Microsoft Defender XDR Reviews

We implemented Defender two and a half years ago, utilizing it in a passive mode with only the sensor active for data collection and basic EDR results. Although it has been running on all devices, we are currently in the process of making the final transition from the existing setup to fully leverage Defender as our EDR solution.

We utilize analytics on both iOS and Android platforms, and it holds significant importance for us. Compliance with mandates, often stemming from executive orders, requires meeting specific contract requirements. In response, we employ analytics to implement and maintain controls consistently across various device types. The capability to adapt to emerging threats is of utmost importance to us. We lack the time and resources to constantly learn about new indicators and threat actors. We expect that the threat intelligence from Microsoft and other providers seamlessly integrates into the system, enabling automatic updates based on the current global threat landscape. The unified single pane of glass is a significant benefit. It consolidates everything into one interface, eliminating the need to navigate through multiple portals for information.

The greatest value lies in integration, I believe. The ability to integrate and observe a more cohesive narrative across the products is crucial.

There are still some components, such as vulnerability management within the vendor product, where improved integration would be beneficial. Currently, it's not visible in the same interface, requiring us to search elsewhere to access that information. While it has streamlined data collection and retrieval, there's still room for improvement in terms of user-friendliness for certain individuals. While the ultimate goal is to enhance security, there's room for improvement in terms of pricing.

We are currently in the migration process from Sophos to Microsoft Defender.

It offers high stability.

The backend infrastructure and structure in place seem to be easily scalable to meet our requirements.

Customer service and technical support vary. Opening support cases for different components within the security stack or Microsoft entity often reveals that first-level support is lacking. It typically takes two or three weeks to get an escalation, and by then, the issue may have resolved itself. Escalations are challenging, as first-level support struggles to comprehend the problem, leading to repetitive discussions. I would rate it four out of ten.

Neutral

We transitioned from Sophos to Microsoft Defender primarily due to cost reduction and the elimination of duplicated technologies.

The initial setup used to be complex, but now it's much more streamlined.

We follow a phased approach for deployment, beginning with a proof of concept pilot. However, our main deployment cycle revolves around Defender, facilitated via Intune, where all devices are managed. Building the package and incorporating scripts into Intune is the key process for the sequential implementation, which has evolved over time. Maintenance involves keeping pace with changes, not just patching. Microsoft has significantly improved patch cycle management, but dealing with the constant stream of changes they introduce remains a challenge.

It proved to be effective in cost savings. Our return on investment is tied to the existing investment in the current SKU. We anticipate not only recouping the dollars spent but also gaining the advantage of a unified interface, a single pane of glass. This consolidation allows us to streamline our operations, saving valuable time and effectively reclaiming productivity that would otherwise be spent navigating between different platforms on a daily basis.

When seeking a security suite, even with an E5 enterprise license, additional purchases are still necessary. The license cost for a year is approximately forty-four thousand, and this annual saving is a significant factor in our decision to switch.

In the past, we explored alternatives such as Carbon Black and Cylance, particularly for their machine learning and AI components, which were quite innovative at that time, approximately three years ago. However, our approach has evolved, and we've shifted significantly towards the Microsoft Stack. The decision is influenced by our existing environment, where we can readily assess the capabilities available within Microsoft.

The critical aspect is comprehending your existing setup. During our migration, we opt for a like-for-like transition instead of going for something entirely new, as the latter could be disruptive to some processes. Defender offers extensive capabilities, but understanding where to begin is crucial to avoiding disruption. Start with a like-for-like migration and plan the subsequent ramp-up to align with its capabilities. Overall, I would rate it eight out of ten.

It is, of course, an antivirus tool. I work as a lead for a SOC team, and it's our job to monitor all the endpoints in our organization. We are looking for any unusual activity happening on the devices, and Defender monitors them.

If there are any changes or unusual activities, it triggers an alert. An analyst will pick up the alert from the Microsoft 365 Defender and go through the timeline to understand what triggered that alert and whether to categorize it as a security incident or not. Some of them turn out to be false positives, and some turn out to be true positives.

We use it for other tasks like IOC management. In the cyber world, different applications have different vulnerabilities. If an application is used in our organization, we make sure all the IOCs, whether hash values, malicious IP addresses, or malicious domains, are blocked in the Microsoft 365 Defender.

It has given us a very wide range of visibility over the endpoints and it's easy to manage. If I see a threat or an attack pattern emerging from a certain location, I can easily isolate those endpoints at a very quick pace. That has pretty significantly improved our proactive measures when it comes to security in the last three years.

Apart from that, it gives us an overall picture, and not just of the endpoints. It has identity and access management and an email security module as well. If there is anything related to phishing or spam emails, we can analyze that in the same portal. We don't have to rely on multiple portals. It's just a single pane of glass where everything is visible. It gives us a clear picture and our visibility has increased a lot.

Another thing I like about Defender is that if a threat is detected, it starts the investigation by itself, by running the scans on itself, trying to isolate the device, and determining which IP addresses or websites it is connecting to. It gives us a detailed picture. All we have to do is make sure all these are blocked. But the initial triage and investigation are pretty much done by Defender itself. That is one of the significant areas of improvement for us, which I definitely like about this product. Automation is one of the key features in Defender, which saves us a lot of time. Sometimes, we don't need manual intervention. It does its job automatically.

If an analyst would take 40 to 45 minutes just to understand what was going on with respect to the alerts that were coming in with the product we were using previously, 365 Defender has reduced that time by half, by 20 to 25 minutes. That is a pretty good improvement. When you're working in a cyber security environment, you need to be very quick to respond because, in a matter of minutes, you'll be firefighting. And that's not what you want.

Among the most valuable features are the alert timeline, the alert story, which is pretty detailed. It gives us complete insight into what exactly happened on the endpoint. It doesn't just say, "Malware detected." It tells us what caused that malware to be detected and how it was detected. It gives us a complete timeline from beginning to end. It gives us a pretty detailed overview of the timeline of the attack.

Another benefit is that Defender absolutely stops lateral movement or advanced attacks like ransomware. The MITRE ATT&CK framework is pre-integrated, and all the use cases or categories that have been defined in Microsoft Defender are based on that framework. Lateral movement is part of that. There are multiple cases of lateral movement available in Defender, and ransomware, of course, is one of them.

We also have threat analytics in the solution. If there is a zero-day attack, it gives us the information. As of now, we haven't seen any impact on our devices. If there is any impact, it shows us, and we can take action accordingly. Those aspects work pretty well.

The only problem I find is that the use cases are built-in. There is no template available that you can modify according to your organization's standards. What they give is very generic, the market standard, but that might not be applicable to every organization. For example, an organization might look into an alert in a different way, not in the way Microsoft provides. There is no way to modify a template according to your needs, and that is something that I really don't like.

Those kinds of alerts are generating too many false positives for us, creating additional overhead. For example, part of the identity and access management is called "impossible travel activity." It generates false positives for us but there is no way I can modify the rule they have given that causes alerts. I cannot use that template or create a new one using that template, which I then modify to fit my organization's standards.

When we raised the issue with Microsoft, they said, "It's a product feature. What you are requesting is a product enhancement. We can take your request, but we are not sure when it's going to happen."

I have been using Microsoft 365 Defender for almost three years.

I have not observed even one time that the tool has lagged or crashed.

It is pretty scalable and user-friendly. There are no issues with the scalability.

We have raised a few tickets for cases we needed assistance with. Their support is good. The response is good. Sometimes, the challenge is that an issue might be a high priority for us, but they might not consider it a high priority based on their understanding. Their severity levels vary compared to ours. That's fair, of course. It's not something I am complaining about. Overall, the response from their support is always positive.

Positive

We were using McAfee ePO, but we have completely stopped using it now that we have 365 Defender. Discontinuing McAfee has definitely reduced manual correlation. Most things are automated in the Defender portal, so if a high-severity alert comes in, an automated investigation is triggered. That is one of the key features.

Irrespective of whether your organization is a mid-sized company or a big company, Defender is pretty scalable and very easy to use. As a cloud solution, you don't have to worry about it crashing. The alert timeline is pretty detailed. It catches most of the threats out there. You don't have to worry too much if there is a new threat because Microsoft makes sure that it is already addressed by Defender. If something comes up, it will sound an alert.

If you are looking for a nice antivirus product that doesn't take up many of your endpoint resources—compared to other antivirus software on the market, some of which take huge resources from your machine—it comes built-in with Microsoft. You don't have to install anything.

It's a cloud deployment, so I don't think there is any maintenance required from our end, unless there is a policy change requested at the organization level.

The platform provides unified identity and access management. When I started using it three years ago, that was a separate product. It was under Azure Cloud App Security. Now, they have integrated into Microsoft 365 Defender. We can see identity and access management-related alerts in Defender. Identity protection is something we have not explored that much. Our main focus lies on the endpoint.

Still, it's good to have it in Defender itself because it comes as a complete package. Just because we are not actively using it doesn't mean it's bad. It gives us detailed information, but we are working on the endpoints, focused on the device side. But if a brute-force attack is happening, it comes from a specific device. We don't have to rely on multiple portals to get that information. Everything is available in a single window, because we have that user information. You also see user access to devices and check if there are any malware-related alerts on that device. And that information is in the same portal. Integrating identity and access management in the same portal is a pretty good feature rather than having a separate feature altogether.

It has helped us identify a lot of loopholes within our environment and mitigate risk. It has improved user experience as well.

The visibility into threats provided by the solution is amazing. If you have Sentinel, you can integrate it with Microsoft 365 Defender. You can then access all of the logs at once with a code. You would be able to quickly analyze and react to any threat.

We are able to prioritize threats with this solution. Depending on the type of license you have, you will be able to access different capabilities. We place very high importance on prioritizing threats because the easiest way to get attacked is through the user or the endpoint. You must have multiple layers of security.

We use several Microsoft security products such as Sentinel, Defender for Office 365, and Microsoft Defender for Cloud Apps (Cloud App Security). Microsoft has the highest form of integration, so these solutions integrate in a straightforward manner. Once Microsoft Defender for Cloud Apps is unlocked, you can connect to third-party applications as well.

These solutions work natively together to deliver coordinated detection and response. The threat protection that these Microsoft security products provide is comprehensive and very effective.

We use Microsoft Defender for Cloud and make use of its bi-directional sync capabilities. It gives us access to reports and makes reporting much easier as well.

Microsoft Sentinel enables us to ingest data from our entire system. Data ingestion is very important to our security operations because it makes it easy for us to know if there are any vulnerabilities or threats. It flags it, and we can analyze it and also create a query, which brings to light threats. We can then mitigate the threat or attack breach on the device.

Sentinel enables us to investigate threats and respond holistically from one place. It makes life easier for us and helps us not to be caught unaware. There are many forms of alerts that notify you immediately of any threats. You can set up automations, which might even fix the issue or mitigate the issue immediately without the need for intervention. That is, you can create a rule to automatically fix a particular problem.

Sentinel captures a lot of logs, and you'll be able to create action plans through the application to directly handle particular threats. The integration has been done already, so automatically it will send a signal to the environment or to the solution you have integrated with to carry out a particular action.

The cost of Sentinel is on the higher side compared to that of other standalone solutions.

We can automate routine tasks and write scripts to carry out difficult tasks, which makes things easier for us.

This solution has helped us to save 60% to 70% of our time.

Microsoft 365 Defender provides one XDR dashboard, so we don't have to look at multiple dashboards. In the Import Center, all you need to do is to select the solutions that you want, and it will give you multiple options on different categories and different data. It's amazing and straightforward, and you won't need to open other tabs.

We have been able to prepare for potential threats before they hit and take corrective steps. We can immediately identify users or systems that have viruses or malware. We can also find scripts that have errors underneath them. We can discover each element from the history and delete it. It covers a lot of aspects, and the integration with Sentinel helps as well.

Because there's someone actually monitoring everything, when there is a threat or any form of abnormality, all they would need to do is to create a rule or a query to create a particular section and add the action that needs to be carried out. It's easy to get to reports as well. Overall, the solution has decreased our time to detection and our time to respond by 60% to 70%.

Microsoft tends to provide too many features, which makes the solution prone to bugs.

Also, 365 Defender needs to be more flexible during deployment. When it comes to causal admittance, at times it seems slow.

We have been using this solution for about three years.

The stability is okay. Microsoft has evolved a lot, so they tend to make sure that the solution is up to date and up to par with best practices in the environment. They add new features as well.

It's very scalable.

The level of support you get depends on the knowledge of the engineer who has picked up your ticket. I'd rate technical support at seven out of ten.

Neutral

The initial deployment is straightforward as long as you meet the prerequisites. 
It doesn't really take a lot of time to deploy. All you need to do is to set up the policy, then assign the license to the users. Microsoft handles the maintenance of the solution.

Defender Plan 1 is tenant-wise, and Defender Plan 2 is per-user, which makes it more expensive. To have certain features, you would need to purchase the E5 license. For all of the capabilities that the tool provides, the price, though it can be high, is fair. 

I don't think having a single vendor's security suite is the best because once the threat actors are in through the surface, it's easy for them to penetrate. This is because they'll know all the cracks in that particular product. However, if you have another vendor protecting you as well with a different signature database that is separate, then the attackers have multiple walls that need to be cracked.

An average-sized organization can go for the Business Premium plan. Larger organizations can go with E5, which comes with the full functionalities of Microsoft 365 Defender. Overall, I'd give this solution a seven out of ten.

We mainly use this solution for security reasons. We use it for the complete stack of email security so we don't have to use a third-party tool, and we use the extended security features that are included in M365, like sandboxing.

The solution is deployed on the Azure cloud. We're a cloud-only company, so we only deploy cloud workloads, but we also have customers with legacy systems. If we're not able to migrate them to Azure, Defender for the server can be deployed on-premise.

The solution is deployed across Germany in four regions: Munich, Cologne, Bremen, and Hamburg. However, most people work from home.

There are about 50 endpoint users, but we have customers with thousands of users. We focus on customers with a thousand seats or more.

We use the entire M365 E5 license for everything that's going on in the M365 world. We try to accomplish everything we need with Microsoft products.

It was very easy to integrate the solutions. We integrated them so we could have an overall good view of our assets. The installation was fully automated via Intune.

Overall, the solution has decreased our time to detect and respond. If there is any issue, it's not complicated to get the information we need and respond quickly. We offer managed services to some customers, and we have a very clear view of what's going on in their security environments.

One of our main focuses is IT security. This solution has a huge impact on how we use tools and what we do in IT.

One of the biggest points is that Defender is included in the license. It's integrated fully into the M365 world. There's no need to have a third party, which is more complex and includes additional costs. Especially because we're partners, it's very good to have 100 free licenses. We're able to distribute all the information to our customers and integrate it into our projects in a very streamlined way.

We saw all of these benefits instantly. It's different with customers because they are often heterogeneous in the software they use. There's a little bit of explaining and promoting, but it's a huge benefit for most of our customers when they understand that they can have a centralized view of all these security topics. If we are able to deploy the solution to new customers, the benefits are realized in about six months because we have to train them and implement all of the security.

The solution helps with finding high alerts. I wouldn't say it helps with automation because we are piping the problem into the Jira automation, so our managed service kicks in. I would say that it's half-automated.

It helps save time when it comes to the operation and receiving information because we don't have to skip around with different products and customer situations.

This solution enabled our security operations. The legacy approach, in which the tools are in place and someone occasionally checks them, is not secure as it's meant to be today. 

It eliminates the need to look at multiple dashboards and gives us one XDR dashboard. The consolidated dashboard helps our customers get a faster view, which wasn't possible with the former solution.

The solution's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. Our security team is able to work well with it, and a lot of information is getting to our internal users. We distribute everything we learn to our customers.

Sentinel enables us to ingest data from our entire ecosystem because we're cloud-only, so there is no other architecture to monitor.

I would say the logging and analyzers are about 80% of our security operations. The ability to have a clear view of the security information is a big win. For legacy implementations, it's normal to have the security installed but not be able to monitor, detect anything, or get the information to the right people.

For the most part, Sentinel enables us to investigate threats and respond holistically from one place. Today, there are different views, different websites, and different portals to use in order to drill down and get to the real problem. It's a good starting point.

I like the easy integration and advanced possibilities. We can implement it at customer sites in a few clicks, but we can also dive deep and drill down to extended features. There's a very good starting point to get into this product and all the features from Defender. We use Plan 1 for email security because it's a common vector for phishing and attacks. The Plan 2 version goes more into advanced features and logging, which we also use for our internal security operations center.

The solutions work natively together to deliver coordinated detection and response across our environment by about 80%. There should be something to get a consolidated view, which doesn't exist at the moment. We have a known tool in place to consolidate all the information into one view for us. That would be a perfect function to have in the future.

I have more than 15 years of experience in IT security, so I have a very good understanding of the tools we need for a use case. I think the documentation helps us and all of our customers comprehend the product. For cloud products, it's normal that something new today is almost outdated tomorrow. Company-wide, we have a very good view of all these products, and we're very firm in deploying them.

I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses.

I would also like a more aesthetically pleasing dashboard. For German customers, it's important that the solution is in German. Multi-language support should be in all the features if possible. In many projects, we want to use digital signatures on emails. It would be perfect to have better integration of digital signing in a standard way.

In the last few months, the dashboard changed very often. When they restructure it, it's a little bit painful. Otherwise, the technology is very helpful.

The visibility into threats could be better. For the last six months, getting information from the access points has been difficult. However, the newest version fits very well. It's easy if you've found the right spot to view what's happening.

For legacy organizations or legacy customers, I would say it's possible to save time, but time-saving isn't always the best with security because it needs to be deployed and managed.

It can be installed quickly, but it takes time to check out false positives, have everything in place, and train each end user.

We have been using this solution for five years since our company started. The solution had a different name, but we have been using it since it's been available. We use company-wide E5 licenses.

The solution is stable.

We haven't had any scalability problems.

I haven't had a lot of contact with technical support.

For my personal project, I used many other legacy projects, but not at my company. We aren't selling anything other than the new Microsoft solution at the moment.

The solution doesn't require any maintenance.

We have seen ROI in project situations because we removed legacy email gateways and legacy antivirus on-premise solutions.

I would like to have more security features in the lower licenses because not every customer is able to buy E5 licenses. The bundling isn't always easy for our customers to understand. Compared to other tools, it's a good price.

I would rate this solution as eight out of ten. 

My advice to those who are looking to implement this solution is to get help from the right company so you can use the solution properly.

Defender helps us prioritize threats, but I would say it's a combination of all the information that we're getting from the internet and from other resources.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say that it depends on the customer. If someone has their own VSOCK implemented and many security guys on board, then maybe best-of-breed is what they need. 

If someone is a classic customer who doesn't know a lot about security, then they should stick to a one-vendor strategy.

I am the head of IT of the police force in the Madrid municipality. I have deployed the product to all 6,000 policemen and police women here and we are trying to protect all our devices with it.

It has helped eliminate having to look at multiple dashboards. This is a part of the benefit of the integration. It's quite helpful to receive information and data that is correlated with other information, in the form of a graph or chart. It's a good added value. We are provided with consolidated information, which is very valuable for making decisions and moving forward in improving our devices and our security.

It's very well known by all our technicians and it has helped to decrease the time to detection and response.

And while I can't demonstrate it with metrics, my intuition is that we have saved money. Because we are a very large organization, we have very large needs in IT systems. Perhaps the best thing we did, years before, was to have everything, all applications and the operating system, come from Microsoft. Perhaps that means potential money savings.

The most valuable feature of all is the full integration with the rest of the software in the operating system and Office 365, as well as Microsoft SCCM. It is quite easy for us to work with the whole instance of Microsoft products. This integration improves the benefits of the whole suite of products. Even the desktop devices seem more productive by having all these products integrated. That's the best advantage.

I'd like to see a wider solution that includes not only desktop devices but also other devices, such as servers, storage cabinets, switching equipment, et cetera. That is where they should put in more effort. I don't have a global risk solution coming from Microsoft, one that could help me in all these different IT areas.

I have been using Microsoft 365 Defender for about two years.

I would rate its stability at seven or eight out of 10. It's quite good. Up until today, we haven't had any big problems with the solution. I'm quite comfortable with it.

The solution is deployed to more than 25,000 in the municipality, but my responsibility is only over 6,000 people in the police corps.

Microsoft provides quite good support across their different areas of activity. The people attending to your requests are quite professional. They take care of your requests and respond to your needs. They try to help you. The documentation is not the best in the world, but it's quite sufficient for our needs.

Positive

Years ago we had solutions from other companies, such as Trend Micro for the desktop devices, and Trend Micro and Sophos for servers.

We used to work in different ways. Some people were in the office with desktop devices, but most of our people work outside with mobile devices. The latter group is at much more risk and we wanted to protect all these devices from potential damage and risks.

The switch was a company decision made by higher management within the municipality. We started to work with Microsoft Office 365 years ago, and then a decision came down imposing the use of Microsoft 365. I feel comfortable with the decision, but I know inside our organization that we've had plenty of problems deploying all facilities given by M365.

I'm not aware of having more or fewer problems with this product than the ones we had before, when it comes to deployment or interfaces. It's quite standard and the deployment was quite easy, but it was equally easy to deploy all the products years ago.

It has been easy to integrate with the rest of our devices and software. In addition, there was no impact on the user experience. The solution is transparent. The users may not even know of the existence of this product. There was no problem deploying and starting to use Microsoft 365 Defender. We have some other products, beyond the desktop level, that work in a coordinated way Defender.

The deployment took a few months, but we needed at least a year to stabilize our organization. The first days were awful because people couldn't understand the change in mentality required to work with this paradigm of software. During the first year, we had to cope with plenty of incidents and problems. Having passed the one-year mark since we deployed, we have started to see some of the benefits.

I generally use an "onion" deployment methodology. I start deploying new solutions in desktops that are quite close to my area of activity in the IT department. We implement, let's say, 50 to 100 desktops per day and we wait for a week to see if everything is okay and whether there are incidents. Once we are assured everything is fine, we implement by regional police units in different locations.

We had 10 to 12 operations technicians involved in the deployment.

Every software solution requires maintenance. In this case, there isn't a lot of maintenance. We have to keep an eye on the status of the solution every day. That process involves two or three people.

As most software companies have done during the last few years, they have moved from a licensing model to pay-per-use. It was difficult to understand and accept this change. When we had to accept that model, it had a great risk for companies like ours that always have to cope with annual budgets. The question is: What happens if, for any reason, there's not enough budget to accept this model? That could be a great problem.

There was a possibility of continuing with the solutions we had been working with.

But we cannot compare them because the other solutions were built eight years ago. Technology has changed so much.

Fortunately, we haven't had the chance to see if the solution's threat intelligence helps prepare us for potential threats before they hit. But I'm quite sure that it's working together with other tools to help us to stop potential breaches and risks.

Give this product a chance. Is it the best in the market? I don't know. Is it the worst? I don't know. But what is quite good is the integration with the rest of Microsoft's software products. That's the added value.

Try it, prove it, and see how it integrates. It depends on the situation. If a colleague is using Linux in their data center and desktops, of course, I wouldn't recommend this solution. But here in Spain, most companies have Microsoft products.

The product replaced Sophos, a third-party product we used, helping us save money equal to its yearly subscription. The product saves us time. We do not have to interfere. It just keeps running.

Considering we haven't encountered any technical problems since we started using it. It is working as intended. It has great stability.

I don't know if that is Defender's feature, but more active monitoring for data breaches would be beneficial. There could be a way to proactively monitor unusual activity versus just depending on viruses and malware. If the traffic seems unusual, it could detect anomalies and update us. It would help us stop malware attacks ahead of time.

I have been using Microsoft Defender XDR since 2015.

We never encountered stability issues.

Whenever we add a license, it automatically sets the account for a new user.

The initial setup process was fine and similar to Office 365. We had to get our email server lifted externally from the premises to the cloud. It is easy to use once all applications are deployed.

Microsoft Defender XDR is already included in our Office 365 licensing. It is better because we're saving money by using it.

The product was included with the Office 365 licensing that we had. So, we decided to try it out. Before that, we were using Sophos.

I haven't run into that particular instance where the security features have extended beyond Microsoft technologies. The only products we use outside of Microsoft are proprietary lockdown applications, and it's not really an issue there.

During staff training, we've been using Intune to detect phishing attempts. It hasn't detected anything in that aspect. However, it has the ability to check for malicious attacks preemptively.

I rate it a ten out of ten.

I'm a deployment engineer for Microsoft products, and we work with multiple SMEs. Customers adopting Microsoft products want the same features they had in their third-party solutions. We look at their requirements and the types of features they need. We determine the security mechanism that best addresses their vulnerabilities. We might suggest Defender for Identity,  Defender for Endpoint, 365 Defender, and Defender for Cloud Apps. In addition to those security solutions, we offer device management. We provide everything.

Defender improves our security operations. I've had chances to collaborate with our SOC team. Our customers face many random attacks they don't know how to prevent, and the SOC team handles them remotely. The security engineers can investigate the incident or use the information from the customer's environment to offer a recommendation. If the customer doesn't have the detection mechanism, we can recommend a product or find a solution for them. 

The solution can help customers save money because we can bundle it with all the other Microsoft solutions, like email and Defender for endpoint, identity, and cloud apps. Most of our customers use Windows 10 devices and Microsoft Active Directory, so everything is on the same page. Defender can save time by automating investigation and response. We don't need to spend much time because it'll automatically take action in many cases. 

The best feature is threat hunting. There are a lot of other features I like, such as the alert mechanism. The chain alert mechanism has a huge impact. It combines all the alerts into one incident and automatically correlates them with AI. 

Defender has integrated identity access management, and you can add DLP features through a separate solution called Microsoft Purview. Within the cloud, we can create access policies based on each user's risk. It's integrated with Azure AD and on-prem Active Directory, so all the user identities can be managed in a single portal.

We use the multi-tenant management capability, so we can cover customers that have multiple regions. We can easily investigate across tenants based on severity. For high-priority alerts, we start from scratch and ignore what's happening on the endpoints or emails. We isolate the device and ensure that nothing will be released from it. Next, we check this device and some more details.

There is no common area where we can manage all the policies for the EDR, third-party solutions, devices, servers, Windows, Mac, etc., but it's on the roadmap, and we were waiting for that feature. 

I have used 365 Defender for about four years.

365 Defender is stable. There is no downtime. Still, Microsoft is constantly rolling out features, so there are sometimes bugs after new releases. Our customer experience team is collaborating with Microsoft and sharing feedback with them. 

365 Defender is scalable 

I rate Microsoft support nine out of 10. The support depends on the product and the customer's issues. 

Positive

I work with customers coming to Microsoft from other third-party products, so I try to understand what the product does and suggest a solution. The names are different, but all the technology is the same.

Deploying Microsoft Defender isn't complex if you have experience. The deployment depends on the number of users, apps, and the client's requirements. If the client wants to implement XDR, it takes about a month to achieve full functionality.  Endpoint protection takes around five to ten days. It's a cloud product, so it doesn't require any maintenance. 

Defender XDR is agentless, so you don't need to install an agent anywhere. It's a cost-effective option.

I rate Microsoft 365 Defender nine out of 10. We recommend it to our customers. 

I primarily use the solution as an engineer. I use the product to protect the endpoint and I use it to protect my customer's environment. 

The web protection on offer is very good. For a company that doesn't have a firewall, it's quite useful.

It gives feedback and helps protect internet access. It provides you with analysis on the state of the environment and you have a direct link to Microsoft which is doing its own research on security. You're constantly getting feedback from Microsoft resources so that you can be up to date in your own environment and you'll have a better understanding of the security landscape. 

The solution is great for companies on a budget.

Defender provides helpful visibility into threats. It covers a lot and comes with a next-gen antivirus. With that, you can register to the cloud, and, if you have cloud protection, your environment is protected even more. 

It helps us prioritize the threats across our enterprise. It covers all of our devices. You can cover your entire operation with the license you purchase.

Microsoft 365 Defender is easy to integrate with other products. You just have to configure some things in order to integrate everything and you are SDR compliant. We currently have it integrated natively, so we don't have to worry about configurations.

The comprehensiveness of Microsoft's threat detection is good. Microsoft provides a lot of security. It gives you visibility and IT has a lot of control over everything. You can see your environment, including clouds. You can block things within your environment as needed. The applications are easy to manage. It also has app governance to be able to gain visibility into permissions.

The product has helped automate routine tasks and the finding of high-value alerts. It has an automatic investigation feature that you can enable. It's great for automation. Thanks to automation, it has helped reduce the time it takes to analyze security events and alerts. You don't have to wait to take action. If there is a threat, you can neutralize it faster and it will record everything for audit records. While I know it has saved us time, I can't quantify that into a specific amount of hours.

We no longer need to look at multiple dashboards. Now, everything is centralized under one dashboard. 

The product's threat intelligence helps us prepare for potential threats and take proactive steps. Since we've been using it, we've had no security incidents.

The only issue I've had is, when it comes to deployment, the steps I must take around policy setup. That is challenging. We're working on the onboarding and configuration policies. We're collecting feedback from customers and partners in hopes of refining the future design for deployment.

I've used the solution for about two years.

The feedback I have received from customers is that the stability is very good. 

The product scales well.

If you have a license through a partner, it's the partner that will support you.

The only issue with Microsoft is the response times. They are very competent, however, sometimes you will send an email and get no response. 

Neutral

I previously used Sophos. I then switched to Microsoft Defender. The Sophos deployment is quite easy in comparison. You can do everything from a single portal. They had already achieved effective centralization. 

Right now, there are two different ways to onboard. You might have to have a different partner to configure policies. However, right now, you can also create policies from the activity center, so you don't have to do it from the device itself.

How long a deployment takes depends on your scope and the number of devices you are covering. 

If you do not get a license for the portal, you'll have to use the manual to deploy. If you have an older server you may encounter some issues. However, if you upgrade the server at the same time, you'll have fewer problems.

We do use more than one Microsoft security product. We've integrated with other products. 

I do not make use of the directional sync capabilities at this time. I'm also not using Microsoft Sentinel.

I'd rate the solution eight out of ten. If the deployment of the agent was better, I'd move my grade closer to ten. It should be more automatic. You also shouldn't have to install the logs.