Microsoft Defender XDR Reviews

Microsoft 365 Defender has many use cases. It includes four different services: Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps.

Microsoft Defender for Identity protects on-premises identities and synchronized identities from on-premises to the cloud. It ensures that identities are not compromised and that domain controllers are protected. This service is especially helpful for large enterprise customers who cannot move to the cloud entirely.

Microsoft Defender for Endpoint ensures that endpoints, such as laptops and mobile phones, are managed and protected. It is important that all four Microsoft 365 Defender services are integrated and share signals with each other. This allows for more comprehensive security and threat detection.

Microsoft Defender for Cloud Apps focuses on application-related issues. It allows us to sanction or unsanctioned applications, manage shadow IT and prevent users from uploading documents to external cloud storage or sending emails with unapproved documents.

Microsoft 365 Defender Portal integrates all four Microsoft 365 Defender services into a single portal. This makes it easier for security engineers to view logs, events, and incidents from all four services in one place.

In addition to Microsoft 365 Defender, it is recommended to have a Security Orchestration, Automation, and Response solution. Microsoft's cloud-native SOAR solution is called Sentinel. Sentinel is a powerful tool that can be customized to meet the specific needs of our organization. It is also cost-effective because we only pay for the features we use.

KQL is a powerful tool that can be used to create custom queries for Microsoft 365 Defender. CQL is similar to the PowerShell language, so it is easy to learn for IT professionals who are already familiar with PowerShell.

The visibility into threats is good. We can see all the information we need using the Microsoft 365 portal. There are recommendations that we need to follow, as well as explanations and descriptions of the threats. These descriptions explain what the threats can do, how they can scale, and how to protect our environment against them. I think that Microsoft is doing a very good job of sharing knowledge with customers, even about zero-day activities that are just being discovered by security researchers. I really appreciate Microsoft's openness and willingness to share this knowledge with its customers.

Microsoft 365 Defender helps us prioritize threats across our environment. This is important because if there is a known threat that we can find within the portal, we can see the information that the threat is trying to access, such as domain contrast. Microsoft 365 also provides us with numbers, values, risks, and scores that point to our environment and indicate which threats are vulnerable. For example, if there are ten Windows server machines that need to be patched, Microsoft 365 will tell us. If we do not patch these servers, they will remain vulnerable and we could be in trouble. Microsoft 365 provides us with a lot of information about our environment, which is very useful. This information helps us to identify and prioritize threats, and to take action to mitigate them.

We integrated Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Cloud Applications, and Microsoft 365 Defender.

With a Microsoft E5 license, all the Microsoft 365 Defender suite services are available. Once we purchase those services, we can get the best value by integrating the solution. This is a one-click process that should be the first step for everyone who has the license and is taking the security solution.

The solutions work together seamlessly to provide coordinated detection and response across our environment. This is important because small and medium-sized businesses cannot afford to have thousands of security analysts monitoring their environments for threats. With these integrations and Microsoft cloud-based solutions, SMBs can outsource their security teams to Microsoft. Microsoft's security team is constantly monitoring for new threats, vulnerabilities, and risky activities. They deliver this information to SMBs through email and other channels. This allows SMBs to focus on their core business activities without having to worry about security.

The comprehensiveness of the threat protection provided by these Microsoft security products is important. It is important to understand how they work, how they are configured, and how they share information with each other. It is also important to understand the activities that they perform and to be able to highlight the important aspects of those activities. This includes understanding what happens, why it happens, what could happen, and what mitigation steps are being taken. All of this information is key to understanding how these products can protect our organization from threats.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. Without being able to share data from our different solutions and products into one data storage, we cannot really monitor that data. If we have visibility on one data storage on one product, and we have visibility on a different product that stores data in different storage, we have to control both separately. With Sentinel, we can have Log Analytics. We have a single Log Analytics workspace where we can ingest data from any solutions, products, external third parties, network appliances, cloud-based solutions, or on-premise-based solutions. We can ingest all this data into Log Analytics sources. Within the Linux workspace, something is based on top of that and is capable of monitoring the logs and finding suspicious activities.

Microsoft Sentinel enables us to investigate threats and respond holistically from a single location. This is the most important feature of any cloud-based SIEM solution. We must be able to take action immediately, and with Sentinel, we can do just that.

Given Microsoft Sentinel's built-in SOAR capabilities, UEBA, and threat intelligence, the security protection provided is comprehensive. The integrations and AI-based, machine learning-based features built into Sentinel are the main pillars of the cloud-based security solution. This is how a next-generation security solution should be built. It should help prepare and maintain security by integrating with other services. It is not enough to simply configure Sentinel wisely. Microsoft must also continue to improve the service by adding new features. Thanks to these basic pillars, Microsoft can continuously improve Sentinel.

When we first set up Microsoft Sentinel, we can define which logs we want to ingest and how long we want to keep them. We can configure the retention period for each log type. The retention period determines how long Microsoft Sentinel will store the data before it is deleted. There are three types of logs that we can ingest into Microsoft Sentinel without paying for them, Audit logs, Microsoft 365 change logs, and Microsoft 365 online logs. For all other log types, we will be charged for storing the data after 90 days. If we have a Microsoft 365 subscription and we have integrated Microsoft Sentinel with our environment, we can monitor Exchange service for free for 30 days. This is because we can ingest the data for free and we can store the data for 30 days without being charged. It is important to test our environment and configure the retention periods for our logs so that we can understand how much Microsoft Sentinel will cost us. Microsoft Sentinel provides detailed workbooks that we can use to analyze our costs.

Microsoft 365 Defender includes four services and four products, which can help organizations a lot. We don't need to hire as many security analysts. What we need to work on is making sure that the security engineers who are working with the Microsoft 365 Defender suite are up to date on the technology. We need to allow them to study, keep studying, improve, share knowledge, and gain hands-on experience, not just theoretical knowledge. Thanks to the Microsoft 365 developer tenant, we can set up a tenant for testing purposes for free. This is great, and we can all use these developer tenants to test different business use cases and see how they work. Microsoft Defender can help organizations a lot if they are really paying attention to how it should be configured. They should follow Microsoft guidelines on how to prepare each service and how to prepare the environment. 

Microsoft 365 Defender helps automate routine tasks and the findings of high-value alerts. It has a configuration capability that allows us to automate different tasks, which can be very helpful. Automation is always a key goal when purchasing a new product or service, as it can help to streamline processes and save time. When automating a new product or service, it is important to consider the expected results and how they can be best resolved.

When configured correctly, automation can have a significant impact on our security operations. Automation plays a big part in Microsoft 365 and Sentinel Integration. Once we can access the portal, there are services where we can use more automation than in other services. For example, we can configure Microsoft Defender Cloud Apps to automatically block risky applications with a risk score under five. This can be very useful, as it frees us up from having to manually monitor new applications and manually block risky applications. This automation is one of the main goals of the security department. It can take some time and effort to implement, but it is worth it in the long run. With Microsoft, automation is a cost-effective solution.

Microsoft 365 Defender helped eliminate the need for multiple dashboards by providing a single XDR dashboard. In 2020, there were different portals and different dashboards for each service within Microsoft 365 Defender. These services are now being migrated into a single portal, the Microsoft 365 Defender portal. This allows users to view all of their security data in one place, without having to switch between different portals. The integration process is still ongoing, and some features have been removed from the old portals. However, users can still access all of their data by following the new updates and how they are being integrated into the Microsoft 365 Defender portal. Overall, the new Microsoft 365 Defender portal provides a more unified and user-friendly experience for managing security data.

Microsoft 365 Defender Threat Intelligence helps us prepare for potential threats before they hit. Microsoft shares threat-related information they gather from different sources and vendors. They not only describe the threat, but they also recommend activities within our environment to help us protect ourselves. This is a valuable service because it allows us to take steps to mitigate threats before they impact our organization.

Microsoft 365 Defender saves us time. I used to have to open multiple portals to check for threats, but now I can do everything in one place. This has freed up my time so I can focus on other tasks. In addition, Microsoft 365 Defender has helped us to reduce the number of security analysts we need to hire. This is because the solution is able to detect and respond to threats more effectively than we could on our own. Overall, Microsoft 365 Defender has been a valuable addition to our security team. It has helped us to save time.

Microsoft 365 Defender helps us save costs by providing all the information we need in one place. The ability to monitor and respond from one place is a key element of the entire threat investigation process.

We are a security consulting company that assists clients with their Microsoft 365 and Azure security and workloads. We can help optimize the use of their purchased feature sets and licensing, ensuring they get the most out of their investment for security and other workloads and features within the 365 and Azure environments. As information flows between their 365 and Azure environments, we offer expertise to ensure clients are utilizing all available resources effectively.

The majority of our deployments follow a hybrid model, which is currently the norm. Although there have been instances where organizations have fully migrated to the cloud, many larger enterprise solutions in the industry are still in the process of transitioning from on-premise to cloud-based infrastructure. Consequently, most of these solutions are currently in a hybrid state.

The visibility provided by Azure is multi-dimensional, and one aspect that I appreciate is the Microsoft 365 Defender portal. It not only offers Azure security but also a single-pane-of-glass experience where we can view our SaaS applications, email hygiene, and threats and alerts, all on the same page. The monitoring is exceptional, and the quality and depth of the telemetry are impressive. Clients appreciate the fact that we can access incident or alert details, including the affected entities and the timeline of events. For instance, we can identify where an email was opened, a link was clicked, and how malware or viruses spread across the network, causing damage. Additionally, the portal's ability to provide automated responses is second to none, and we can see how Microsoft's AI technology can isolate or stop these instances from further propagation. In summary, Microsoft 365 Defender is a powerful tool.

Microsoft 365 Defender assists in prioritizing threats within our enterprise by utilizing CVE security, a standard security prioritization method. This means that the product has incorporated industry standards into the Microsoft tenant, providing prioritized threats and best practice remediation. With the help of Defender, we gain insights on how to remediate and prevent future threats from similar malware or incidents.

We utilize several security products to ensure the protection of our data and identity. Our product offerings include Defender for Identity, Defender for Cloud, built-in tools for data governance and data protection, as well as compliance and monitoring through the compliance portal. Typically, clients with E5 or A5 licenses can benefit from these products, which cover a wide range of features for protecting data, and identity, and detecting risky behavior such as risky sign-ins and user behavior analytics. The behavior analytics feature, which is a part of our Defender product, has been particularly crucial for federal governments and other organizations with highly sensitive data. While all of our products are valuable and important, we believe that identity is the most crucial foundation to start with since it feeds into everything else.

The integration of Microsoft products is almost seamless, as long as we have the licensing piece. To enable sharing or maintaining telemetry across different solutions, we turn on Connect and switches for products like SharePoint, OneDrive, Teams, and Exchange. Setting up connectors for SharePoint on-premise or Exchange online may be necessary, but Microsoft provides setup wizards and good documentation on their website, making it easy to implement solutions. Any difficulties usually arise from user error or trying to integrate insecure legacy third-party software. However, most modern authentication and protocol software integrate seamlessly within the Microsoft environment. The Microsoft documentation site is excellent, with built-in training and links to assist with implementation.

The security solutions work together seamlessly to provide coordinated detection and response across our environment. One of the things I appreciate about these products is that the Defender products share telemetry across the board. For instance, if we set up Defender for Identity on our domain controllers, we need to grant permissions for that telemetry to be accessible from Microsoft 365 Defender in the cloud. This means we may have to give permissions to our on-premise domain controllers. While the integration is simple, it is essential to follow the documentation to ensure a seamless and easy-to-maintain setup, monitoring, and management of our Microsoft 365 and Azure ecosystems.

Microsoft covers all current threats that have been identified by various security organizations and standards. These threats are typically integrated into the Microsoft ecosystem, including zero-day detections. Microsoft is plugged into world-class cybersecurity organizations, ensuring that all vulnerabilities and updates are current and available in the Microsoft portals. The comprehensiveness of Microsoft's security coverage is top-notch, with seamless integration with other clouds and on-premise products. While there are other products competing in this space, Microsoft 365 users and organizations should not rely on third parties when Microsoft already has integrated solutions available.

Microsoft Defender for Cloud's bi-directional sync capability is crucial as it enables the transmission of telemetry data regarding SaaS application usage from client systems, on-premise devices, and any other systems that access the Microsoft 365 cloud. This feature ensures that real-time data is accessible for managed systems, providing immediate access to any detection of sanctioned or unsanctioned applications. The bi-directional sync capability offers immediate data feedback, which is essential for prompt action.

Microsoft Sentinel enables us to gather data from our entire ecosystem. However, it is important to note that using Sentinel requires a Microsoft subscription and a storage account. Therefore, it is necessary to consider the cost of data ingestion and aggregation. It is crucial to only ingest data that is relevant and beneficial for our security monitoring and data log aggregation. Simply collecting data without a specific purpose is not advisable. I advise our clients to focus on maintaining a lean monitoring and data log aggregation approach that yields security benefits. We can detect and query threats using the crystal query language that is integrated with Sentinel, making it a key component of our Microsoft security journey with our clients. Sentinel connects with everything and has native connectors and third-party options available. Additionally, Sentinel can be set up as a provider of security operations center capability by connecting it to another cloud.

Microsoft Sentinel allows us to investigate threats and respond to them in a comprehensive manner, all from one platform. What I find particularly impressive about Sentinel is its ability to provide both reporting and analysis through workbooks, and actionable response strategies through playbooks. In addition, Sentinel includes UEBA and threat intelligence capabilities. This raises the question of how we can evaluate the effectiveness of Sentinel's security protection. One advantage of Sentinel is that it not only detects threats but also responds to them using advanced DAI and intelligence technology. This allows us to take proactive measures and set up playbooks and other capabilities that integrate seamlessly with Sentinel. By taking telemetry from different products and environments, Sentinel provides a three-dimensional perspective that other products may lack. This helps us take the right steps toward risk mitigation or remediation by giving us current, broad coverage. With telemetry, we can take a holistic approach to secure entities affected by any type of alert or environmental compromise. Sentinel's ability to bring together reporting, analysis, and actionable response strategies makes it a superior product in terms of security protection.

The cost of Sentinel depends on the amount of data being processed. This is likely true for other similar products as well. Typically, the cost of using these products is associated with ingesting and aggregating data logs. However, I believe Sentinel's cost is competitive and provides an advantage, as it offers more than just a SIEM or SOAR solution. Sentinel includes response capabilities, which is where it excels. Therefore, I believe the cost is reasonable considering the benefits it provides.

After implementing Microsoft 365 Defender, our organization has observed a significant improvement in our security measures. We have noticed a substantial decrease in compromised accounts, access issues, and entry problems resulting from phishing attempts, emails, and other security threats. This improvement can be attributed to the robust exchange of online protection capabilities. The impact has been remarkable and has made a noticeable difference in our overall security. Additionally, addressing insecure applications operating within our environment and managing data governance has been a challenge. Data governance, in particular, can be time-consuming since data is ubiquitous and it takes time to establish the appropriate tools, labels, and policies to protect it. It requires a marathon-like approach rather than a sprint and Microsoft 365 Defender has helped reduce the time.

Our Microsoft security solutions automate routine tasks and aid in detecting high-value alerts. The ranking of these alerts is customizable, allowing us to adjust their priority based on our industry or organization's specific needs. While the default settings are effective, we appreciate the ability to modify them to better suit our purposes. This customization feature is particularly valuable as it allows us to tailor the alerts and detections to our particular use case.

The solution has helped our clients by eliminating the need for multiple dashboards and providing one comprehensive XDR dashboard. This has been the most significant feedback from our clients who prefer to have all information in one place instead of having to navigate through multiple portals. With the integration of Microsoft tools like Power BI, our telemetry can be displayed in different views and graphics, making it easily understandable for all stakeholders and users. Power BI can also import Sentinel queries, allowing for customized dashboards with a unique look and feel. I appreciate the flexibility and versatility of Power BI in creating informative and visually appealing dashboards.

The solution's threat intelligence helps us prepare for potential threats before they strike, allowing us to take proactive measures. I have witnessed some excellent updates that are posted on the Microsoft Defender portal. These updates have enabled us to stay ahead of any potential threats. When there is an attack, Microsoft is quick to disable affected services, such as service principals or services, across many servers and other devices, taking affirmative action ahead of time. I have observed many proactive notifications, including day-one or zero-day notifications, that are promptly released on the Defender side. This approach allows us to get ahead of the potential issues and prevent any significant impact.

The amount of time saved by using automation tools is significant and exceeds our expectations. While we sleep, these tools perform tasks such as deleting phishing and malicious emails and conducting automated investigations. This has resulted in a substantial reduction in the number of man-hours needed for Microsoft security and Defender product tasks, which has more than justified their cost.

Microsoft 365 Defender has saved our organization money.

Microsoft 365 Defender has significantly reduced our detection and response times. The proactive nature of the software alerts us to suspicious activity, such as a user logging in from an unknown location, allowing us to trigger conditional access responses accordingly.

Microsoft 365 Defender works together with Exchange Online is my area of specialty.

Microsoft 365 Defender incorporates a capability to identify potentially malicious emails or emails originating from suspicious senders.

Previously, we encountered a significant number of spam emails and suspicious emails, and users were inadvertently interacting with them. However, we have made progress in addressing this issue. We have conducted attack awareness training to educate users on identifying suspicious emails, and Microsoft Defender has played an important role in preventing such emails from reaching our inboxes. As a result, we have noticed a reduction in the volume of spam emails and an increase in the delivery of trustworthy emails. Considering these improvements, I can confidently state that we are in a better position now in terms of email security compared to the past before the implementation of Microsoft 365 Defender.

Within Microsoft 365 Defender, specifically using Advanced Threat Protection, you have the ability to define rules and actions for high-value alerts. 

By using Advanced Threat Protection, you have the capability to conduct thorough investigations and delve deeper into the search for specific threats that you suspect may be present within your organization. 

Within the Microsoft 365 Defender suite, you have access to numerous features that enable you to effectively track and investigate potential threats within your organization.

Automation significantly impacts our security operations in a highly beneficial way. It revolutionizes our approach by providing a centralized IT vendor admin center where we can execute all our search queries and obtain the desired information from a single interface. This unified platform streamlines the entire process by consolidating various components and their respective search processes into one, eliminating the need to navigate through multiple individual interfaces. With Microsoft 365 Defender, we have the convenience of accessing and investigating different areas of interest from a single standpoint. This not only saves us substantial time but also reduces effort and enhances overall efficiency in our security operations.

The consolidation of security operations has had a significant impact on our effectiveness and efficiency. It has resulted in improved response times, enabling us to swiftly pinpoint the potential sources of threats. We have observed a reduction in incident response time, allowing us to address security incidents more promptly. Additionally, the consolidation has enhanced the efficiency of our deployment processes, streamlining our overall security operations. These notable impacts have greatly contributed to our organization's ability to proactively identify and mitigate threats, ultimately bolstering our security posture.

Threat intelligence is an essential component in proactively preparing for potential threats and implementing proactive measures. While I have not personally engaged with this particular feature, it is widely acknowledged that staying informed about current threat intelligence is essential.

Although preventive measures are in place to minimize maintenance issues, there can be instances where threats successfully circumvent those safeguards. However, the capability to detect and identify threats before they cause harm to the system remains a valuable advantage. Anticipating the effects of this specific feature in Microsoft Defender is something I am eager to experience, as it appears to be a fascinating addition to the security measures.

Microsoft 365 Defender is used for our threat policies, configuration, and security protection.

The current level of threat visibility is good.

Microsoft 365 Defender helps prioritize threats across our enterprise which is important for our organization.

The mail component within our organization is the most critical part and Microsoft 365 Defender plays a big part in protecting that component. 

We have integrated Microsoft 365 Defender with Defender for Cloud, and Sentinel. Integrating the solution with Defender for Cloud is easy. 

The integrated solutions work natively together to deliver a coordinated detection and response across our environment which is important for our organization.

The comprehensiveness of the threat-protection that Microsoft products provide is good.

The bidirectional sync capability of Defender for Cloud is important for our organization.

The bidirectional sync of Defender for Cloud helps us secure our network.

Microsoft Sentinel allows us to investigate data from our entire ecosystem.

The ingestion of data to our security operations is critical and Sentinel does a better job than the other solutions we tried.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place which is important for us.

The built-in UEBA and threat intelligence capabilities are good.

Microsoft 365 Defender helps our organization by detecting false positives.

Our Microsoft security solutions help automated to retain tasks and help automate the finding of high-value alerts.

The automation has helped us with our playbook.

The solution has helped eliminate multiple dashboards by providing one XDR dashboard.

Having one XDR dashboard allows us to react to threats faster.

Microsoft 365 Defender's threat intelligence helps us prepare proactively for potential threats before they hit.

Microsoft 365 Defender has saved us between one and three months of time.

Microsoft 365 Defender has saved us time to detect and respond.

We have saved a significant amount of money with the implementation of Microsoft 365 Defender. Prior to using this solution, we encountered costly incidents.

I work for a managed security service provider, where a dedicated team at our Security Operations Center manages the entire 365 Security Stack for our clients. This means we're constantly monitoring alerts, prioritizing incidents, and responding actively, leveraging automation features where possible. We also play a crucial role in the onboarding process, setting up and integrating security solutions with our platforms for efficient alert management and incident response. Furthermore, we handle policy configuration and hardening, ensuring effective security controls are in place. We actively maintain these policies, fine-tune them as needed, and adapt them to new features and updates, collaborating closely with clients throughout the process. In essence, we own and manage the security platform for our clients, providing them with comprehensive protection and peace of mind.

Microsoft Defender XDR is working towards a unified identity and access management system. While currently, separate role-based access controls exist for different Defender XDR components, a major challenge is that some solutions remain tenant or subscription-based. However, Microsoft has a migration plan in place to address this. We can currently utilize both centralized and individual RBAC models, though it's important to note that the centralized approach is still under development and may not be as user-friendly as the individual models. Nonetheless, the centralized model offers fine-grained control over access permissions, which can be beneficial for organizations with specific requirements or concerns. For instance, we can grant or deny specific analysts the ability to automate remediation or isolation events or to modify security settings. While the level of detail can be overwhelming for those unfamiliar with granular access control lists, it ultimately provides powerful capabilities for managing access to Defender XDR. Overall, Microsoft is actively working to centralize all IAM under a single portal, demonstrating a commitment to improving user experience and access control.

Microsoft Defender offers two main identity protection solutions. Defender for Identity: This is their on-premise Active Directory security solution. It's essential for organizations with on-premise identities and helps analyze specific events within our local Active Directory. Microsoft has been investing heavily in this product, and it has improved significantly in the past year. The second is Microsoft Entra Identity, formerly Azure Active Directory Identity Protection: This is a cloud-based service ideal for organizations with cloud identities in the Office 365 ecosystem. It's almost a mandatory service if we want strong security controls for our open and centrally accessible platform. It excels with risk-based security settings, conditional access policies, and risk-based situations based on device type, compliance, location, and more. It's one of the best solutions within Microsoft 365 SAC due to its ease of implementation, rapid risk reduction, and extensive security features.

Microsoft Defender for Cloud's security reach extends beyond just Microsoft technologies. It analyzes data from various cloud platforms, including AWS and GCP, not just Microsoft Azure. This data feeds into the centralized 365 XDR dashboard, bringing together telemetry, alerts, and advanced features like AI, machine learning, and KQL query support for hunting threats. Defender for Cloud acts as a gateway to this broader security, integrating with individual solutions like app protection for Zoom, Dropbox, and ShareFile. These protected applications generate alerts and data that also flow into the 365 XDR dashboard, providing a unified view of our security posture.

The effectiveness of detecting lateral movement depends on the specific solutions in place and their proper configuration. I have a background in penetration testing, so I've witnessed this firsthand in various environments. Microsoft Defender for Endpoint, an EDR solution, offers a strong chance of preventing initial access, suspicious commands, and remote code execution. This, in turn, helps hinder lateral movement at its earliest stages. It also detects suspicious activity originating from external sources and even alerts on potentially compromised devices that aren't yet onboarded. Microsoft Defender has made significant advancements, providing both active monitoring and passive detection capabilities. For lateral movement specifically involving domain accounts, Defender for Identity, an Active Directory monitoring solution, is adept at detecting similar attacks. These include extracting golden tickets, keys, DCSync attacks, and more. Notably, recent advancements in October introduced artificial intelligence and machine learning capabilities to detect hands-on keyboard threat attacks. This feature is remarkably effective. In my most recent engagement, I successfully identified a known attacker who had compromised a high-profile account and promptly contained that user account. Containment restricts the account's ability to connect to external services. For instance, if the attacker logs in as that user, they're unable to access file shares, Outlook, or other services. This level of protection is challenging to achieve in today's complex organizational environments, as general detection methods often fall short. Behavioral analysis is crucial, and Microsoft has invested heavily in developing these capabilities within its solutions.

Defender's core strength against attacks lies in its ability to adapt to ever-changing threats. Specifically for endpoints, Defender Endpoint serves as the main defense line. It analyzes a wealth of data, beginning with endpoint detection and response through the Defender for Endpoint solution. This solution identifies suspicious activity, generates alerts, and analyzes them. Certain criteria, undisclosed by Microsoft, trigger incident creation when the likelihood of a real threat is high. Properly configured, these incidents automatically trigger investigations, replicating manual SOC analyst work. Investigation packages are collected, analyzing network connections, files, processes, and real-time entities for suspicious activity. Processes can be automatically executed or terminated, quarantined, and files isolated. Continuous monitoring persists until the investigation concludes and is marked as resolved. Additionally, Microsoft Defender continuously searches for and investigates potentially impacted devices related to the original incident, adapting its response as the situation evolves.

Many organizations are replacing their EDR solutions with Microsoft Defender, or upgrading from paid antivirus solutions. While I won't mention specific vendors, consider a common antivirus platform costing two to ten dollars per month for basic protection. We recommend leveraging the free Windows Defender Antivirus included with supported operating systems and adding an EDR solution. Defender Endpoint works seamlessly with native Windows Defender Antivirus, being embedded in the Windows TCP/IP stack, making it an excellent pairing. However, in most cases, both are still desirable. Generally, Defender for Endpoint catches 90 percent of threats, while antivirus covers specific signatures. Defender has made significant strides in endpoint security, so there's no need to underestimate its capabilities. The built-in Defender Antivirus offers many valuable features, and Defender for EDR further enhances them. Although numerous EDR players exist, and individual assessments are crucial, I find Defender for Endpoint very intuitive with excellent incident management. It also boasts a significantly shorter learning curve compared to other EDR solutions I've used.

I'm not utilizing Microsoft Defender XDR in the traditional sense for my organization. Primarily, it's our clients who are using it. It's a bit of a mixed bag. Some clients choose to use the solution even though it might be more expensive, but they gain enhanced protection for their investment. Others can reduce costs because they were previously overpaying for separate EDR solutions, antivirus platforms, and cloud monitoring tools without enjoying their full benefits. For these clients, leveraging the included features within their licensed package proves advantageous. It's fantastic that organizations with the E5 or E5 Security add-ons have access to these powerful features, often without even realizing it. We help bring them to light and enable clients to get them up and running effectively. So, in that sense, they're gaining significant protection and technically saving money.

The centralized dashboard is a huge time saver for several reasons. Previously, each security solution had its dashboard, making it tedious and time-consuming to jump between them and remember all the different URLs. Onboarding new team members was also a hassle, requiring me to curate a list of all the necessary URLs. Combining everything into a single unified dashboard eliminates these issues. Consolidating alerts into distinct categories (alerts and incidents) is another significant advantage. Simply dumping all alerts into one view is ineffective, as many organizations have discovered. Categorization saves valuable time by making it easier to identify and prioritize critical issues. Furthermore, the automated investigation capabilities of XDR in Defender for Endpoint offer significant time savings from an operational perspective. Features like user containment, device auto-quarantine, and native incident investigation workflows streamline the process of reviewing, analyzing, and responding to alerts. Additionally, the ability to collect investigation packages further expedites the incident response process. 

We use 365 Defender with Outlook, Teams, and SharePoint. Our organization extensively uses these products as do the clients we serve. Our goal is to secure those email, SharePoint, and Teams environments.

Our Microsoft security solution has helped eliminate having to look at multiple dashboards. For a wholesale view over the entire infrastructure, Sentinel is the place to go. But M365 Defender alone only covers 30 to 40 percent of the infrastructure.

We have saved a lot of time compared to having to do tasks with other tools. With Microsoft, it's easier for us to manage and handle them. It saves us about 40 percent of the time it would have taken us. That includes the automating of detection and response.

We use the standard Microsoft services and solutions for our entire IT infrastructure, so we leverage most 365 Defender services, including Sentinel, Defender for Identity, Defender for Endpoint, Defender for Cloud, Defender for Cloud Apps, and Defender for O365. We use all those solutions to secure our IT infrastructure and environments.

We deliver Microsoft services to users worldwide, including SharePoint and Exchange Online. Gmail is the one minor exception where we do something slightly different. 365 Defender currently covers 5,000 endpoints and between 10,000 to 15,000 identities. There are more identities than endpoints because we don't give everyone a company laptop. 

A larger organization absorbed my company that moved to Microsoft security products a little while ago, so it was natural to do the same at my company. The biggest benefit of going with Microsoft is that it's a huge company with lots of resources to put into security.

Most devices use the Microsoft's operating system and products these days. They get a lot of data from all those users, which helps them stay ahead of the competition. They process a few billion security-related signals daily, helping them deliver a better solution to us.

Introducing 365 Defender and Sentinel was the best decision we ever made. Many organizations have most of these components in place but aren't effectively leveraging them. 

They might be using a managed services provider that forces them only to use products from their partners. Still, they have an enterprise license with Microsoft that includes Microsoft Defender for Endpoint, which is part of the 365 solution. I think it makes more sense for people to use Microsoft security solutions too.

We can automate security tasks to a degree. There are several automation options, but it depends on the definitions of analytics rules, queries, etc. Microsoft provides many of those in its out-of-the-box catalog with many additional third-party queries that you can use. You can fully automate things as soon as you have your queries defined. Getting there might be a little difficult. 

Microsoft 365 Defender saved me from looking at multiple dashboards. There are still separate dashboards for Sentinel and 365 Defender, but the same alerts and incidents are generated on both consoles. The only difference is that 365 Defender won't show you anything you've customized on Sentinel. 

There is a separate Microsoft-specific intelligence dashboard that Microsoft keeps up to date. As soon as there is a specific threat that may affect our organization, it shows up on the dashboard, and we can see the sources of the attack, the path, and all the other information you need. It's useful, but I don't think our security operations center is using it. They only rely on third-party threat intelligence resources. 

We've saved time using 365 Defender because rolling it out is easy. The hardest thing is pushing it out to all the devices you are managing. Using a third-party device management solution might be slightly more complicated, but it's straightforward within the Microsoft ecosystem. 

I'm not sure how much money we've saved overall, but they previously used McAfee EDR for antivirus, which was costly. Most of our existing solutions are Microsoft, so we were already entitled to use Microsoft Defender for Endpoint. We weren't using Microsoft security solutions because someone decided they preferred McAfee many years ago. 

The McAfee contact was around a few million, and the full Microsoft enterprise license was also a few million. Using the security solutions bundled with the Microsoft license probably cut our costs in half.

It's hard to say how much our detection and response time decreased because we didn't have a comparable solution. Instead of going to a portal for McAfee or making Splunk ingest all kinds of profiles, we could dump all the data into a more analytical tool to get all these alerts.

We provide MXDR services. Initially, they are professional services such as setup and deployment, and then after that, we provide Day 2 services, which include working on the incidents and alerts the products generate, determining which one is a true positive and which one is a false positive, taking response actions, and maintaining a steady state.

We are expanding use cases with Defender for IoT integration. Now that the E5 license includes the enterprise IoT sensors, we are getting more of that telemetry to our SOC. Because most SOCs do not have that telemetry, it is something that we have had a couple of clients invest in. 

In terms of our in-house usage of this solution, there is not a lot of in-house infrastructure when it comes to workstations and things like that. As a security company, we are pretty infrastructure-light.

It helps with the well-rounded investigation where it does the automated investigations and does a lot of enrichment for you, so the SOC analyst does not have to play run and go fetch as much. They can go deeper into an investigation in a shorter amount of time.

It does not necessarily provide unified identity and access management. Most of that comes from Entra ID, but it absolutely provides security visibility. For identity protection, the combination of Azure Identity Protection and Defender for Identity in the same place is the most powerful part because it is your on-prem identity world and your cloud identity world. Those two things are connected in most environments. Most of the people who have issues or most Microsoft customers have hybrid environments. That means they have two IMs and a bidirectional trust. One is the old-school one, which is Active Directory, and that lets everybody in with a username and password, whether you are good or bad, and then the newer one is the one that has conditional access, and that is Entra ID. Most corporate environments have both, so you have all of the weaknesses of both systems in one nice little package. From a defensive monitoring standpoint, we get a lot of cases, and most clients have that situation. Most clients that we see for incident response, and who are dealing with whether they are going to have our business online tomorrow, are in that hybrid situation.

In terms of covering more than just Microsoft technologies, most of 365 Defender is focused on its own technologies. There is that extensibility to be able to bring in threat indicators. The Zeek integration in Windows provides a lot of functionality, but most of the time, when we are getting that third-party signal, it is via a SIEM. That is where we go look for that third-party cross-correlation signal. The XDR signal is in that 365 Defender portal, and using things like custom detections is helpful there, so you can do SIEM-like functionality, but not on a third-party data set. This third-party correlation is the logical place for Sentinel. Some of the federated search between the two and being able to see both datasets in both places relieves that pain. The vast majority of our MDR clients are using 365 Defender and Sentinel, but there are definitely people who have E5 licensing but still have QRadar, Splunk, or something like that. Sometimes, we have somebody who starts with just 365 Defender but has a Sentinel adoption plan because they have a year left on their QRadar contract. The cool part about Sentinel is that it is software as a service, so you can start small and then add to it. You can start with what we call Sentinel Light, which is basically just the free data connectors. A lot of times what people do is that they have E5 licensing in their contract, and they start with 365 Defender. They then start with free data sources in Sentinel and incrementally add server logs or Palo Alto logs as their budget allows them.

365 Defender has enabled us to discontinue the use of other security products. There is always realization in terms of whether we still need, for example, Tenable agents with 365 Defender TVM. The answer is probably not. Normally, it is building out that process where we are going to remove Tanium because we now have Intune, so everybody has that adoption roadmap. Typically, you go for the things that create the least amount of friction when you are going through that adoption roadmap and you save the things that are going to be painful, such as DLP, for the end. It is always about dollars. When it comes to security budgets, potentially, you are replacing five to six line items on your security budget with one. I have been getting extra functionality on top of it for Teams and things like that. When you make the business case to the decision-makers and you get all of the information at the table, it is normally a pretty overwhelming case.

The savings depend on what their actual spending is and how many other security vendors they are purchasing. For most information security professionals, half of their day goes into vendor meetings and maintaining those vendor relationships. You have active relationships, contract relationships, etc. You have all these different relationships, and you have to go out to their conferences, their dinners, and things like that, so you end up dealing with vendors all day instead of actually doing the work. There are two types of costs. There is that hard cost, which is pretty easy to define, and there is also that soft cost of what if you had this common security fabric that you could take, customize, and then add to it. That is what the Microsoft security play is. Instead of bolt-on security, it is built-in security, and then you can still add to it. You can still add custom tools like Velociraptor and all the other tools that complement the Microsoft security suite, but what you do not have to do is play with vendors all day and do the bolt-on security play, which is, "Install our agent and everything will be good. There will be 99% ransomware protection." That is not how real life works.

It saves time and brings operational efficiency. As threat hunters, looking for an initial compromised assessment, going into a SIEM, and looking through a SIEM can take a lot of time. With 365 Defender, I can run four or five queries on you, and if they light up, I know you have problems. If they do not light up, you are probably alright. It is about being able to get there relatively quickly and assess the situation. Should we go ahead and send out the notice and call the general counsel, or is this just a little thing we need to run down and keep traps on? The time saved depends on where they are coming from. If it is a relatively old school company that has got an old school SIEM, and then they have a next-gen antivirus and a separate EDR solution, they could be doing 100% manual investigation, so it is saving them 300% because the chances are that they were not even investigating all their alerts.