Microsoft Defender XDR Reviews

We use Microsoft Defender XDR for our Microsoft 365 email service.

It helps protect us against ransomware. We were a victim of a malware attack in 2018 before implementation.

Email protection is the most valuable feature of Microsoft Defender XDR.

The price has room for improvement. The price should be adjustable by region.

I have been using Microsoft Defender XDR for almost 5 years.

Microsoft Defender XDR is stable.

Microsoft Defender XDR is scalable.

The technical support is good.

Positive

Microsoft Defender XDR is priced high.

I would rate Microsoft Defender XDR 8 out of 10.

No maintenance is required from our end because it updates with the OS.

We typically use Defender's default settings and are implementing MITRE ATT&CK use cases on Microsoft Defender this year. We do manual threat hunting and check to see if there is a trending attack. We have the latest IOCs and sweep across the organization looking for them. 

When implementing Defender, we usually use its advanced hunting features to determine particular techniques used across the whole environment. We use multiple Microsoft security products, including Defender for Endpoint, Defender for Cloud Apps, Sentinel, email and collaboration, data loss prevention, and Microsoft Purview.

Defender XDR enables us to prioritize threats according to the algorithm or our custom rules. We can prioritize threats and have the option to automate the response. For instance, let's say we are facing a sticky key hijack. When you press shift several times at the login screen, you can open the command prompt of that particular host. That is a vulnerability of Microsoft Windows. When this happens, we can automate a priority alert and also isolate that endpoint from the network immediately. 

The solution reduces our remediation time by enabling our security analyst to respond quickly, make some automations, and edit the rules to detect any potential threats. The extent to which the solution reduces the remediation time depends on the analyst's skill. If the security analyst is good, Defender XDR will help them.

XDR saves money if you are using Microsoft products. XDR is more inclined toward Active Directory, a Microsoft product. No other XDR can integrate with Active Directory so seamlessly and use it to its fullest potential. Microsoft also offers multiple sub-products. If we purchased third-party solutions for email, endpoint, XDR, cloud applications, etc., and managed them on a single platform, it would be more expensive than Microsoft solutions. When we do a cost-benefit analysis, Microsoft Defender XDR offers a better value. 

I like Defender XDR's automation capabilities. XDR isn't automated by default, but you can automate it to respond. If an attack is performed anywhere within the organization, you can isolate that instance from the network. This is what I can figure out for it. When integrated with Sentinel, you can set up playbooks to automate all the alerts gathered on Sentinel from different Microsoft solutions. Sentinel has a wider range of capabilities than XDR. 

Defender XDR has good threat visibility, but it could be better in some areas, like when we are hunting for a specific host. For example, let's say we are investigating email services, and want to trace an email account to its host PCs and investigate the emails in its inbox. We want more visibility into the email side of investigations. It would be better if these features could be more integrated into the console like you could have a tab for Cloud Apps to see the cloud applications a user had communicated with. 

Microsoft's threat analytics are somewhat helpful for anything related to Microsoft products. For instance, it can update us about any single sign-on vulnerabilities or something along those lines. However, Microsoft was very late in terms of the recent LockBit attacks. LockBit compromised some significant organizations, and Microsoft didn't provide the report fast enough. It was reported on my normal cybersecurity information websites first. The site analytics are a bit weak when it comes to non-Microsoft clouds.

Defender XDR is capable of providing intelligence reports about threats specific to Microsoft components, but if we are implementing a Microsoft solution across an organization, many other products and side factors must be considered. I feel like Microsoft falls behind some other vendors in threat intelligence.

When we do investigations, it would be better if Microsoft could populate the host dashboard more. When we open any host for investigation, we want the entire timeline of what is happening on the host, including all the users logging in, their hardware, Windows version, etc. 

I have used Defender XDR for nearly 2 years. 

We haven't faced issues with stability. XDR doesn't lag during investigations. We've seen a few minor bugs in the XDR console but not often. There have been no major issues that disrupted our operation. 

Defender XDR has good scalability. If you want more endpoint visibility, you don't need to scale your organization much. You only need to integrate that particular endpoint by running a script and deploying an agent to it. 

I haven't contacted Microsoft support about XDR, but my client has. One of the alerts was triggering incorrectly based on a default setting. We asked their team to investigate why the solution was excessively triggering. I just disabled the default rules and made custom policies. Now, everything is working fine.

I previously used CrowdStrike EDR. It's hard to compare the two products because CrowdStrike EDR was focused on endpoint detection, so it cannot investigate emails or have any other XDR capabilities. One is an XDR and the other an EDR. 

We compared Microsoft Defender XDR to Trend Micro's Vision One. Defender's advantage over Vision One is ease of use. Managing and enabling policies is much easier on Microsoft Defender. There's a considerable difference between their default rules. In some cases, alerts will trigger in Defender, but not Vision One. Overall, Microsoft Defender XDR is preferable over Vision One.

I rate Microsoft Defender XDR 7 out of 10. It's a useful product for a professional security analyst who knows how to increase the visibility. You only need to make some front-end changes and put the data on host names into XDR. 

If someone asked me whether a best-of-breed or single-vendor approach is better, I would support mixing different products. Each security vendor has its own intelligence base. By including other vendors, I am gaining visibility into more indicators of compromise. Nevertheless, I would still pick Microsoft Defender XDR and Sentinel together because they are well integrated. All the big companies and banks use Microsoft. Windows is a popular operating system across the world. Defender and Sentinel are better integrated with Microsoft systems. 

One of my largest customers deployed Defender for Endpoint, but they also wanted Defender XDR to get a specific feature. Defender XDR is included in the E5 license, but it's a bit too expensive. Our customer wanted Defender XDR's file integrity monitor tools for compliance. My client is using Defender with Sentinel, but I'm unsure how much they use it. 

My clients like Defender's file integrity monitoring. They're monitoring Windows and Linux system files.

My client would like the solution to be more customizable without using code. You can only build on the default console, but we're not allowed to change it. 

We have a similar tool to Defender's file integrity monitoring. Under the VMware VM properties, there is a change-checking tool, and it will tell us if the extension is in a different location. You can configure checking and do the monitoring. When I log into Defender's file integrity portal, I cannot see that this machine was enabled.  It's the same agent and extension. 

It's confusing because I don't know how to tell the customer they don't need to pay $15 per month because you already can enable the extension in VMware. Under the Defender account, it all seems like it's high code, and we cannot change it. Every customer has requirements for us to customize those things. 

I have used Defender XDR for about a year. 

Defender XDR is an enterprise-scale solution. 

I rate Microsoft support 4 out of 10. 

Neutral

I rate Defender XDR 3 out of 10. I don't think Defender XDR is ready to deploy in its current state. It has too many solutions inside, and they're not fully integrated. 

It is an integral part of our security infrastructure, primarily serving to monitor both our server and client environments comprehensively.

Its strength lies in providing a holistic view of the protection it offers. When a threat is detected, the system not only identifies the nature of the threat but also provides valuable insights into how and why it was detected. This thorough understanding empowers us to take well-informed steps to remediate the threat effectively. The unified Microsoft environment enhances overall ease of use, making it considerably simpler for our team members to collaborate and work efficiently, given our familiarity with Microsoft products. Unified identity and access benefits stand out as crucial, especially as we delve deeper into compliance considerations. The increasing importance lies in having a centralized view, streamlining visibility through a single interface rather than navigating across various sections in Defender.

The incident threat response and its ability to facilitate effective remediation against threats are the standout features. I haven't encountered a similar level of comprehensive incident response in other solutions before.

Perhaps there's room for visual enhancements to make the platform more appealing. Stability could be improved by avoiding frequent changes to the interface.

We have been working with it for approximately a year.

It has proven to be scalable within our organization, which, while not exceptionally large, consists of around eight hundred users globally. It strikes a balance, meeting our needs effectively without being overly complex.

The technical support is generally good, but we sometimes find the first-line support process a bit cumbersome. After initiating a case, we, as experienced professionals, go through the standard script diligently (ABC), only to find that first-level support requests the same steps again. While I understand the need for thorough troubleshooting before escalation, it can be time-consuming. I would rate it six out of ten.

Neutral

Compared to antivirus or security products such as Trend Micro or McAfee, Microsoft Defender XDR appears notably more user-friendly and offers a clearer interface. The adoption of Microsoft Defender allowed us to phase out the use of other security products, including our long-standing reliance on McAfee and Trend Micro. The transition was prompted by the effectiveness of Advanced Threat Protection offered through Microsoft Defender 365. The decision to consolidate under Microsoft's umbrella proved advantageous, making the adoption process smoother and more efficient for our organization.

The initial setup wasn't overly complicated. We only needed to create a few scripts, which were then executed on our local machines within the environment. This process seamlessly integrated the machines into Defender within our tenant.

We use a third-party software tool for executing scripts and deploying software packages.

We've achieved significant cost savings, primarily in the realm of security. As Microsoft continues to enhance Defender, we anticipate further opportunities to streamline and consolidate various aspects of security monitoring and software under the Microsoft umbrella. I'd estimate the savings to be in the tens of thousands of dollars annually.Considering our relatively small team of around thirty IT professionals, especially those at the first level primarily using security products like Defender, the streamlined access within the same application prevents them from having to navigate through multiple applications. This efficiency translates to a potential saving of around a dozen hours per month per individual.

Understanding the subscription model has been a bit challenging, as every feature or requirement comes with an additional cost.

Overall, I would rate it eight out of ten.

We use the solution for endpoints. 

What I like most about the product is its all-in-one solution. With Microsoft Defender XDR, we get coverage for various aspects like endpoint security, cloud security, and image-related cases, all within a single platform. This eliminates the need for multiple products or technical controls to address incidents. The main benefit became evident immediately after deployment, especially in its ability to analyze files and phishing emails quickly. By submitting suspicious files or emails, we receive quick results on whether they are legitimate, suspicious, or malicious, saving time. 

The solution could enhance the threat Intelligence feature by making it more relevant to specific industries. Much of the threat intelligence information isn't directly applicable to our environment. It would be beneficial if the threat intelligence were tailored to the industry, such as healthcare or fintech, where the solution is being used.

Additionally, the MDCA feature could be improved to provide more accurate data on how much data is uploaded or downloaded from the cloud. This might involve better implementation from our infrastructure team, but clearer and more precise reporting on cloud data activities would be valuable.

I have been using the product for eight to ten months. 

The solution works smoothly. 

The tool's scalability is good. 

If we open a case on the Microsoft portal, a support person from Microsoft helps resolve the queries. From our side, it usually involves two or three people. The Microsoft support person sometimes brings in another expert to resolve technical queries.

We've submitted our queries, and a tech support engineer comes through on a chat, a Zoom call, or another type of call. We discuss the queries with them, and they usually resolve the issues in one or two sessions.

Sometimes, if one engineer can't resolve the query, they will bring in another engineer, which can take an additional one or two days. 

Neutral

We chose Microsoft Defender XDR because it provides a one-stop solution. Everything related to endpoint security, email security, or cloud applications is integrated and visible in a single window. If we were to use other solutions, we would need to implement three different products to achieve the same level of integration and functionality.

We had some issues while deploying the tool's on-prem version. Support helped us resolve them. The cloud version is easy to deploy, while the on-prem version takes one month and doesn't require any maintenance.  

I rate the overall product an eight out of ten. If a new customer is going to buy Microsoft Defender XDR, they should clearly state their needs in front of the Microsoft team. They need to specify what they want and what features they require. It's good for the Microsoft team and the customer to understand all the requirements before deployment clearly. This way, any potential issues can be addressed beforehand, making the deployment smoother.

We use Microsoft Defender XDR for endpoint protection.

We have integrated Microsoft Defender XDR with 365 for identity and access management.

Microsoft Defender XDR protects against ransomware, business, and mail compromise. Microsoft offers the MITRE ATT&CK framework through its Defender XDR platform. This integration is particularly beneficial for Microsoft Office environments. It's a common practice to use Sentinel to investigate potential security incidents. For instance, we can check logs, examine hunting patterns, and review queries in Sentinel. Additionally, I've encountered situations where clients have lost their conditional access policies due to various factors, such as country-based rules, MSA-related rules, or application-based roles. Clients need to maintain these specific policies to ensure optimal security.

Multi-tenant management is a relatively new concept. I currently work with GCP, Microsoft 365, AWS, and Azure, where I access and perform assessments.

Microsoft Defender XDR helps replace other security products in our environment.

Microsoft Defender XDR helps save us time.

The common and advanced security policies for threat hunting and blocking attacks are valuable.

The UI is user-friendly. 

Microsoft frequently changes the names of its products, sometimes even renaming entire portals or features. This can make it difficult for users to keep track of the latest changes and find the information they need. For example, every month, Microsoft might rename a product, change a portal, or update a feature. This can lead to confusion and frustration for users.

I have been using Microsoft Defender XDR for seven years.

I would rate the stability of Microsoft Defender XDR eight out of ten.

I would rate the scalability of Microsoft Defender XDR eight out of ten.

The few times I have contacted technical support, they have been helpful.

Positive

The initial setup is straightforward. Depending on the size of the environment, two to three people are involved in the installation.

Purchasing Microsoft Defender XDR as part of a Microsoft 365 bundle can be cost-effective, but acquiring it as a standalone product may be more expensive.

I would rate Microsoft Defender XDR eight out of ten.

We have many clients that have large companies in the south region of Mexico. They use the solution for security.

 Microsoft 365 Defender is a good solution and easy to use.

I have been using Microsoft 365 Defender for approximately 15 years.

Microsoft 365 Defender is a stable solution.

The scalability of Microsoft 365 Defender has been good.

The support from Microsoft could improve. There are times I have to wait for a response from a qualified specialist.

If the solution is deployed using a good specialist with the correct configuration it works very well for normal users.

The amount of people needed for the deployment depends on the number of licenses the customer has. if it is a large company as we have with approximately 8,000 to 12,000 people, we need more people to do customer service in this case. However, for small to medium companies, we have two people that do the implementation.

We have a lot of problems in Latin America regarding the price of Microsoft 365 Defender, because the relationship between dollars and the money of the different countries, it's is a lot. Many customers that have small businesses say that they would like the solution but it is too expensive. However, large companies do not find the cost an issue.

I rate Microsoft 365 Defender an eight out of ten.

We have very strong DLP policies. The product will inspect each and every outgoing email and what kind of attachments they have, including if any have business-sensitive information such as outgoing email going to some public domain such as Gmail or Yahoo. If the solution detects this, it'll raise an alarm and notify the required teams. On top of that, the incoming email will scan attachments for any potential malware tech or any phishing link. 

The native capabilities are quite good as it slips in seamlessly as part of our integration. 

It integrates well without AD, Active Directory.

It gives a lot of flexibility in terms of configuration and customization as per the business requirements.

These days, in the security industry, there is a buzzword called zero trust. I personally have not seen much evidence of how Defender can enhance the story of Zero Trust for enterprises. Microsoft needs to offer more features here or spread awareness in the industry and the market about how Defender addresses Zero Trust issues.  

I've used the solution for more than a year now.

The stability is good. it's up to the mark. 

It's usually scalable. 

We're using it on a daily basis. 

The solution works for any size of organization. There is no such limitation for Microsoft as the ecosystem they have built doesn't really have a limiting factor. It will work for a small sized up to a big-sized organization. Our company is half a million strong. If it satisfies our needs, then definitely it can satisfy anybody else as well.

I personally have never reached out to technical support as our in-house expertise is good enough.

It's good for the most part, as it is their own homegrown product and they understand it well.

We haven't worked with any other products.

The setup is a simple process, however, users can adopt the phase-in approach and start simple and then yeah. For example, over a period of time, you can achieve what you want to achieve, but not in a single shot. You can do it in phases and work everything in slowly.

The amount of time it will take to deploy Defender depends, actually. If a customer is already sure about all the processes and reporting information they require, then to start, it should not take more than a couple of months, including planning.

There is some maintenance required. We need a team to run the show, however, when you compare it to other options, the maintenance requirements are reduced. We typically have a cloud operations team to oversee it, and it's business as usual. Our company is able to provide any needed maintenance services to our clients. 

Our company integrates this solution into our client's infrastructure.

We have E3 and E5 licenses for our users and there is the default.

Depending on the user role, the senior people and critical positions have been allocated the E5 licenses and the intermediate users have been allocated E3 licenses.

Whether it is inexpensive or not is not a very straightforward question as, when you compare the total cost, you have to consider the total cost of ownership. It's not only a comparison between two products. You have to see the other dependencies when you deploy any other solution. That said, I would say it is more or less cost-effective.

We are partners with Microsoft.

I'm in a customer-facing role where we propose different email security solutions to our customers. My role demands that I identify the required security solutions for the different needs of our customers.

We are on the latest version of the product.

I'd advise potential new users to define their business requirements first, however, it's likely Defender will need them and provide what they need.

I'd rate the solution at a nine out of ten.