolve the queries. From our side, it usually involves two or three people. The Microsoft support person sometimes brings in another expert to resolve technical queries.
We've submitted our queries, and a tech support engineer comes through on a chat, a Zoom call, or another type of call. We discuss the queries with them, and they usually resolve the issues in one or two sessions.
Sometimes, if one engineer can't resolve the query, they will bring in another engineer, which can take an additional one or two days.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We chose Microsoft Defender XDR because it provides a one-stop solution. Everything related to endpoint security, email security, or cloud applications is integrated and visible in a single window. If we were to use other solutions, we would need to implement three different products to achieve the same level of integration and functionality.
How was the initial setup?
We had some issues while deploying the tool's on-prem version. Support helped us resolve them. The cloud version is easy to deploy, while the on-prem version takes one month and doesn't require any maintenance.
What other advice do I have?
I rate the overall product an eight out of ten. If a new customer is going to buy Microsoft Defender XDR, they should clearly state their needs in front of the Microsoft team. They need to specify what they want and what features they require. It's good for the Microsoft team and the customer to clearly understand all the requirements before deployment. This way, any potential issues can be addressed beforehand, making the deployment smoother.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 30, 2024
Security Engineer at Secure Networks
Helps stop advanced attacks, saves costs, and time
Pros and Cons
- "Microsoft Defender is stable."
- "Microsoft Defender is slow to adapt to evolving threats."
What is our primary use case?
Microsoft Defender is used for email protection.
How has it helped my organization?
Microsoft Defender helps stop advanced attacks. We use PII disclosure, we track sensitive data in emails, ransomware, and phishing emails.
Microsoft Defender has saved us costs.
Microsoft Defender has helped save us investigation time.
What needs improvement?
Microsoft Defender is slow to adapt to evolving threats.
For how long have I used the solution?
I was using Microsoft Defender for one and a half years until a month ago when I switched to a different team.
What do I think about the stability of the solution?
Microsoft Defender is stable.
What do I think about the scalability of the solution?
Microsoft Defender is scalable.
Which solution did I use previously and why did I switch?
I previously used Rapid7 InsightIDR for Security Information Event Management and Extended Detection and Response. While InsightIDR offered a user-friendly dashboard for managing detected incidents, its limitation of creating only around 25 custom rules restricted our ability to identify emerging threats. With the ever-evolving threat landscape, I believe a solution with a more adaptable defense system, like Microsoft Defender, is necessary to keep up with the pace of new incidents.
How was the initial setup?
Microsoft Defender was straightforward to set up. It came with a lot of useful documentation to help.
The deployment took almost two months.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender falls within a mid-tier price range compared to other security solutions.
What other advice do I have?
I would rate Microsoft Defender eight out of ten.
Microsoft Defender is well-documented and we can find answers to our questions from the user community.
I recommend Microsoft Defender for organizations that are already using other Microsoft products. Since they're likely within the same ecosystem, integrating Defender for antivirus protection should be a smooth process.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jun 6, 2024
Cybersecurity Intern
It provides solid visibility because we can map out what's happening and get a good overview
Pros and Cons
- "The timeline feature is excellent. I also like the phishing simulation. We have phishing campaigns to educate employees and warn them about these threats."
- "The interface could be improved. For example, if you want to do a phishing simulation for your employees, it can take a while to figure out what to do. The interface is a bit messy and could be updated. It isn't too bad, but doing some things can be a long process."
What is our primary use case?
I use 365 Defender to protect against phishing attacks and filter out our email to pick up certain vulnerabilities. For example, if someone sends out their credentials, it triggers an alarm.
How has it helped my organization?
Features like filtering and phishing simulation increase our email security. The main purpose is to protect employees and sensitive company information. Everything is connected, so an intruder can potentially access sensitive, confidential information by breaching just one account. 365 Defender is a good way to protect the entire environment.
Defender helped us automate tasks because we had everything preconfigured. We create alerts and automated responses, which save us some time. Threat intelligence is helpful. For example, if there is a suspicious IP address based in Russia, we can block that address. I didn't do much of that, but it's possible.
What is most valuable?
365 Defender provides solid visibility because we can map out what's happening and get a good overview of the intelligence. The timeline feature is excellent. I also like the phishing simulation. We have phishing campaigns to educate employees and warn them about these threats.
I also like that Microsoft has a lot of resources online. It's easy to Google information about the tool and what it can do for your organization.
What needs improvement?
The interface could be improved. For example, if you want to do a phishing simulation for your employees, it can take a while to figure out what to do. The interface is a bit messy and could be updated. It isn't too bad, but doing some things can be a long process.
For how long have I used the solution?
I used Microsoft 365 Defender for 10 weeks during an internship.
What do I think about the stability of the solution?
365 Defender is highly stable. I've never had any issues with it. It can be slower at times, but that may not be the product's fault. Maybe there's too much traffic or an issue with the connection.
What do I think about the scalability of the solution?
365 Defender can scale. More than a thousand people work for this company, and some of them have multiple endpoints, like laptops, workstations, phones, etc.
Which solution did I use previously and why did I switch?
I've used CrowdStrike and some other tools for endpoint and email security. Microsoft Defender is excellent because it covers everything in one place, including endpoint protection, email security, phishing simulation, spam filtering, etc.
What's my experience with pricing, setup cost, and licensing?
365 Defender is billed per account. I don't know the exact price, but my supervisor told me that Microsoft Defender is cheaper than the alternatives. It's bundled, so you get all the features in one place.
What other advice do I have?
I rate Microsoft 365 Defender a nine out of ten. It's an excellent product that protects employees and organizations from attacks. If you have it configured correctly, you should be good. It's an ideal solution for new companies that are starting up and need protection.
If I were asked to pick between a best-of-breed strategy or getting all of my solutions from one company, I would say that it depends on the product. Many companies have products that offer the same quality as others. The Microsoft family covers so much, but you can also try CrowdStrike for endpoint protection or Proofpoint for email security.
Each platform offers flexibility, and some can be better than Microsoft, but when it comes to creating configurations, I feel that it's a better option. Also, you can get a better price by purchasing all your solutions from one company.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Modern Workplace Solution Architect at a tech consulting company with 11-50 employees
Features excellent attack simulation and seamless integrations, but false positives need to be reduced
Pros and Cons
- "The attack simulation is excellent; initially, this feature wasn't very robust, but Microsoft improved what we could achieve with it. We can now customize our practice phishing emails and include our company logo, for example. Attack simulation also helps integrate with third-party solutions where applicable and provides an overview of our security architecture through testing. The summary includes areas for improvement in our protection and what steps we need to take to get there."
- "A simple dashboard without having to use MS Sentinel would be a welcome improvement."
What is our primary use case?
We primarily use the solution for email protection to scan incoming emails and attack simulation. Attack simulation allows our users to practice detecting phishing emails without any risk. The product also gives us an overview of our security situation.
We operate a hybrid environment with a wide variety of users around the world.
We use multiple Microsoft security products, including Defender for Endpoint, Sentinel, and Defender for Cloud Apps.
We have integrated all our Microsoft security solutions, and the integration is easy and seamless, though an Azure account is required to connect Sentinel with other products.
The solutions work natively together to deliver coordinated detection and response across our environment.
The multiple Microsoft security products provide comprehensive threat protection, especially by combining 365 Defender and Defender for Cloud Apps, Endpoint, and Identity.
How has it helped my organization?
The solution allows us to remediate threats better, and the Microsoft Secure Score tells us where we need to improve the security of our organization.
365 Defender saves us time in the region of 10%.
With security products, it can be hard to determine how much money they save us by protecting us from attacks, but I would say our cost savings are around 15%.
The tool decreased our time to detect and respond, as we can quickly navigate to the required dashboard to get on top of unfolding threats. It reduced the time by 5% for each.
What is most valuable?
The attack simulation is excellent; initially, this feature wasn't very robust, but Microsoft improved what we could achieve with it. We can now customize our practice phishing emails and include our company logo, for example. Attack simulation also helps integrate with third-party solutions where applicable and provides an overview of our security architecture through testing. The summary includes areas for improvement in our protection and what steps we need to take to get there.
365 Defender works seamlessly with other Microsoft products like Defender for Endpoint, and once we've onboarded a device, it's easy to see the entire progression of a malicious email. This includes the IP origin, and these are some of the things I love about the product.
The solution provides us with excellent visibility into threats; there are various features that clearly show when our organization is under attack, which country the attack originates from, and what we need to do to mitigate it.
365 Defender prioritizes threats across the enterprise, which is essential because it gives us an overview of what we need to do to improve our security. We don't need to think of what we must do, which is significant for us.
The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Over time, the threat intelligence learns and gets better, much like an AI.
What needs improvement?
A simple dashboard without having to use MS Sentinel would be a welcome improvement.
We sometimes get false alerts, and Microsoft told us the issue was with them and that they were aware of it. They were supposed to remediate it, but we had to do much ourselves. The false positives need to be reduced.
For how long have I used the solution?
We've been using 365 Defender for four years.
What do I think about the stability of the solution?
The stability isn't bad, but we get too many false positives.
What do I think about the scalability of the solution?
Microsoft has been able to scale up the solution over time, so it's scalable. All we need to do is purchase licenses according to our requirements. We have around 1,000 users.
How are customer service and support?
The customer support is good, but there is room for improvement.
How would you rate customer service and support?
Neutral
How was the initial setup?
The deployment was straightforward and quick; it took minutes. Onboarding the other solutions can take a little longer, depending on the environment and migration methods.
The setup can be done by one or two staff. In a scenario with many thousands of users and a proficient security admin, the deployment could be done in 15 to 20 minutes. The solution doesn't require any maintenance on our end, as it's cloud-based.
What was our ROI?
The product gives us an ROI as it protects our organization from potentially costly attacks. Our ROI is around 5%.
What's my experience with pricing, setup cost, and licensing?
The product is fairly priced for what we get from it.
What other advice do I have?
I rate the solution seven out of ten.
We use MS Sentinel, but I wouldn't say it ingests data from our entire ecosystem. It's straightforward to integrate, but getting the most out of Sentinel requires a lot of configuration, which needs significant expertise and time.
Sentinel enables us to investigate threats and respond holistically from one place, and that's important for us. The process is primarily automatic once the logic hub and configuration are set up.
Regarding the comprehensiveness of Sentinel's security protection, it's less a tool for protection and more of a solution for providing an overview, management, and optimization of security processes. The most significant security features are found in the Defender line of products.
We can automate some aspects of 365 Defender, but MS Sentinel is required for more complete automation.
365 Defender doesn't eliminate having to look at multiple dashboards; we still need to click through numerous dashboards for a complete security overview. Sentinel allows management from a single XDR dashboard.
To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say, why not save the stress of dealing with multiple vendors? You can have one vendor one click away and seamless integration between your products.
I recommend the solution; I've worked with it in three different organizations and realized how seamless it is to use the Microsoft suite. They integrate well and help us protect all the services in Microsoft 365.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
OT Security Architect at a tech services company with 10,001+ employees
User-friendly portal, good advanced hunting capabilities, and great for analysis
Pros and Cons
- "Within advanced threat hunting, the tables that have already been defined by Microsoft are helpful. In the advanced threat hunting tab, there were different tables, and one of the tables was related to device info, device alert, and device events. That was very helpful. Another feature that I liked but didn't have access to was deep analysis."
- "The documentation on their website is somewhat outdated and doesn't show properly. I wanted to try a query in Microsoft Defender 365. When I opened the related documentation from the security blog on the Microsoft website, the figures were not showing. It was difficult to understand the article without having the figures. The figures were there in the article, but they were not getting loaded, which made the article obsolete."
What is our primary use case?
The main use case has been for threat hunting, not in the sense of actively looking for the threat, but in terms of analyzing the ongoing process within clients' machines. I was looking into what kind of changes happen when you install any new software and it asks for so many permissions. I wanted to analyze the criticality of the permissions being asked and so on. Usually, when we install any software, we just click next, next, and next. We don't look at the details. So, my role was to check how it behaves within a system. For that reason, I used Microsoft Defender.
I used the query language to do advanced threat hunting. I ran different queries to collect the data. The data was then brought into Power BI. We had data coming from different channels. So, we used Power BI to collect it at a single point.
How has it helped my organization?
My usage of it was on a very small scale. I am not aware of its overall impact on the organization, but it did help us a lot to know and achieve what we wanted to achieve. Without Microsoft 365 Defender, the detection for our use case would have been impossible.
It provided more visibility into threats, and it came with some of the default functions from Microsoft, which was an advantage. They had already defined different tables in advanced threat hunting, which was very helpful. I am not aware of other vendors providing that.
Its threat intelligence helped to prepare for potential threats before they hit and to take proactive steps. That was my target for that project. We were actively looking for vulnerabilities inside the software, and we wanted to detect the software supply chain aspect. That was a difficult task, but we wanted to be ahead before any attack happened. That's why we were using Microsoft 365 Defender.
It saved time. They had already defined different tables to identify different artifacts within the system, which saved about 50% of our time.
What is most valuable?
Within advanced threat hunting, the tables that have already been defined by Microsoft are helpful. In the advanced threat hunting tab, there were different tables, and one of the tables was related to device info, device alert, and device events. That was very helpful. Another feature that I liked but didn't have access to was deep analysis.
I liked its portal a lot. I am currently using a different vendor, and there is a big difference between them. Microsoft had a very good portal, and its user interface was good. Irrespective of where I was, with a click, I could see comprehensive details about something on the right side. The related information was always on the right side. So, I didn't have to jump over different tabs and functionalities. The information was always there on the right side, which is something I liked in Microsoft 365 Defender portal.
What needs improvement?
The documentation on their website is somewhat outdated and doesn't show properly. I wanted to try a query in Microsoft Defender 365. When I opened the related documentation from the security blog on the Microsoft website, the figures were not showing. It was difficult to understand the article without having the figures. The figures were there in the article, but they were not getting loaded, which made the article obsolete. They should refresh all their articles and see that the steps and figures aren't missing. They can also provide more documentation.
For how long have I used the solution?
I used it just for four months in a previous company.
What do I think about the stability of the solution?
I never had any problems with it. It was always stable.
What do I think about the scalability of the solution?
It's scalable. You can query each and every machine in the company.
I was working for a client, and that client had more than 50,000 people.
How are customer service and support?
I never contacted them directly, but based on what I heard during the meetings, they seemed to be quite helpful and good.
Which solution did I use previously and why did I switch?
I didn't use any other similar solution before Microsoft 365 Defender. That was the first time I used Microsoft 365 Defender. That was my first experience. Now, I'm using a different product, and I can see that Microsoft 365 Defender was much better than the current product.
Microsoft 365 Defender is very good for analyzing something. There are multiple types of data and multiple ways to utilize that data. With a single click, you can have all the related data for a particular topic. That's really good, and that is what I'm missing in the current product.
What other advice do I have?
I did not use Microsoft Defender for Cloud, but I saw the cloud part for monitoring cloud applications. It was nice, and it had some added functionalities. For example, application risk scoring was very good. It shows what data has been considered to give a particular risk score, which is useful for a new learner like me. It was helpful to know the criteria for scoring. They also included so many applications. There were more than 24,000 cloud applications inside their catalog. That's a really good catalog.
To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would agree that multiple vendors are better than a single vendor because every vendor has different capabilities. It's always better to use the best products from different vendors than to use all the products from the same vendor.
I would rate Microsoft 365 Defender a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Malware and endpoint security solution that is easy to use compared with other similar solutions
Pros and Cons
- "We are able to consolidate licences and make use of many Microsoft products using this solution. If we have any Microsoft customers, we encourage them to use this solution for enterprise defence."
- "This solution could be improved if it included features such as those offered by Malwarebytes."
What is our primary use case?
We make use of Microsoft Defender for Office 365 for endpoint security and email and we use Defender umbrella for impersonation and sales. Under Defender umbrella, we use a lot of products depending on the customer requirements. As a company, we use Defender for email as well as for endpoint security.
What is most valuable?
We are able to consolidate licences and make use of many Microsoft products using this solution. If we have any Microsoft customers, we encourage them to use this solution for enterprise defence.
What needs improvement?
This solution could be improved if it included features such as those offered by Malwarebytes.
For how long have I used the solution?
We have used this solution for many years and we are a Microsoft partner. We use this solution on a daily basis.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This is a scalable solution.
How are customer service and support?
We have not yet needed to contact Microsoft for support with Defender.
Which solution did I use previously and why did I switch?
We have previously used a number of different solutions including Trend Micro, Symantec, Sophos Intercept X and Malwarebytes. Overall, we are more comfortable using Defender.
How was the initial setup?
The initial setup was straightforward.
What other advice do I have?
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
SecOps Engineer at a computer software company with 11-50 employees
Saves investigation time and provides advanced hunting capabilities
Pros and Cons
- "Advanced hunting is good. I like that. We can drill down to lots of details."
- "At times, when we have an incident email and we click on the link for that incident, it opens a pop-up, but there is nothing. It has happened a couple of times."
What is our primary use case?
We are using it for incidents and alerts. It is helpful for threat hunting.
We have tied it to Azure AD or Microsoft Entra, and we are trying to implement it for Linux.
How has it helped my organization?
It saves investigation time. There is a lot of information about the threats and other things.
What is most valuable?
Advanced hunting is good. I like that. We can drill down to lots of details.
It is user-friendly. It has a lot of parts. For me, it was pretty quick to get a sense of it.
What needs improvement?
It protects from phishing emails, but sometimes, some of the emails are not detected. They are getting delivered into the inbox, not in a junk folder or spam folder. Users are reporting them as phishing emails.
At times, when we have an incident email and we click on the link for that incident, it opens a pop-up, but there is nothing. It has happened a couple of times.
In terms of additional features, it is too early for me. I am still learning all the parts. I am just scratching the surface of the tool. One year is not enough to get every detail of it.
For how long have I used the solution?
I have been using Microsoft Defender XDR for about a year.
What do I think about the stability of the solution?
It is stable, but sometimes, we experience an issue. Clicking the link in an incident email opens a small window, but we cannot find anything there. This has happened a couple of times. There is a bug.
Other than that, we have not experienced any downtime or any big issues. It is pretty stable.
What do I think about the scalability of the solution?
We have plans to maximize its usage. We are trying to see how to get the most out of it, but my older colleagues would know more about it. I am still learning it.
How are customer service and support?
I have not contacted them.
Which solution did I use previously and why did I switch?
I am not sure. I am relatively new. I have only been working here for a year. They already had it in place.
I have not worked on a similar tool before. This is my first XDR tool.
How was the initial setup?
It is on the cloud. I am not aware of its deployment because it was already deployed before I joined.
What other advice do I have?
I cannot recommend it because this is the only tool for XDR that I have used. I have not used any other tool, but it is a good tool.
I would rate Microsoft Defender XDR a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Feb 28, 2024
Cyber e Cloud Security | Security Solution Specialist at a tech services company with 51-200 employees
Good threat hunting, user-friendly, and protects against ransomware
Pros and Cons
- "The common and advanced security policies for threat hunting and blocking attacks are valuable."
- "Microsoft frequently changes the names of its products, sometimes even renaming entire portals or features."
What is our primary use case?
We use Microsoft Defender XDR for endpoint protection.
How has it helped my organization?
We have integrated Microsoft Defender XDR with 365 for identity and access management.
Microsoft Defender XDR protects against ransomware, business, and mail compromise. Microsoft offers the MITRE ATT&CK framework through its Defender XDR platform. This integration is particularly beneficial for Microsoft Office environments. It's a common practice to use Sentinel to investigate potential security incidents. For instance, we can check logs, examine hunting patterns, and review queries in Sentinel. Additionally, I've encountered situations where clients have lost their conditional access policies due to various factors, such as country-based rules, MSA-related rules, or application-based roles. Clients need to maintain these specific policies to ensure optimal security.
Multi-tenant management is a relatively new concept. I currently work with GCP, Microsoft 365, AWS, and Azure, where I access and perform assessments.
Microsoft Defender XDR helps replace other security products in our environment.
Microsoft Defender XDR helps save us time.
What is most valuable?
The common and advanced security policies for threat hunting and blocking attacks are valuable.
The UI is user-friendly.
What needs improvement?
Microsoft frequently changes the names of its products, sometimes even renaming entire portals or features. This can make it difficult for users to keep track of the latest changes and find the information they need. For example, every month, Microsoft might rename a product, change a portal, or update a feature. This can lead to confusion and frustration for users.
For how long have I used the solution?
I have been using Microsoft Defender XDR for seven years.
What do I think about the stability of the solution?
I would rate the stability of Microsoft Defender XDR eight out of ten.
What do I think about the scalability of the solution?
I would rate the scalability of Microsoft Defender XDR eight out of ten.
How are customer service and support?
The few times I have contacted technical support, they have been helpful.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is straightforward. Depending on the size of the environment, two to three people are involved in the installation.
What's my experience with pricing, setup cost, and licensing?
Purchasing Microsoft Defender XDR as part of a Microsoft 365 bundle can be cost-effective, but acquiring it as a standalone product may be more expensive.
What other advice do I have?
I would rate Microsoft Defender XDR eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner