We are yet to use Microsoft Defender XDR for ourselves as we are yet to procure the product.
Security Consultant at G.Network
Effective OS threat detection with room for enhanced threat hunting capabilities
Pros and Cons
- "Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans."
- "Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans."
- "Microsoft could improve on threat hunting and build more on threat detection and handling."
- "Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products."
What is our primary use case?
What is most valuable?
Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans. Additionally, the threat detection at the OS level is a very good feature of Defender.
What needs improvement?
Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products.
For how long have I used the solution?
We have not yet used Microsoft Defender XDR as we are yet to procure the product.
Buyer's Guide
Microsoft Defender XDR
March 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.
Which solution did I use previously and why did I switch?
I was working with CrowdStrike before Microsoft Defender XDR. CrowdStrike has advantages in terms of threat hunting.
What was our ROI?
We are doing it for the first time, so I have nothing to compare in terms of ROI.
What's my experience with pricing, setup cost, and licensing?
The pricing is a little high, however, it is on par with other competitive tools in the market.
Which other solutions did I evaluate?
I have not evaluated other XDR solutions besides CrowdStrike.
What other advice do I have?
I would recommend Microsoft Defender XDR to others as long as they are aligned with Microsoft products, cloud, or on-prem, especially if they are using Microsoft Windows architecture. I would rate Microsoft Defender XDR six out of ten overall.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Last updated: Nov 24, 2024
Flag as inappropriate
Senior IT at a security firm with 201-500 employees
Easy-to-use product with good stability
Pros and Cons
- "It has great stability."
- "There could be a way to proactively monitor unusual activity ."
How has it helped my organization?
The product replaced Sophos, a third-party product we used, helping us save money equal to its yearly subscription. The product saves us time. We do not have to interfere. It just keeps running.
What is most valuable?
Considering we haven't encountered any technical problems since we started using it. It is working as intended. It has great stability.
What needs improvement?
I don't know if that is Defender's feature, but more active monitoring for data breaches would be beneficial. There could be a way to proactively monitor unusual activity versus just depending on viruses and malware. If the traffic seems unusual, it could detect anomalies and update us. It would help us stop malware attacks ahead of time.
For how long have I used the solution?
I have been using Microsoft Defender XDR since 2015.
What do I think about the stability of the solution?
We never encountered stability issues.
What do I think about the scalability of the solution?
Whenever we add a license, it automatically sets the account for a new user.
How was the initial setup?
The initial setup process was fine and similar to Office 365. We had to get our email server lifted externally from the premises to the cloud. It is easy to use once all applications are deployed.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender XDR is already included in our Office 365 licensing. It is better because we're saving money by using it.
What other advice do I have?
The product was included with the Office 365 licensing that we had. So, we decided to try it out. Before that, we were using Sophos.
I haven't run into that particular instance where the security features have extended beyond Microsoft technologies. The only products we use outside of Microsoft are proprietary lockdown applications, and it's not really an issue there.
During staff training, we've been using Intune to detect phishing attempts. It hasn't detected anything in that aspect. However, it has the ability to check for malicious attacks preemptively.
I rate it a ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Microsoft Defender XDR
March 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.
Manager of IT Services at a government with 51-200 employees
Streamlined endpoint security offering comprehensive threat protection, unified identity and simplified operations within a single-pane interface
Pros and Cons
- "It provides a single pane of glass within the 365 admin interface, streamlining our experience by consolidating information in one place and eliminating the need to navigate through multiple interfaces."
- "It would be highly beneficial if CoPilot could identify anomalies within the network and notify the IT team."
What is our primary use case?
We primarily use it for endpoint security. Specifically, it serves as our solution for antivirus detection, malware detection, and related aspects focused on safeguarding individual devices.
How has it helped my organization?
Its single-pane interface is a time-saving feature, as it eliminates the need to check different locations which is excellent for efficiency. It allows us to phase out the use of other security products. For example, we previously ran Sophos on-premises. However, upon transitioning to Microsoft 365 and leveraging the included Defender, we discontinued the use of Sophos. This shift not only streamlined our security approach with a unified solution but also contributed to cost savings, as everything is encompassed within the same license—a concept that aligns with the efficiency of a single-pane interface.
What is most valuable?
The most valuable aspect is that it comes included with the licensing, which is excellent. It provides a single pane of glass within the 365 admin interface, streamlining our experience by consolidating information in one place and eliminating the need to navigate through multiple interfaces.
What needs improvement?
It would be highly beneficial if CoPilot could identify anomalies within the network and notify the IT team. For instance, if a user typically accesses around a hundred megabytes of data daily from familiar files and locations but suddenly diverges to an uncommon destination, uploading ten gigabytes of data to an unfamiliar website, that would be a significant anomaly. Pausing such activity and alerting the IT team for a human assessment would be a valuable feature to ensure security.
For how long have I used the solution?
I have been working with it for three years.
What do I think about the stability of the solution?
No stability issues noted, and there haven't been any concerns regarding false positives. Overall, the experience has been positive.
What do I think about the scalability of the solution?
Scalability is straightforward; no issues are encountered. We predominantly use Windows 10, and so far, I haven't observed any issues. Some of us have transitioned to Windows 11, and it appears to function well.
How are customer service and support?
We haven't contacted their tech support, which I consider a positive indicator.
What was our ROI?
In terms of ROI, our expectation is to gain a comprehensive analytical perspective by upgrading to E5, activating Sentinel, and deploying other products like Entra. This move aims to provide a more extensive understanding of user activities, login details, and other relevant metrics. Currently on a three-year Microsoft term set to end on April 1st, we've inquired with our vendor about transitioning from E3 to E5 immediately.
Which other solutions did I evaluate?
In our security solution evaluation, we considered Trend Micro and Sophos, focusing more on Sophos due to its cloud version. However, challenges in patching the on-premises Sophos led us to choose Microsoft Defender. The simplicity, inclusion in our package and regular patching made Defender more attractive. Additionally, our decision was influenced by community adoption, as no other law enforcement agencies in Canada were using Trend Micro. Defender's seamless integration and zero additional cost aligned with our strategy of opting for solutions without extra expenses.
What other advice do I have?
Overall, I would rate it eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
It security manager at a construction company with 1,001-5,000 employees
Powerful security operations with advanced threat detection and comprehensive integration capabilities
Pros and Cons
- "The ability to integrate and observe a more cohesive narrative across the products is crucial."
- "There are still some components, such as vulnerability management within the vendor product, where improved integration would be beneficial."
What is our primary use case?
We implemented Defender two and a half years ago, utilizing it in a passive mode with only the sensor active for data collection and basic EDR results. Although it has been running on all devices, we are currently in the process of making the final transition from the existing setup to fully leverage Defender as our EDR solution.
How has it helped my organization?
We utilize analytics on both iOS and Android platforms, and it holds significant importance for us. Compliance with mandates, often stemming from executive orders, requires meeting specific contract requirements. In response, we employ analytics to implement and maintain controls consistently across various device types. The capability to adapt to emerging threats is of utmost importance to us. We lack the time and resources to constantly learn about new indicators and threat actors. We expect that the threat intelligence from Microsoft and other providers seamlessly integrates into the system, enabling automatic updates based on the current global threat landscape. The unified single pane of glass is a significant benefit. It consolidates everything into one interface, eliminating the need to navigate through multiple portals for information.
What is most valuable?
The greatest value lies in integration, I believe. The ability to integrate and observe a more cohesive narrative across the products is crucial.
What needs improvement?
There are still some components, such as vulnerability management within the vendor product, where improved integration would be beneficial. Currently, it's not visible in the same interface, requiring us to search elsewhere to access that information. While it has streamlined data collection and retrieval, there's still room for improvement in terms of user-friendliness for certain individuals. While the ultimate goal is to enhance security, there's room for improvement in terms of pricing.
For how long have I used the solution?
We are currently in the migration process from Sophos to Microsoft Defender.
What do I think about the stability of the solution?
It offers high stability.
What do I think about the scalability of the solution?
The backend infrastructure and structure in place seem to be easily scalable to meet our requirements.
How are customer service and support?
Customer service and technical support vary. Opening support cases for different components within the security stack or Microsoft entity often reveals that first-level support is lacking. It typically takes two or three weeks to get an escalation, and by then, the issue may have resolved itself. Escalations are challenging, as first-level support struggles to comprehend the problem, leading to repetitive discussions. I would rate it four out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We transitioned from Sophos to Microsoft Defender primarily due to cost reduction and the elimination of duplicated technologies.
How was the initial setup?
The initial setup used to be complex, but now it's much more streamlined.
What about the implementation team?
We follow a phased approach for deployment, beginning with a proof of concept pilot. However, our main deployment cycle revolves around Defender, facilitated via Intune, where all devices are managed. Building the package and incorporating scripts into Intune is the key process for the sequential implementation, which has evolved over time. Maintenance involves keeping pace with changes, not just patching. Microsoft has significantly improved patch cycle management, but dealing with the constant stream of changes they introduce remains a challenge.
What was our ROI?
It proved to be effective in cost savings. Our return on investment is tied to the existing investment in the current SKU. We anticipate not only recouping the dollars spent but also gaining the advantage of a unified interface, a single pane of glass. This consolidation allows us to streamline our operations, saving valuable time and effectively reclaiming productivity that would otherwise be spent navigating between different platforms on a daily basis.
What's my experience with pricing, setup cost, and licensing?
When seeking a security suite, even with an E5 enterprise license, additional purchases are still necessary. The license cost for a year is approximately forty-four thousand, and this annual saving is a significant factor in our decision to switch.
Which other solutions did I evaluate?
In the past, we explored alternatives such as Carbon Black and Cylance, particularly for their machine learning and AI components, which were quite innovative at that time, approximately three years ago. However, our approach has evolved, and we've shifted significantly towards the Microsoft Stack. The decision is influenced by our existing environment, where we can readily assess the capabilities available within Microsoft.
What other advice do I have?
The critical aspect is comprehending your existing setup. During our migration, we opt for a like-for-like transition instead of going for something entirely new, as the latter could be disruptive to some processes. Defender offers extensive capabilities, but understanding where to begin is crucial to avoiding disruption. Start with a like-for-like migration and plan the subsequent ramp-up to align with its capabilities. Overall, I would rate it eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant at a tech services company with 501-1,000 employees
The chain alert mechanism combines all the alerts into one incident and automatically correlates them with AI
Pros and Cons
- "The best feature is threat hunting. There are a lot of other features I like, such as the alert mechanism. The chain alert mechanism has a huge impact. It combines all the alerts into one incident and automatically correlates them with AI."
- "There is no common area where we can manage all the policies for the EDR, third-party solutions, devices, servers, Windows, Mac, etc., but it's on the road map, and we ware waiting for that feature."
What is our primary use case?
I'm a deployment engineer for Microsoft products, and we work with multiple SMEs. Customers adopting Microsoft products want the same features they had in their third-party solutions. We look at their requirements and the types of features they need. We determine the security mechanism that best addresses their vulnerabilities. We might suggest Defender for Identity, Defender for Endpoint, 365 Defender, and Defender for Cloud Apps. In addition to those security solutions, we offer device management. We provide everything.
How has it helped my organization?
Defender improves our security operations. I've had chances to collaborate with our SOC team. Our customers face many random attacks they don't know how to prevent, and the SOC team handles them remotely. The security engineers can investigate the incident or use the information from the customer's environment to offer a recommendation. If the customer doesn't have the detection mechanism, we can recommend a product or find a solution for them.
The solution can help customers save money because we can bundle it with all the other Microsoft solutions, like email and Defender for endpoint, identity, and cloud apps. Most of our customers use Windows 10 devices and Microsoft Active Directory, so everything is on the same page. Defender can save time by automating investigation and response. We don't need to spend much time because it'll automatically take action in many cases.
What is most valuable?
The best feature is threat hunting. There are a lot of other features I like, such as the alert mechanism. The chain alert mechanism has a huge impact. It combines all the alerts into one incident and automatically correlates them with AI.
Defender has integrated identity access management, and you can add DLP features through a separate solution called Microsoft Purview. Within the cloud, we can create access policies based on each user's risk. It's integrated with Azure AD and on-prem Active Directory, so all the user identities can be managed in a single portal.
We use the multi-tenant management capability, so we can cover customers that have multiple regions. We can easily investigate across tenants based on severity. For high-priority alerts, we start from scratch and ignore what's happening on the endpoints or emails. We isolate the device and ensure that nothing will be released from it. Next, we check this device and some more details.
What needs improvement?
There is no common area where we can manage all the policies for the EDR, third-party solutions, devices, servers, Windows, Mac, etc., but it's on the roadmap, and we were waiting for that feature.
For how long have I used the solution?
I have used 365 Defender for about four years.
What do I think about the stability of the solution?
365 Defender is stable. There is no downtime. Still, Microsoft is constantly rolling out features, so there are sometimes bugs after new releases. Our customer experience team is collaborating with Microsoft and sharing feedback with them.
What do I think about the scalability of the solution?
365 Defender is scalable
How are customer service and support?
I rate Microsoft support nine out of 10. The support depends on the product and the customer's issues.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I work with customers coming to Microsoft from other third-party products, so I try to understand what the product does and suggest a solution. The names are different, but all the technology is the same.
How was the initial setup?
Deploying Microsoft Defender isn't complex if you have experience. The deployment depends on the number of users, apps, and the client's requirements. If the client wants to implement XDR, it takes about a month to achieve full functionality. Endpoint protection takes around five to ten days. It's a cloud product, so it doesn't require any maintenance.
What's my experience with pricing, setup cost, and licensing?
Defender XDR is agentless, so you don't need to install an agent anywhere. It's a cost-effective option.
What other advice do I have?
I rate Microsoft 365 Defender nine out of 10. We recommend it to our customers.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Cloud Productivity and Security Engineer at a tech consulting company with 11-50 employees
Good automation, nice centralized dashboard, and very helpful threat intelligence
Pros and Cons
- "The comprehensiveness of Microsoft's threat detection is good."
- "The only issue I've had is, when it comes to deployment, the steps I must take around policy setup. That is challenging."
What is our primary use case?
I primarily use the solution as an engineer. I use the product to protect the endpoint and I use it to protect my customer's environment.
What is most valuable?
The web protection on offer is very good. For a company that doesn't have a firewall, it's quite useful.
It gives feedback and helps protect internet access. It provides you with analysis on the state of the environment and you have a direct link to Microsoft which is doing its own research on security. You're constantly getting feedback from Microsoft resources so that you can be up to date in your own environment and you'll have a better understanding of the security landscape.
The solution is great for companies on a budget.
Defender provides helpful visibility into threats. It covers a lot and comes with a next-gen antivirus. With that, you can register to the cloud, and, if you have cloud protection, your environment is protected even more.
It helps us prioritize the threats across our enterprise. It covers all of our devices. You can cover your entire operation with the license you purchase.
Microsoft 365 Defender is easy to integrate with other products. You just have to configure some things in order to integrate everything and you are SDR compliant. We currently have it integrated natively, so we don't have to worry about configurations.
The comprehensiveness of Microsoft's threat detection is good. Microsoft provides a lot of security. It gives you visibility and IT has a lot of control over everything. You can see your environment, including clouds. You can block things within your environment as needed. The applications are easy to manage. It also has app governance to be able to gain visibility into permissions.
The product has helped automate routine tasks and the finding of high-value alerts. It has an automatic investigation feature that you can enable. It's great for automation. Thanks to automation, it has helped reduce the time it takes to analyze security events and alerts. You don't have to wait to take action. If there is a threat, you can neutralize it faster and it will record everything for audit records. While I know it has saved us time, I can't quantify that into a specific amount of hours.
We no longer need to look at multiple dashboards. Now, everything is centralized under one dashboard.
The product's threat intelligence helps us prepare for potential threats and take proactive steps. Since we've been using it, we've had no security incidents.
What needs improvement?
The only issue I've had is, when it comes to deployment, the steps I must take around policy setup. That is challenging. We're working on the onboarding and configuration policies. We're collecting feedback from customers and partners in hopes of refining the future design for deployment.
For how long have I used the solution?
I've used the solution for about two years.
What do I think about the stability of the solution?
The feedback I have received from customers is that the stability is very good.
What do I think about the scalability of the solution?
The product scales well.
How are customer service and support?
If you have a license through a partner, it's the partner that will support you.
The only issue with Microsoft is the response times. They are very competent, however, sometimes you will send an email and get no response.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I previously used Sophos. I then switched to Microsoft Defender. The Sophos deployment is quite easy in comparison. You can do everything from a single portal. They had already achieved effective centralization.
How was the initial setup?
Right now, there are two different ways to onboard. You might have to have a different partner to configure policies. However, right now, you can also create policies from the activity center, so you don't have to do it from the device itself.
How long a deployment takes depends on your scope and the number of devices you are covering.
If you do not get a license for the portal, you'll have to use the manual to deploy. If you have an older server you may encounter some issues. However, if you upgrade the server at the same time, you'll have fewer problems.
What other advice do I have?
We do use more than one Microsoft security product. We've integrated with other products.
I do not make use of the directional sync capabilities at this time. I'm also not using Microsoft Sentinel.
I'd rate the solution eight out of ten. If the deployment of the agent was better, I'd move my grade closer to ten. It should be more automatic. You also shouldn't have to install the logs.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Manager at Zubair Feeds
Is stable, scalable, and protects against ransomware
Pros and Cons
- "Email protection is the most valuable feature of Microsoft Defender XDR."
- "The price should be adjustable by region."
What is our primary use case?
We use Microsoft Defender XDR for our Microsoft 365 email service.
How has it helped my organization?
It helps protect us against ransomware. We were a victim of a malware attack in 2018 before implementation.
What is most valuable?
Email protection is the most valuable feature of Microsoft Defender XDR.
What needs improvement?
The price has room for improvement. The price should be adjustable by region.
For how long have I used the solution?
I have been using Microsoft Defender XDR for almost 5 years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
Microsoft Defender XDR is scalable.
How are customer service and support?
The technical support is good.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender XDR is priced high.
What other advice do I have?
I would rate Microsoft Defender XDR 8 out of 10.
No maintenance is required from our end because it updates with the OS.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst II at COMMTEL
It lets us prioritize threats and automate responses, but the threat intelligence could be better
Pros and Cons
- "I like Defender XDR's automation capabilities. XDR isn't automated by default, but you can automate it to respond. If an attack is performed anywhere within the organization, you can isolate that instance from the network. This is what I can figure out for it. When integrated with Sentinel, you can set up playbooks to automate all the alerts gathered on Sentinel from different Microsoft solutions. Sentinel has a wider range of capabilities than XDR."
- "When we do investigations, it would be better if Microsoft could populate the host dashboard more. When we open any host for investigation, we want the entire timeline of what is happening on the host, including all the users logging in, their hardware, Windows version, etc."
What is our primary use case?
We typically use Defender's default settings and are implementing MITRE ATT&CK use cases on Microsoft Defender this year. We do manual threat hunting and check to see if there is a trending attack. We have the latest IOCs and sweep across the organization looking for them.
When implementing Defender, we usually use its advanced hunting features to determine particular techniques used across the whole environment. We use multiple Microsoft security products, including Defender for Endpoint, Defender for Cloud Apps, Sentinel, email and collaboration, data loss prevention, and Microsoft Purview.
How has it helped my organization?
Defender XDR enables us to prioritize threats according to the algorithm or our custom rules. We can prioritize threats and have the option to automate the response. For instance, let's say we are facing a sticky key hijack. When you press shift several times at the login screen, you can open the command prompt of that particular host. That is a vulnerability of Microsoft Windows. When this happens, we can automate a priority alert and also isolate that endpoint from the network immediately.
The solution reduces our remediation time by enabling our security analyst to respond quickly, make some automations, and edit the rules to detect any potential threats. The extent to which the solution reduces the remediation time depends on the analyst's skill. If the security analyst is good, Defender XDR will help them.
XDR saves money if you are using Microsoft products. XDR is more inclined toward Active Directory, a Microsoft product. No other XDR can integrate with Active Directory so seamlessly and use it to its fullest potential. Microsoft also offers multiple sub-products. If we purchased third-party solutions for email, endpoint, XDR, cloud applications, etc., and managed them on a single platform, it would be more expensive than Microsoft solutions. When we do a cost-benefit analysis, Microsoft Defender XDR offers a better value.
What is most valuable?
I like Defender XDR's automation capabilities. XDR isn't automated by default, but you can automate it to respond. If an attack is performed anywhere within the organization, you can isolate that instance from the network. This is what I can figure out for it. When integrated with Sentinel, you can set up playbooks to automate all the alerts gathered on Sentinel from different Microsoft solutions. Sentinel has a wider range of capabilities than XDR.
What needs improvement?
Defender XDR has good threat visibility, but it could be better in some areas, like when we are hunting for a specific host. For example, let's say we are investigating email services, and want to trace an email account to its host PCs and investigate the emails in its inbox. We want more visibility into the email side of investigations. It would be better if these features could be more integrated into the console like you could have a tab for Cloud Apps to see the cloud applications a user had communicated with.
Microsoft's threat analytics are somewhat helpful for anything related to Microsoft products. For instance, it can update us about any single sign-on vulnerabilities or something along those lines. However, Microsoft was very late in terms of the recent LockBit attacks. LockBit compromised some significant organizations, and Microsoft didn't provide the report fast enough. It was reported on my normal cybersecurity information websites first. The site analytics are a bit weak when it comes to non-Microsoft clouds.
Defender XDR is capable of providing intelligence reports about threats specific to Microsoft components, but if we are implementing a Microsoft solution across an organization, many other products and side factors must be considered. I feel like Microsoft falls behind some other vendors in threat intelligence.
When we do investigations, it would be better if Microsoft could populate the host dashboard more. When we open any host for investigation, we want the entire timeline of what is happening on the host, including all the users logging in, their hardware, Windows version, etc.
For how long have I used the solution?
I have used Defender XDR for nearly 2 years.
What do I think about the stability of the solution?
We haven't faced issues with stability. XDR doesn't lag during investigations. We've seen a few minor bugs in the XDR console but not often. There have been no major issues that disrupted our operation.
What do I think about the scalability of the solution?
Defender XDR has good scalability. If you want more endpoint visibility, you don't need to scale your organization much. You only need to integrate that particular endpoint by running a script and deploying an agent to it.
How are customer service and support?
I haven't contacted Microsoft support about XDR, but my client has. One of the alerts was triggering incorrectly based on a default setting. We asked their team to investigate why the solution was excessively triggering. I just disabled the default rules and made custom policies. Now, everything is working fine.
Which solution did I use previously and why did I switch?
I previously used CrowdStrike EDR. It's hard to compare the two products because CrowdStrike EDR was focused on endpoint detection, so it cannot investigate emails or have any other XDR capabilities. One is an XDR and the other an EDR.
Which other solutions did I evaluate?
We compared Microsoft Defender XDR to Trend Micro's Vision One. Defender's advantage over Vision One is ease of use. Managing and enabling policies is much easier on Microsoft Defender. There's a considerable difference between their default rules. In some cases, alerts will trigger in Defender, but not Vision One. Overall, Microsoft Defender XDR is preferable over Vision One.
What other advice do I have?
I rate Microsoft Defender XDR 7 out of 10. It's a useful product for a professional security analyst who knows how to increase the visibility. You only need to make some front-end changes and put the data on host names into XDR.
If someone asked me whether a best-of-breed or single-vendor approach is better, I would support mixing different products. Each security vendor has its own intelligence base. By including other vendors, I am gaining visibility into more indicators of compromise. Nevertheless, I would still pick Microsoft Defender XDR and Sentinel together because they are well integrated. All the big companies and banks use Microsoft. Windows is a popular operating system across the world. Defender and Sentinel are better integrated with Microsoft systems.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner

Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros
sharing their opinions.
Updated: March 2025
Product Categories
Extended Detection and Response (XDR) Endpoint Detection and Response (EDR) Microsoft Security SuitePopular Comparisons
CrowdStrike Falcon
SentinelOne Singularity Complete
Cortex XDR by Palo Alto Networks
IBM Security QRadar
Elastic Security
Trellix Endpoint Security
Intercept X Endpoint
Trend Vision One
Forescout Platform
Vectra AI
Rapid7 InsightIDR
Mandiant Advantage
Stellar Cyber Open XDR
Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the best EDR or XDR product for a company with 9000 employees?
- When evaluating Extended Detection and Response (XDR), what aspect do you think is the most important to look for?
- How do you decide about the alert severity in your Security Operations Center (SOC)?
- Which is better for Endpoint Security: EDR or XDR solutions?
- What are the main differences between XDR and SIEM?
- Why is Extended Detection and Response (XDR) important for companies?
- How do you use the MITRE ATT&CK framework for improving enterprise security?
- What tools and solutions do you use for automated incident response in an enterprise in 2022?
- FortiXDR vs Cortex Pro - which is the best?
- What is Cognitive Cybersecurity and what is it used for?