Microsoft Defender XDR Reviews

We are yet to use Microsoft Defender XDR for ourselves as we are yet to procure the product.

Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans. Additionally, the threat detection at the OS level is a very good feature of Defender.

Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products.

We have not yet used Microsoft Defender XDR as we are yet to procure the product.

I was working with CrowdStrike before Microsoft Defender XDR. CrowdStrike has advantages in terms of threat hunting.

We are doing it for the first time, so I have nothing to compare in terms of ROI.

The pricing is a little high, however, it is on par with other competitive tools in the market.

I have not evaluated other XDR solutions besides CrowdStrike.

I would recommend Microsoft Defender XDR to others as long as they are aligned with Microsoft products, cloud, or on-prem, especially if they are using Microsoft Windows architecture. I would rate Microsoft Defender XDR six out of ten overall.

The product replaced Sophos, a third-party product we used, helping us save money equal to its yearly subscription. The product saves us time. We do not have to interfere. It just keeps running.

Considering we haven't encountered any technical problems since we started using it. It is working as intended. It has great stability.

I don't know if that is Defender's feature, but more active monitoring for data breaches would be beneficial. There could be a way to proactively monitor unusual activity versus just depending on viruses and malware. If the traffic seems unusual, it could detect anomalies and update us. It would help us stop malware attacks ahead of time.

I have been using Microsoft Defender XDR since 2015.

We never encountered stability issues.

Whenever we add a license, it automatically sets the account for a new user.

The initial setup process was fine and similar to Office 365. We had to get our email server lifted externally from the premises to the cloud. It is easy to use once all applications are deployed.

Microsoft Defender XDR is already included in our Office 365 licensing. It is better because we're saving money by using it.

The product was included with the Office 365 licensing that we had. So, we decided to try it out. Before that, we were using Sophos.

I haven't run into that particular instance where the security features have extended beyond Microsoft technologies. The only products we use outside of Microsoft are proprietary lockdown applications, and it's not really an issue there.

During staff training, we've been using Intune to detect phishing attempts. It hasn't detected anything in that aspect. However, it has the ability to check for malicious attacks preemptively.

I rate it a ten out of ten.

We primarily use it for endpoint security. Specifically, it serves as our solution for antivirus detection, malware detection, and related aspects focused on safeguarding individual devices. 

Its single-pane interface is a time-saving feature, as it eliminates the need to check different locations which is excellent for efficiency. It allows us to phase out the use of other security products. For example, we previously ran Sophos on-premises. However, upon transitioning to Microsoft 365 and leveraging the included Defender, we discontinued the use of Sophos. This shift not only streamlined our security approach with a unified solution but also contributed to cost savings, as everything is encompassed within the same license—a concept that aligns with the efficiency of a single-pane interface.

The most valuable aspect is that it comes included with the licensing, which is excellent. It provides a single pane of glass within the 365 admin interface, streamlining our experience by consolidating information in one place and eliminating the need to navigate through multiple interfaces.

It would be highly beneficial if CoPilot could identify anomalies within the network and notify the IT team. For instance, if a user typically accesses around a hundred megabytes of data daily from familiar files and locations but suddenly diverges to an uncommon destination, uploading ten gigabytes of data to an unfamiliar website, that would be a significant anomaly. Pausing such activity and alerting the IT team for a human assessment would be a valuable feature to ensure security.

I have been working with it for three years.

No stability issues noted, and there haven't been any concerns regarding false positives. Overall, the experience has been positive.

Scalability is straightforward; no issues are encountered. We predominantly use Windows 10, and so far, I haven't observed any issues. Some of us have transitioned to Windows 11, and it appears to function well.

We haven't contacted their tech support, which I consider a positive indicator.

In terms of ROI, our expectation is to gain a comprehensive analytical perspective by upgrading to E5, activating Sentinel, and deploying other products like Entra. This move aims to provide a more extensive understanding of user activities, login details, and other relevant metrics. Currently on a three-year Microsoft term set to end on April 1st, we've inquired with our vendor about transitioning from E3 to E5 immediately.

In our security solution evaluation, we considered Trend Micro and Sophos, focusing more on Sophos due to its cloud version. However, challenges in patching the on-premises Sophos led us to choose Microsoft Defender. The simplicity, inclusion in our package and regular patching made Defender more attractive. Additionally, our decision was influenced by community adoption, as no other law enforcement agencies in Canada were using Trend Micro. Defender's seamless integration and zero additional cost aligned with our strategy of opting for solutions without extra expenses.

Overall, I would rate it eight out of ten.

We implemented Defender two and a half years ago, utilizing it in a passive mode with only the sensor active for data collection and basic EDR results. Although it has been running on all devices, we are currently in the process of making the final transition from the existing setup to fully leverage Defender as our EDR solution.

We utilize analytics on both iOS and Android platforms, and it holds significant importance for us. Compliance with mandates, often stemming from executive orders, requires meeting specific contract requirements. In response, we employ analytics to implement and maintain controls consistently across various device types. The capability to adapt to emerging threats is of utmost importance to us. We lack the time and resources to constantly learn about new indicators and threat actors. We expect that the threat intelligence from Microsoft and other providers seamlessly integrates into the system, enabling automatic updates based on the current global threat landscape. The unified single pane of glass is a significant benefit. It consolidates everything into one interface, eliminating the need to navigate through multiple portals for information.

The greatest value lies in integration, I believe. The ability to integrate and observe a more cohesive narrative across the products is crucial.

There are still some components, such as vulnerability management within the vendor product, where improved integration would be beneficial. Currently, it's not visible in the same interface, requiring us to search elsewhere to access that information. While it has streamlined data collection and retrieval, there's still room for improvement in terms of user-friendliness for certain individuals. While the ultimate goal is to enhance security, there's room for improvement in terms of pricing.

We are currently in the migration process from Sophos to Microsoft Defender.

It offers high stability.

The backend infrastructure and structure in place seem to be easily scalable to meet our requirements.

Customer service and technical support vary. Opening support cases for different components within the security stack or Microsoft entity often reveals that first-level support is lacking. It typically takes two or three weeks to get an escalation, and by then, the issue may have resolved itself. Escalations are challenging, as first-level support struggles to comprehend the problem, leading to repetitive discussions. I would rate it four out of ten.

Neutral

We transitioned from Sophos to Microsoft Defender primarily due to cost reduction and the elimination of duplicated technologies.

The initial setup used to be complex, but now it's much more streamlined.

We follow a phased approach for deployment, beginning with a proof of concept pilot. However, our main deployment cycle revolves around Defender, facilitated via Intune, where all devices are managed. Building the package and incorporating scripts into Intune is the key process for the sequential implementation, which has evolved over time. Maintenance involves keeping pace with changes, not just patching. Microsoft has significantly improved patch cycle management, but dealing with the constant stream of changes they introduce remains a challenge.

It proved to be effective in cost savings. Our return on investment is tied to the existing investment in the current SKU. We anticipate not only recouping the dollars spent but also gaining the advantage of a unified interface, a single pane of glass. This consolidation allows us to streamline our operations, saving valuable time and effectively reclaiming productivity that would otherwise be spent navigating between different platforms on a daily basis.

When seeking a security suite, even with an E5 enterprise license, additional purchases are still necessary. The license cost for a year is approximately forty-four thousand, and this annual saving is a significant factor in our decision to switch.

In the past, we explored alternatives such as Carbon Black and Cylance, particularly for their machine learning and AI components, which were quite innovative at that time, approximately three years ago. However, our approach has evolved, and we've shifted significantly towards the Microsoft Stack. The decision is influenced by our existing environment, where we can readily assess the capabilities available within Microsoft.

The critical aspect is comprehending your existing setup. During our migration, we opt for a like-for-like transition instead of going for something entirely new, as the latter could be disruptive to some processes. Defender offers extensive capabilities, but understanding where to begin is crucial to avoiding disruption. Start with a like-for-like migration and plan the subsequent ramp-up to align with its capabilities. Overall, I would rate it eight out of ten.

I'm a deployment engineer for Microsoft products, and we work with multiple SMEs. Customers adopting Microsoft products want the same features they had in their third-party solutions. We look at their requirements and the types of features they need. We determine the security mechanism that best addresses their vulnerabilities. We might suggest Defender for Identity,  Defender for Endpoint, 365 Defender, and Defender for Cloud Apps. In addition to those security solutions, we offer device management. We provide everything.

Defender improves our security operations. I've had chances to collaborate with our SOC team. Our customers face many random attacks they don't know how to prevent, and the SOC team handles them remotely. The security engineers can investigate the incident or use the information from the customer's environment to offer a recommendation. If the customer doesn't have the detection mechanism, we can recommend a product or find a solution for them. 

The solution can help customers save money because we can bundle it with all the other Microsoft solutions, like email and Defender for endpoint, identity, and cloud apps. Most of our customers use Windows 10 devices and Microsoft Active Directory, so everything is on the same page. Defender can save time by automating investigation and response. We don't need to spend much time because it'll automatically take action in many cases. 

The best feature is threat hunting. There are a lot of other features I like, such as the alert mechanism. The chain alert mechanism has a huge impact. It combines all the alerts into one incident and automatically correlates them with AI. 

Defender has integrated identity access management, and you can add DLP features through a separate solution called Microsoft Purview. Within the cloud, we can create access policies based on each user's risk. It's integrated with Azure AD and on-prem Active Directory, so all the user identities can be managed in a single portal.

We use the multi-tenant management capability, so we can cover customers that have multiple regions. We can easily investigate across tenants based on severity. For high-priority alerts, we start from scratch and ignore what's happening on the endpoints or emails. We isolate the device and ensure that nothing will be released from it. Next, we check this device and some more details.

There is no common area where we can manage all the policies for the EDR, third-party solutions, devices, servers, Windows, Mac, etc., but it's on the roadmap, and we were waiting for that feature. 

I have used 365 Defender for about four years.

365 Defender is stable. There is no downtime. Still, Microsoft is constantly rolling out features, so there are sometimes bugs after new releases. Our customer experience team is collaborating with Microsoft and sharing feedback with them. 

365 Defender is scalable 

I rate Microsoft support nine out of 10. The support depends on the product and the customer's issues. 

Positive

I work with customers coming to Microsoft from other third-party products, so I try to understand what the product does and suggest a solution. The names are different, but all the technology is the same.

Deploying Microsoft Defender isn't complex if you have experience. The deployment depends on the number of users, apps, and the client's requirements. If the client wants to implement XDR, it takes about a month to achieve full functionality.  Endpoint protection takes around five to ten days. It's a cloud product, so it doesn't require any maintenance. 

Defender XDR is agentless, so you don't need to install an agent anywhere. It's a cost-effective option.

I rate Microsoft 365 Defender nine out of 10. We recommend it to our customers. 

I primarily use the solution as an engineer. I use the product to protect the endpoint and I use it to protect my customer's environment. 

The web protection on offer is very good. For a company that doesn't have a firewall, it's quite useful.

It gives feedback and helps protect internet access. It provides you with analysis on the state of the environment and you have a direct link to Microsoft which is doing its own research on security. You're constantly getting feedback from Microsoft resources so that you can be up to date in your own environment and you'll have a better understanding of the security landscape. 

The solution is great for companies on a budget.

Defender provides helpful visibility into threats. It covers a lot and comes with a next-gen antivirus. With that, you can register to the cloud, and, if you have cloud protection, your environment is protected even more. 

It helps us prioritize the threats across our enterprise. It covers all of our devices. You can cover your entire operation with the license you purchase.

Microsoft 365 Defender is easy to integrate with other products. You just have to configure some things in order to integrate everything and you are SDR compliant. We currently have it integrated natively, so we don't have to worry about configurations.

The comprehensiveness of Microsoft's threat detection is good. Microsoft provides a lot of security. It gives you visibility and IT has a lot of control over everything. You can see your environment, including clouds. You can block things within your environment as needed. The applications are easy to manage. It also has app governance to be able to gain visibility into permissions.

The product has helped automate routine tasks and the finding of high-value alerts. It has an automatic investigation feature that you can enable. It's great for automation. Thanks to automation, it has helped reduce the time it takes to analyze security events and alerts. You don't have to wait to take action. If there is a threat, you can neutralize it faster and it will record everything for audit records. While I know it has saved us time, I can't quantify that into a specific amount of hours.

We no longer need to look at multiple dashboards. Now, everything is centralized under one dashboard. 

The product's threat intelligence helps us prepare for potential threats and take proactive steps. Since we've been using it, we've had no security incidents.

The only issue I've had is, when it comes to deployment, the steps I must take around policy setup. That is challenging. We're working on the onboarding and configuration policies. We're collecting feedback from customers and partners in hopes of refining the future design for deployment.

I've used the solution for about two years.

The feedback I have received from customers is that the stability is very good. 

The product scales well.

If you have a license through a partner, it's the partner that will support you.

The only issue with Microsoft is the response times. They are very competent, however, sometimes you will send an email and get no response. 

Neutral

I previously used Sophos. I then switched to Microsoft Defender. The Sophos deployment is quite easy in comparison. You can do everything from a single portal. They had already achieved effective centralization. 

Right now, there are two different ways to onboard. You might have to have a different partner to configure policies. However, right now, you can also create policies from the activity center, so you don't have to do it from the device itself.

How long a deployment takes depends on your scope and the number of devices you are covering. 

If you do not get a license for the portal, you'll have to use the manual to deploy. If you have an older server you may encounter some issues. However, if you upgrade the server at the same time, you'll have fewer problems.

We do use more than one Microsoft security product. We've integrated with other products. 

I do not make use of the directional sync capabilities at this time. I'm also not using Microsoft Sentinel.

I'd rate the solution eight out of ten. If the deployment of the agent was better, I'd move my grade closer to ten. It should be more automatic. You also shouldn't have to install the logs. 

We use Microsoft Defender XDR for our Microsoft 365 email service.

It helps protect us against ransomware. We were a victim of a malware attack in 2018 before implementation.

Email protection is the most valuable feature of Microsoft Defender XDR.

The price has room for improvement. The price should be adjustable by region.

I have been using Microsoft Defender XDR for almost 5 years.

Microsoft Defender XDR is stable.

Microsoft Defender XDR is scalable.

The technical support is good.

Positive

Microsoft Defender XDR is priced high.

I would rate Microsoft Defender XDR 8 out of 10.

No maintenance is required from our end because it updates with the OS.

We typically use Defender's default settings and are implementing MITRE ATT&CK use cases on Microsoft Defender this year. We do manual threat hunting and check to see if there is a trending attack. We have the latest IOCs and sweep across the organization looking for them. 

When implementing Defender, we usually use its advanced hunting features to determine particular techniques used across the whole environment. We use multiple Microsoft security products, including Defender for Endpoint, Defender for Cloud Apps, Sentinel, email and collaboration, data loss prevention, and Microsoft Purview.

Defender XDR enables us to prioritize threats according to the algorithm or our custom rules. We can prioritize threats and have the option to automate the response. For instance, let's say we are facing a sticky key hijack. When you press shift several times at the login screen, you can open the command prompt of that particular host. That is a vulnerability of Microsoft Windows. When this happens, we can automate a priority alert and also isolate that endpoint from the network immediately. 

The solution reduces our remediation time by enabling our security analyst to respond quickly, make some automations, and edit the rules to detect any potential threats. The extent to which the solution reduces the remediation time depends on the analyst's skill. If the security analyst is good, Defender XDR will help them.

XDR saves money if you are using Microsoft products. XDR is more inclined toward Active Directory, a Microsoft product. No other XDR can integrate with Active Directory so seamlessly and use it to its fullest potential. Microsoft also offers multiple sub-products. If we purchased third-party solutions for email, endpoint, XDR, cloud applications, etc., and managed them on a single platform, it would be more expensive than Microsoft solutions. When we do a cost-benefit analysis, Microsoft Defender XDR offers a better value. 

I like Defender XDR's automation capabilities. XDR isn't automated by default, but you can automate it to respond. If an attack is performed anywhere within the organization, you can isolate that instance from the network. This is what I can figure out for it. When integrated with Sentinel, you can set up playbooks to automate all the alerts gathered on Sentinel from different Microsoft solutions. Sentinel has a wider range of capabilities than XDR. 

Defender XDR has good threat visibility, but it could be better in some areas, like when we are hunting for a specific host. For example, let's say we are investigating email services, and want to trace an email account to its host PCs and investigate the emails in its inbox. We want more visibility into the email side of investigations. It would be better if these features could be more integrated into the console like you could have a tab for Cloud Apps to see the cloud applications a user had communicated with. 

Microsoft's threat analytics are somewhat helpful for anything related to Microsoft products. For instance, it can update us about any single sign-on vulnerabilities or something along those lines. However, Microsoft was very late in terms of the recent LockBit attacks. LockBit compromised some significant organizations, and Microsoft didn't provide the report fast enough. It was reported on my normal cybersecurity information websites first. The site analytics are a bit weak when it comes to non-Microsoft clouds.

Defender XDR is capable of providing intelligence reports about threats specific to Microsoft components, but if we are implementing a Microsoft solution across an organization, many other products and side factors must be considered. I feel like Microsoft falls behind some other vendors in threat intelligence.

When we do investigations, it would be better if Microsoft could populate the host dashboard more. When we open any host for investigation, we want the entire timeline of what is happening on the host, including all the users logging in, their hardware, Windows version, etc. 

I have used Defender XDR for nearly 2 years. 

We haven't faced issues with stability. XDR doesn't lag during investigations. We've seen a few minor bugs in the XDR console but not often. There have been no major issues that disrupted our operation. 

Defender XDR has good scalability. If you want more endpoint visibility, you don't need to scale your organization much. You only need to integrate that particular endpoint by running a script and deploying an agent to it. 

I haven't contacted Microsoft support about XDR, but my client has. One of the alerts was triggering incorrectly based on a default setting. We asked their team to investigate why the solution was excessively triggering. I just disabled the default rules and made custom policies. Now, everything is working fine.

I previously used CrowdStrike EDR. It's hard to compare the two products because CrowdStrike EDR was focused on endpoint detection, so it cannot investigate emails or have any other XDR capabilities. One is an XDR and the other an EDR. 

We compared Microsoft Defender XDR to Trend Micro's Vision One. Defender's advantage over Vision One is ease of use. Managing and enabling policies is much easier on Microsoft Defender. There's a considerable difference between their default rules. In some cases, alerts will trigger in Defender, but not Vision One. Overall, Microsoft Defender XDR is preferable over Vision One.

I rate Microsoft Defender XDR 7 out of 10. It's a useful product for a professional security analyst who knows how to increase the visibility. You only need to make some front-end changes and put the data on host names into XDR. 

If someone asked me whether a best-of-breed or single-vendor approach is better, I would support mixing different products. Each security vendor has its own intelligence base. By including other vendors, I am gaining visibility into more indicators of compromise. Nevertheless, I would still pick Microsoft Defender XDR and Sentinel together because they are well integrated. All the big companies and banks use Microsoft. Windows is a popular operating system across the world. Defender and Sentinel are better integrated with Microsoft systems.