Microsoft Defender for Cloud Reviews

Defender for Cloud is used for scenarios, including internal threats, threat hunting, in-depth analysis, and scanning the environment. We don't use Microsoft Defender for ATP or Sentinel for our security score, we have a third-party solution.

Defender helps us evaluate our security posture and make it more secure by providing a wider overview of endpoint security and anti-malware technology. We have greater visibility into all the activity happening within the infrastructure and better oversight.

It helps us catch threats that we wouldn't have noticed and also enables us to be more proactive. For example, we can run a script within the environment and provide better insights. Defender increased the efficiency of our SOC by around 65 to 80 percent.

At my previous company, the environment was 100% cloud, so having a cloud-native solution was critical. Also, in a cloud environment, you are exposed to many users with different user behavior patterns also, so it's good to have UEBA features that look at patterns in user behavior.

The unified portal provides a gap analysis of what's going on across the environment with users, and what they do across the environment every day. Having that single pane of glass is essential.

Defender is occasionally unreliable. It isn't 100% efficient in terms of antivirus detection, but it isn't an issue most of the time. It's also somewhat difficult to train new security analysts to use Defender.

I used Microsoft Defender for two years at my previous company.

Defender for Cloud is stable.

Defender for Cloud is scalable. It's easy to use and manage for large environments.

When I joined my last company, they were already using Defender. However, I've worked at several companies that use other solutions such as ESET, CrowdStrike, etc. I've previously worked with EDR and XDR solutions. 

I've done a couple of POCs for Microsoft Defender with the company, and the process is always the same. We don't deploy everything into live environments. It is deployed to a testing environment. After we test a couple of times, we undergo a complete training process. Finally, we organize and deploy it to a section of the company. We usually deploy one segment at a time, like finance, marketing, etc. 

If you have ATP Defender, you must set up a data lake. After deployment, there isn't much maintenance on our end besides managing the logs. You must create scripts for your use cases to inject into the solution. The deployment team typically consists of two people from security, two from infrastructure, and the service desk manager. 

I don't typically handle the licensing. I do POCs and product evaluations. However, I know that Defender for Cloud is packaged with other Microsoft solutions. Most people with Defender ATP also have the E5 or F5 license. It comes with the package, so you only need to activate and configure the solution.

I rate Microsoft Defender for Cloud a seven out of ten. Most of the time, it isn't the most advanced antivirus software on the market. It isn't a highly complex solution. It's something that a lot of analysts can use. Defender gives you a broad overview of what's happening in your environment, and it's a great solution if you're a Microsoft shop. 

Defender acts as a CSPM solution, a post-share management solution for cloud security. We use it to find weak spots in our cloud configuration and strengthen the overall security posture of our cloud environment. With this particular tool, we seek to protect workloads across various environments. We have about 3,000 endpoints and 100 users in the United States alone. 

Defender gave us more substantial visibility into our security, helping us increase our overall security posture and manage risks throughout the entire organization. It helps us make decisions about specific kinds of risks. If we see a glaring vulnerability, we can determine whether this is an acceptable risk or something that requires urgent action. The risk level determines our investment and budgeting, and the amount of work needed to remedy that. It provides a lot of valuable information for informing our comprehensive risk management strategy.

The solution does a pretty good job of finding previously unknown threats. It helps keep us aware of the kinds of threats that are out there and how we could potentially be impacted. Defender gives us a high level of information about unknown or zero-day threats. It's sometimes hard to gauge whether everything is there because the report is customized based on our infrastructure and what might be pertinent to us.

They've always notified us when there was a zero-day threat. I think there have been a few instances where they altered us about a new threat before it was publicized, which is a good sign that they value us as a customer. They've warned us about something before releasing it to the wider public.

Defender improved our SOC efficiency and saved us from having to add more personnel on the SOC side. It definitely improved that whole area, giving us the bandwidth to work on other things. Defender reduced our detection time because they are proactive about notifying us. I haven't seen too much of a time lag. There were a few instances, but it was never something critical where we had to call them out and ask if this was an issue or something. 

Time-to-response has also gone down. The sooner we get the notification, the quicker we can jump on something. It helped us respond to any potential breach or attack faster. 

It also saved us money because we don't need to deploy a second product to get some additional coverage. It also saved us from adding more security staff. Overall, it has had a positive financial impact on the company. 

The vulnerability reporting is helpful. When we initially deployed Defender, it reported many more threats than we currently see. It gave us insight into areas we had not previously considered, so we knew where we needed to act.

Defender's ability to protect multi-cloud environments is essential for us. Our company's offerings are based on tasks, and these cloud service providers are critical infrastructure for us. If anything bad happens, it compromises our services. We need to understand and improve our posture.

It also seamlessly integrates with Sentinel. It was fairly easy because we already leveraged Microsoft 365 earlier, so adding the Sentinel piece was pretty quick. It took a day to figure out and go ahead with the actual deployment. This integration with 365 and Sentinel provided timely intelligence over time. It becomes a problem if we don't get a threat notification in time. They are highly proactive about delivering that information in the initial alert and backing it up with more details as the situation develops.

Microsoft has a relatively sizeable threat-hunting group constantly digging up many things. That helps because it gives us confidence if we face some threats that not many other players are exploring. With this particular product, we're confident they'll let us know where we stand. 

Microsoft sources most of their threat intelligence internally, but I think they should open themselves up to bodies that provide feel intelligence to build a better engine. There may be threats out there that they don't report because their team is not doing anything on that and they don't have arrangements with another party that is involved in that research. 

Opening up to more collaboration with different entities in the private or public sector would help them feed more information to the customers and improve their security posture. More partnerships with other players who can feed them intelligence will help them develop the engine powering this product, ultimately benefiting every customer who uses it. 

I have been using Defender for Cloud for about a year and a half. 

We've had a positive experience overall with Defender's unified portal. We seldom see any bugs. Sometimes, there is a lag in the reporting and some inconsistencies with our searches, but it's rare. There were some periods when their service was not running properly.

While there hasn't been a significant outage, we've experienced some performance degradation where Microsoft notified us that they were having a problem. They informed us ahead of time when there are issues, but I've never had a complete outage thus far. 

Defender for Cloud is scalable, given the licensing model. The performance doesn't suffer under a heavy workload. Many organizations I know have a massive workload, and they're still leveraging Defender without any issues. I rate Defender an eight out of ten for scalability.

I rate Microsoft support an eight out of ten. Their support is great, so we have no complaints. They were responsive when we had issues.

Positive

We used SentinelOne only for endpoint threat detection. That's probably the closest competitor. We haven't used any other solutions besides that. 

Setting up Defender for Cloud was relatively straightforward. We worked with a person assigned from Microsoft, who gave us a walkthrough of the steps we needed to take.

Defender doesn't require much maintenance after deployment other than a few pieces of infrastructure we have internally. We need to monitor the solutions to check alerts and security advisories, but we've never had to deal with any maintenance.

We ended up using a reseller. They were good. I used them for other vendors, and we've had a productive relationship working on multiple initiatives. This one was nothing new. 

They have a free version, but the license for this one isn't too high. It's free to start with, and you're charged for using it beyond 30 days. Some other pieces of Defender are charged based on usage, so you will be charged more for a high volume of transactions. I believe Defender for Cloud is a daily charge based on Azure's App Service Pricing. 

It's a negligible cost if your usage isn't that high, like a few cents. It's appealing for people to try it. If you don't plan to use it much, you won't have a high bill.

Other options were considered, but it came down to the level of value we would get from a holistic vulnerability intelligence product like Defender for Cloud. Also, Microsoft products are pervasive, with a much broader customer base. That was a deciding factor. We saw much more potential from Defender compared to the alternatives. Even though the competition solutions may have functioned better in terms of providing more intelligence, other factors weighed in favor of Microsoft Defender.

I rate Microsoft Defender for Cloud an eight out of ten. I recommend doing a PoC. You shouldn't implement something after only reviewing the documentation and marketing materials. Put it through a PoC for a month at least to get a feel for how it functions and whether it satisfies your requirements. 

We use Microsoft Defender for Cloud security, including endpoint detection and response, and user monitoring. We utilize every feature and functionality that Defender provides.

The threat detection capabilities of Microsoft Defender for Cloud have positively impacted our overall security posture. We can sleep soundly at night knowing that it is causing the system.

The most valuable features are the monitoring of users, endpoint detection and response, and the adaptability of the AI threat intelligence engine, which quickly adapts to customizations.

The pricing could be better. Additionally, while Microsoft Defender for Cloud adapts well to customizations, it does generate a lot of false positives if the agent is not running. We would also appreciate portion management specifically for Microsoft 365.

We have been working with Microsoft Defender for Cloud for three years.

Most of the features are in preview, which sometimes causes issues, but overall, it works well.

Microsoft Defender for Cloud is highly scalable. We have not faced any challenges with scalability.

Microsoft's documentation is very comprehensive, resolving 95% of issues. Thus, we haven't had much need to engage their support team. The documentation is sufficient for resolving most issues.

Positive

We handled the installation in-house with a team of two engineers.

The solution is subscription-based, and while it is generally affordable, there are often hidden costs. The overall pricing could be more competitive.

I highly recommend the product due to its comprehensive features and easy management, especially if your stack is on Microsoft. I'd rate the solution eight out of ten.

I use it for managing our customers' server vulnerability assessments for regular and SQL servers. I also use it to get a security score for the resources of our customers that are on Azure, as well as security posture management. 

We also have regulatory benchmarks to audit our customers' resources that are on Azure to check whether they're meeting regulatory standards like ISO 27000.

It has enabled our organization to have an organized approach to, and quick visibility, or a bird's-eye view, of the current security portion. The way the portal organizes things has allowed us to focus on the specific vulnerabilities and security gaps that have to be fixed quickly. It gives us flexibility on what we should be checking on.

Defender for Cloud has helped us reduce or close some of the key security gaps of our main assets on the cloud. It has also helped us comply with some of the regulatory compliance standards, like CIS and ISO 27000 because of its main features. And it has also helped us in terms of threat detection and vulnerability management.

Another benefit is that it has really helped detect some of the Zero-day-model threats. We've also been able to utilize the automation features to investigate and remediate some of the threats that have been discovered. It has improved the time it takes to remediate threats, mainly because of automation. The logic apps that we've been able to set in either Sentinel or Defender for Cloud are the main components that have really improved that efficiency, and the time needed for remediating threats.

The time to respond is near real time, if the logic apps are in use, because it's just a matter of putting the playbooks into action. This is something that we've tested and found is quite effective for remediation.

The solution has also saved us money over going with a standalone solution where you purchase licenses for servers for a whole year. Now, we pay only for the servers in use. With the subscription-based model for servers, you're only paying per hour and only when the server is being utilized.

The main feature is the security posture assessment through the security score. I find that to be very helpful because it gives us guidance on what needs to be secured and recommendations on how to secure the workloads that have been onboarded.

Another component, although I can't say it's specific to Defender for Cloud, is that the onboarding process is easy. I find that helpful compared with the competitors' solutions. Onboarding the resources into Defender for Cloud is quite easy.

Also, we have integrated Microsoft 365 and Microsoft Defender for Cloud with Microsoft Sentinel and the integration is actually just a click of a button. It's very easy. You just click to connect the data sources and Microsoft Sentinel. Having them work together is an advantage. I like the fact that the main threat notification console has moved to Security Center so that we don't have to go into each of these solutions. It's beneficial having the three solutions working together in terms of the investigations that we have been doing with them.

The threat intelligence is quite good at detecting multi-level threats. If, for example, you integrate Defender for Endpoint and 365 and Defender for Identity, the threat intelligence is able to grab these two signals and provide good insights into, and a good, positive view of the threats.

The solution's portal is very easy to use, but there's one key component that is missing when it comes to managing policies. For example, if I've onboarded my server and I need to specify antivirus policies, there's no option to do that on the portal. I will have to go to Intune to deploy them. That is one main aspect that is missing and it's worrisome.

Defender for Cloud, as a solution, allows you to manage and protect servers from vulnerabilities without using Defender for Servers. I find it a bit weird, if you are to manage the antivirus for servers on the portal, that you can't deploy the antivirus policies on the same portal. For instance, if you want to exclude a particular folder from an antivirus scan or if you want to disable the antivirus from the portal, you'll not ideally do it on the portal. That's a huge part that is currently missing.

Also, some thought has to be put into the issue of false positives. We've been seeing false positives that are related to Sentinel through the integration. We have been giving them this feedback, but I don't know if that is something that Microsoft is working on.

The time for detection is one of the things that we were also supposed to raise with the Microsoft team. There is a slight delay in terms of detection. That "immediate" factor isn't there. There's a need to improve the time to detection. When malware has been detected by Defender for Endpoint, we find that it takes approximately one to two minutes before the signal reaches Defender for Cloud. If that could be reduced to near-real-time, that would be helpful. That's one of the key areas that should be improved because we've done some simulations on that.

I have been using Microsoft Defender for Cloud for three years.

It's quite stable. In my experience, there have been no issues with the stability.

Because we have Premium Support, the support is quite okay. We are able to get answers to most of the queries that we raise.

Positive

The initial setup is quite easy, especially if it's for non-servers. It's just a matter of enabling and disabling servers, using the Azure app.

And the solution doesn't require any maintenance on our side.

There are improvements that have to be made to the licensing. Currently, for servers, it has to be done by grouping the servers on a single subscription and that means that each server is subject to the same planning. We don't have an option whereby, if all those resources are in one subscription, we can have each of the individual servers subject to different planning.

There's no option for specifying that "Server A should be in Plan 1 and server B should be in Plan 2," because the servers are in the same subscription. That's something that can be fixed. 

Also, there needs to be a clear description by Microsoft for those customers who have Defender for Endpoint for Servers and Defender for Servers because now they don't know which subscription they should purchase.

I've used many solutions, but Defender for Cloud is in its own class. You can't compare it with third-party solutions because those solutions either have a third-party antivirus or they're not integrated in the same way as Defender for Cloud is. Because Defender for Cloud integrates multiple solutions within it, like Defender for Endpoint, other workloads, and the firewall manager, it stands on its own as a single solution that contains all these solutions. 

We use Microsoft Defender for Cloud as one of the sources for our Azure environment. We have a managed detection response solution, and we add data sources to it, like SOC, SIEM, and SOAR solutions. We also want to have data in our Azure cloud environment.

We deploy this solution in multiple regions like Europe and Oceania.

We have multiple solutions like our data analytics platform and our system development platform. Our web shops use it. Almost everything is in the cloud.

We have approximately 2,000 end users.

The solution is deployed on the Microsoft Azure cloud.

The solution helps our teams to be more aware of security and protects our environment.

Most importantly, it's an integrated solution. We also use Defender for Endpoint. For Office 365, we use Defender for Identity. 

We have integrated some of these products into our MDR solution. It's not a Microsoft Sentinel SOC, but we have a SOC/SIEM from a third party.

It's really easy to integrate because it's just an interface, a Microsoft Graph security API. We can collect all the data and forward it to our solution.

This solution is for detection and response, so it helps us prepare for potential threats. We have special teams for threat hunting the data.

We use this solution for extra security in our environment. We secured our Azure cloud environment with firewalls and application gateways, but we also want to have trust in our resource groups. That's an extra line of defense for our security.

We don't use the interface a lot because we use it as a data source for our MDR solution. The MDR solution is our main interface.

These solutions work natively together because we don't just use Microsoft products as a data source. We use all kinds of security products as data sources, like our firewalls, gateways, and event collections from Windows and Unix.

Threat protection is comprehensive and simple. We have an enterprise agreement with Microsoft itself, but we also have CSP contracts with several parties, so we can easily get the licenses we need. It's very easy to install.

Sometimes it's very difficult to determine when I need Microsoft Defender for Cloud for a special resource group or a special kind of product.

In Defender for Endpoint, the software is capable of acting immediately if something occurs. If an attacker wants to encrypt the disc, for instance, we're able to react immediately. I don't know if Defender for Cloud has the same capabilities.

I have used this solution for about a year and a half.

At the moment, I think it's a very stable solution. We haven't had any problems with it.

It's scalable.

From Microsoft's perspective, it's fine. We don't have any issues at the moment.

I would rate technical support an eight out of ten. 

The initial setup is straightforward. It took 10 seconds.

We have a Cloud Security Provider, so I don't know how much time they spent on deployment.

The solution hasn't required any maintenance yet. We are trying to innovate each solution. It's an ongoing business process to innovate.

We haven't seen ROI yet, but we plan to. The first sign is safety first. Safety will cost money, so it shouldn't be too much.

Pricing is difficult because each license has its own metrics and cost.

We evaluated other options. We have a lot of other products like McAfee, but we are changing everything to Microsoft Defender.

We decided to switch because we want to have an overall standard that's enterprise-wide so that everything is easier to manage and the data it delivers is all the same. We wanted to have one view of everything.

I would rate this solution an eight out of ten because we don't use all of the capabilities yet. At the moment, we still only use the data sources. I'm happy with it so far.

Instead of a single vendor security suite, I like having at least two so that they can challenge each other.

Microsoft Defender helps us prioritize threats across our enterprise, but we only prioritize our high-risk resources with Defender products.

It's difficult to say if the solution saved us time because we use it for our Azure cloud environment, so we're working in the cloud.

At the moment, we're not saving money. The solution costs our company money. It's like having insurance: It doesn't save costs, but it might save us costs if something happens. It's about risk.

It hasn't decreased our time to detect and respond yet, but it should be because we have our data source on Endpoint and in the cloud. It's an integrated solution. When we find something anywhere, we can act everywhere. We have more possibilities.

We use Microsoft Defender for Cloud for our cloud security.

I like Defender's bidirectional sync. It's a behind-the-scenes feature, but it's very important. I like how it's integrated with and collaborates with other products by design. This is especially true between Sentinel, Security Center, and Defender.

The entire Defender Suite is tightly coupled, integrated, and collaborative. This allows me to have more flexibility in the roles and responsibilities of my teams, the access to their tooling, and the ability to report accurately on the current threat posture. For example, if I have Sentinel and CloudApp, and someone closes an incident in CloudApp, it will also close in Sentinel. However, if I had CloudApp in Splunk, this would not be the case. This integration is what I like.

The documentation could be much clearer. I also think that Microsoft should stop rebranding everything constantly. I'm tired of every name changing every 90 days. It's ridiculous. I understand that they're coupling tools together but look at AIP. It has had over 14 names in the last five years. That's absurd. Microsoft needs to stop rebranding everything and stick with one brand. They can build them out from there.

I like the fact that the dashboards are integrated, but I don't like that the CloudApp is now mapped to the Security dashboard. I hate that. I should be able to map dashboards myself. Having one dashboard is great for some people, but I have people who do Endpoint Management and they don't do Incident Management. They're two different groups. I should be able to send them to different portals if I want to. They're not all working out of the same portal. I do like that the dashboards have the option to be put into one portal, the Security portal, but I don't like that now I have to figure out where Microsoft moved everything. I liked it better when they were separate, so I could isolate and assign groups to each tool. Now that they're putting all the portals together, it's more complicated. I like the idea of a single pane of glass, but I think they're adding too much change too quickly without explaining the main purpose or mission of each product. And they're not making a clear distinction between them. When we put them all in one portal, it just adds more confusion. For example, in CloudApps, I see incidents in the "Incidents" section, but in the new Security portal, incidents are not in the CloudApp section. People don't need to search for stuff. They knew how to do it before. Microsoft needs to stop changing things so often. I believe in change, but not every other month.

Defenders threat intelligence is useless, I think, because it didn't see SolarWinds coming. After SolarWinds, if we even mention their analytics and threat intelligence, it's just evidence that it doesn't exist. It didn't even see SolarWinds coming. The only value I see in their threat intelligence, from a marketing perspective, is that it allows me to leave logs in their native location and tell clients to leave them longer. So if they find something like SolarWinds later on, they can go back and look through older logs and find it again. After SolarWinds, I'm not impressed at all by anything Microsoft says about their multi-billion dollar login.

I have been using Microsoft Defender for Cloud for over ten years since it was part of the Defender Suite.

We have not had any complaints from our clients about the stability of Microsoft Defender for Cloud.

I've questioned Microsoft's claims about the scalability of Defender for Cloud. I don't think their claims are accurate. I don't think we could scale Defender for Cloud to the level that Microsoft claims. Microsoft tells me that I could let my Log Analytics scale, but I think there must be a limit.

We have always had good experiences with the technical support through the portal.

Positive

The deployment is easy as long as we understand the licensing and what we are doing. The deployment was completed as a team.

Our clients complain about the cost of Microsoft Defender for Cloud. Microsoft needs to bring the cost down. What we're doing to their detriment is simply lowering the amount of log retention we're keeping, which is not what I want to do. Storage is so cheap in every other aspect of Azure except for Log Analytics, which makes it even more difficult to explain to clients why we're charging them so much for terabytes of storage. In comparison, data lakes and storage accounts store terabytes of data for much less cost.

I would rate Microsoft Defender for Cloud eight out of ten, mostly because of documentation and availability of information. The difference between the Azure Active Directory Premium P1 and P2 licenses lies not only in their capabilities but also in the amount of logging that is performed for each user. I need to know what is and is not being logged, and which security events are not being logged. I can't find a list of these events anywhere. What is the difference between a one-year retention license and a 180-day license? What additional logging is performed with the one-year license? Microsoft has mentioned that advanced auditing is occurring, but I don't know which events they are getting. I would like to see a list of all the events that are logged, from least to most. This list would probably look like a triangle, with a few items at the top and more and more items as we go down. I would like to see this list for both the AAD Premium P1 and P2 licenses. I can't get this list. My client has asked me what events we are not capturing, and my answer is that I don't know because I can't find it. Microsoft won't give me a list of the events that are logged, either. They can only reference the services that the events map to. I want to know the events. The uncertainty and doubt around this is a security feature. Microsoft is trying to make me buy the product because they know that if I get hacked, I could be liable for malpractice. But I'm not going to buy it without more details. I'm very upset that they didn't provide more information.

Our use case for the solution is focused on cost management and security in a multi-cloud environment. We use it alongside solutions like SIEM tools and deploy it as part of a broader security strategy.

The platform has improved our security posture by providing comprehensive threat detection and response capabilities. It helps in managing security across various environments effectively. However, we occasionally encounter issues when on-site products conflict with this solution.

The product's most valuable features offer the latest threat detection and response capabilities. These features are crucial for our SMB customers, especially given the high inflation in Turkey, which impacts cost considerations.

The product's advanced analytics and reporting features could be improved.

I have been using Microsoft Defender for Cloud for about three to four years.

The product performs reliably across various environments.

The platform's scalability is excellent. It is well-suited for both small and large organizations.

The support team is responsive and offers valuable assistance.

Positive

The initial setup can vary in complexity depending on the existing environment and the number of users. It's relatively straightforward for smaller setups, but larger deployments can be more complex.

We handle the deployment and integration ourselves.

The solution's ROI is positive, given its comprehensive security features and integration capabilities, which justify the investment.

The product's pricing policy is generally favorable.

We evaluated other options, but Microsoft Defender for Cloud was chosen for its strong integration with other Microsoft products and comprehensive feature set.

The solution is robust, but staying updated with the latest features and best practices is crucial to maximize its benefits.

Overall, I rate it a nine out of ten. 

We use Microsoft Defender for Cloud primarily for cloud security management, which includes vulnerability management. In a security environment, managing vulnerabilities is a top priority. Defender for Cloud helps identify and mitigate these vulnerabilities and protect against threats like viruses, worms, and spyware.

It offers virus management and addresses threats such as viruses, worms, spyware, and other critical security concerns.

Support needs to be highly responsive, especially in large enterprise environments. When support is required, it must be immediate, as there could be urgent situations. For instance, prompt resolution is essential if there's a critical issue like a global cyber threat that impacts networks worldwide.

If our team encounters such a problem and needs assistance, we require a support team that can provide immediate, hands-on help to resolve the issue effectively. Quick and expert support is crucial for managing high-level emergencies and ensuring smooth operations.

I have been using Microsoft Defender for Cloud for 25 years.

It is useful for small companies as well. It provides robust security without requiring a dedicated, highly qualified team to manage it.

The solution is scalable. It is suitable for large enterprises. 

I rate the solution’s scalability a ten out of ten.

The solution is easy to setup and configure.

Deployment of Microsoft Defender for Cloud is typically based on the infrastructure size, including factors such as the footprint, network, and devices that need protection. When deploying Microsoft Defender for Cloud, agents must be installed on various devices within the network, including servers, desktops, and other appliances that require protection.

Specific government protocols and security standards must be followed in a secure environment. Microsoft Defender for Cloud helps manage vulnerabilities in your cloud infrastructure. It offers protection against threats such as worms, spyware, and viruses. The tool provides continuous monitoring and real-time threat detection, which is essential for maintaining a secure network environment.

Overall, I rate the solution an eight out of ten.