Microsoft Defender XDR Reviews

The main use case has been for threat hunting, not in the sense of actively looking for the threat, but in terms of analyzing the ongoing process within clients' machines. I was looking into what kind of changes happen when you install any new software and it asks for so many permissions. I wanted to analyze the criticality of the permissions being asked and so on. Usually, when we install any software, we just click next, next, and next. We don't look at the details. So, my role was to check how it behaves within a system. For that reason, I used Microsoft Defender. 

I used the query language to do advanced threat hunting. I ran different queries to collect the data. The data was then brought into Power BI. We had data coming from different channels. So, we used Power BI to collect it at a single point.

My usage of it was on a very small scale. I am not aware of its overall impact on the organization, but it did help us a lot to know and achieve what we wanted to achieve. Without Microsoft 365 Defender, the detection for our use case would have been impossible.

It provided more visibility into threats, and it came with some of the default functions from Microsoft, which was an advantage. They had already defined different tables in advanced threat hunting, which was very helpful. I am not aware of other vendors providing that.

Its threat intelligence helped to prepare for potential threats before they hit and to take proactive steps. That was my target for that project. We were actively looking for vulnerabilities inside the software, and we wanted to detect the software supply chain aspect. That was a difficult task, but we wanted to be ahead before any attack happened. That's why we were using Microsoft 365 Defender.

It saved time. They had already defined different tables to identify different artifacts within the system, which saved about 50% of our time.

Within advanced threat hunting, the tables that have already been defined by Microsoft are helpful. In the advanced threat hunting tab, there were different tables, and one of the tables was related to device info, device alert, and device events. That was very helpful. Another feature that I liked but didn't have access to was deep analysis.

I liked its portal a lot. I am currently using a different vendor, and there is a big difference between them. Microsoft had a very good portal, and its user interface was good. Irrespective of where I was, with a click, I could see comprehensive details about something on the right side. The related information was always on the right side. So, I didn't have to jump over different tabs and functionalities. The information was always there on the right side, which is something I liked in Microsoft 365 Defender portal.

The documentation on their website is somewhat outdated and doesn't show properly. I wanted to try a query in Microsoft Defender 365. When I opened the related documentation from the security blog on the Microsoft website, the figures were not showing. It was difficult to understand the article without having the figures. The figures were there in the article, but they were not getting loaded, which made the article obsolete. They should refresh all their articles and see that the steps and figures aren't missing. They can also provide more documentation.

I used it just for four months in a previous company.

I never had any problems with it. It was always stable.

It's scalable. You can query each and every machine in the company.

I was working for a client, and that client had more than 50,000 people.

I never contacted them directly, but based on what I heard during the meetings, they seemed to be quite helpful and good.

I didn't use any other similar solution before Microsoft 365 Defender. That was the first time I used Microsoft 365 Defender. That was my first experience. Now, I'm using a different product, and I can see that Microsoft 365 Defender was much better than the current product.

Microsoft 365 Defender is very good for analyzing something. There are multiple types of data and multiple ways to utilize that data. With a single click, you can have all the related data for a particular topic. That's really good, and that is what I'm missing in the current product.

I did not use Microsoft Defender for Cloud, but I saw the cloud part for monitoring cloud applications. It was nice, and it had some added functionalities. For example, application risk scoring was very good. It shows what data has been considered to give a particular risk score, which is useful for a new learner like me. It was helpful to know the criteria for scoring. They also included so many applications. There were more than 24,000 cloud applications inside their catalog. That's a really good catalog.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would agree that multiple vendors are better than a single vendor because every vendor has different capabilities. It's always better to use the best products from different vendors than to use all the products from the same vendor.

I would rate Microsoft 365 Defender a nine out of ten. 

Microsoft 365 Defender is an extension of Windows Defender. Windows Defender is an AV that is integrated with Windows OS, and with this extension, you also get the EDR functionality for security purposes. Microsoft 365 Defender gets more access to the device and provides more insights and control over that. Apart from the Windows platform, it also includes other OSs, such as Linux and macOS.

We do have multiple options for deployment. We did deploy it on the cloud. We got the on-cloud license, and we onboarded our devices to the portal. The portal is deployed on the Azure cloud.

It helps us prioritize threats across the enterprise. We also have options to prioritize a specific device and monitor it. We can keep a device on high alert or on the watch out for each and every event. There are different severity levels, such as critical, high, medium, and low. We can set severities on any of the devices. Based on the set severity level, Microsoft 365 Defender can track events, and we can monitor those events from the console.

We get more insights and more information about the devices that we have. Because most of them are Windows devices, we have integrations with Intune or SCCM. It is easy to transfer all the information and see everything in one single portal. If we want to configure anything or control the devices in the whole organization, it is easy because all of them are in the same environment. It is easy to manage and control them.

There are fewer compatibility issues and errors and a better ability to track events. With third-party solutions, I used to see more issues related to compatibility and setting the ports. For each and everything, we had to either go through the support documents or through the support to get information. Most of the Microsoft documentation is publicly available. It is not that you only get that when you open a support case. That's an advantage compared to others.

It helps to automate routine tasks and the finding of high-value alerts. We have KQL or SQL queries that we can set up. We can schedule them so that it automatically queries for a specific device or all the devices and gives us a report that we can simply export.

Its threat intelligence helps to prepare us for potential threats before they hit and take proactive steps. It has helped us to recover a few devices. Because it is integrated with the OS, we get information about failed logins.

It saves time and manual labor. Previously, we used to use a deployment portal such as Filezilla or GPOs. We used to manually update the signatures, but now, it is automatic. It saved me pretty much half a day's work.

It has decreased our time to detect and our time to respond. It has saved half a day's work. The sensor constantly connects to the console. In case of an issue, we get an email immediately. We also get a notification in the console. Previously, we used to manually scan the device or query something and then get the results. Because it is automated, we don't need to manually do that. Previously, we used to manually isolate or block a device, or we used to work with different teams to get the device offline, but now, we can simply search the device name in the console and isolate a device from there, which is convenient for us.

The EDR features are valuable. By getting the EDR features, we have more control over the device. We have information about events in real-time and more protection against zero-day threats and zero-day vulnerabilities. We can monitor every event or action that a device is going through. We can get an idea if it is something malicious or if we have to take any actions.

Because Microsoft 365 Defender is integrated with the OS, we get more insight into the events or threat activities. With a third-party solution, we could have some limitations or compatibility issues with the OS, whereas with Microsoft 365 Defender, there are no compatibility issues for Windows, and we get more insights and more information on the threats simply by logging into the console.

The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there. 

It has been almost three months.

I would rate it a seven out of ten in terms of stability. It is quite stable but it can be improved for a few scenarios. It is still new for macOS and Linux, and for these OSs, I would rate it a six out of ten in terms of stability.

It is scalable. We are using it pretty extensively. It is for multiple departments, and there are multiple teams handling it. In the tenant I have, there are 2,000 devices that are currently onboarded. We also get information about which devices are not onboarded. I can see that a few hundred devices are not onboarded. We also have a few other clients or partners who are using it but on a small scale. 

It is good. We do get constant responses and inputs from them whenever we raise a case. They are quite helpful. I would rate them an eight out of ten.

Positive

I started working with this solution because I changed my organization. That was the major reason. 

Being able to get the information simply from a single portal and the integration with other portals have been some of the benefits. Previously, we used to get data manually, and then we used a SIEM or event collector to send that data to other portals. Now, we can integrate with other Microsoft portals, such as Intune, and get the same information there as well. That's one convenience I have found.

I am not involved with tenant deployment. I am involved with the onboarding of the devices. If you have the right knowledge, it is completely fine. They do have an admin console. You can deploy multiple tenants and also control through that console, but I don't have access to that. I only have access to my own tenant. I only have control over that. We can also include a tenant for a specific organization from the admin console. That admin console is deployed on Azure.

Most of the maintenance is automatic. Because we allow Windows updates, most of the Defender updates are also included in Windows updates. We don't have to specifically go and check. If we see any alert or we find any suspicious events or something on the console while we are investigating, then it might need manual checks. We do get some recommendations through the console itself for what we can do to improve the device security score. So, it requires some maintenance, but that's only when we detect something or we are investigating something. For maintenance, we have different teams in each section. We have around 15 to 20 people.

I don't have the metrics, but we started to see its benefits within a couple of weeks from the time of deployment.

Its licensing and pricing are handled by someone else. My role is limited to incidents or issues with the portal, but you get what you pay for. It is worth the cost.

We did compare it with VMware Carbon Black and McAfee. We did check Symantec as well, but Symantec didn't have EDR capabilities. So, we dropped it. The final call was Microsoft because we found the integrations and other things easy. It saves time for us because we don't need to go through another team or get a separate team involved just for data transfers.

I would definitely recommend this solution. Getting the product is easy. You simply get the license, but after getting the product, you need to go through the deployment and configuration of the product to match your environment. You can just try out the product and experiment in your own way and learn each and every feature. The documentation is completely public. 

I would rate it an eight out of ten because there are a few areas where it can be improved.

We use Microsoft Defender XDR for endpoint protection.

We have integrated Microsoft Defender XDR with 365 for identity and access management.

Microsoft Defender XDR protects against ransomware, business, and mail compromise. Microsoft offers the MITRE ATT&CK framework through its Defender XDR platform. This integration is particularly beneficial for Microsoft Office environments. It's a common practice to use Sentinel to investigate potential security incidents. For instance, we can check logs, examine hunting patterns, and review queries in Sentinel. Additionally, I've encountered situations where clients have lost their conditional access policies due to various factors, such as country-based rules, MSA-related rules, or application-based roles. Clients need to maintain these specific policies to ensure optimal security.

Multi-tenant management is a relatively new concept. I currently work with GCP, Microsoft 365, AWS, and Azure, where I access and perform assessments.

Microsoft Defender XDR helps replace other security products in our environment.

Microsoft Defender XDR helps save us time.

The common and advanced security policies for threat hunting and blocking attacks are valuable.

The UI is user-friendly. 

Microsoft frequently changes the names of its products, sometimes even renaming entire portals or features. This can make it difficult for users to keep track of the latest changes and find the information they need. For example, every month, Microsoft might rename a product, change a portal, or update a feature. This can lead to confusion and frustration for users.

I have been using Microsoft Defender XDR for seven years.

I would rate the stability of Microsoft Defender XDR eight out of ten.

I would rate the scalability of Microsoft Defender XDR eight out of ten.

The few times I have contacted technical support, they have been helpful.

Positive

The initial setup is straightforward. Depending on the size of the environment, two to three people are involved in the installation.

Purchasing Microsoft Defender XDR as part of a Microsoft 365 bundle can be cost-effective, but acquiring it as a standalone product may be more expensive.

I would rate Microsoft Defender XDR eight out of ten.

It's the main tool that we use for the customer that we support. We don't use any other tools to monitor the environment.

It helps us prioritize threats.

In addition, Microsoft Sentinel enables you to ingest data from your entire ecosystem. One of the main reasons we use Sentinel is to receive logs from different sources and create analytical routines to generate alerts. Sentinel enables you to investigate threats and respond from one place and that is also very important because it becomes part of the monitoring team.

Microsoft 365 Defender has also helped eliminate looking at multiple dashboards, giving us one XDR dashboard. That means we don't have to spend too much time checking different pages. We just have one specific portal with all the information.

The solution has saved us time, although we haven't measured how much. It has reduced our time to detection and time to response by about 20 percent.

The most valuable features are the 

• integration among all the Microsoft tools
• details of the alerts.

We also use Microsoft Sentinel, Defender for Cloud, Defender for Identity, and Microsoft Defender for Cloud Apps. They are all integrated and it was very easy to integrate them. In my experience the with the integrations, it was just a click of a button and things were integrated. It's just a button.

They work natively together to deliver coordinated detection and response across the environment. We get more details when we integrate more tools, so it's relevant to have integration enabled. When it comes to monitoring an environment, this is very important, because you get different perspectives and points of view on the same alert.

I have a positive impression of the visibility into threats that the solution provides. It brings a lot of information and details related to the alerts or any security threat.

There are other SIEM solutions that are easier to use, mainly based on the creation of rules, use cases, and groups.

There could also be an improvement on the customization part. Sometimes we need to customize a few configurations but we can't.

I have been using Microsoft 365 Defender for a year and a half.

We have never had any problem with downtime.

The scalability is good.

Sometimes, they still take too much time to reply. But when they do reply, it's positive support.

Neutral

I was not involved in the initial setup, but there is no maintenance involved now.

My advice would be to have someone from Microsoft involved in the deployment part to help. There are a lot of details that they have information about, and it's impossible to know everything.

We make use of Microsoft Defender for Office 365 for endpoint security and email and we use Defender umbrella for impersonation and sales. Under Defender umbrella, we use a lot of products depending on the customer requirements. As a company, we use Defender for email as well as for endpoint security.

We are able to consolidate licences and make use of many Microsoft products using this solution. If we have any Microsoft customers, we encourage them to use this solution for enterprise defence. 

This solution could be improved if it included features such as those offered by Malwarebytes. 

We have used this solution for many years and we are a Microsoft partner. We use this solution on a daily basis.

This is a stable solution. 

This is a scalable solution.

We have not yet needed to contact Microsoft for support with Defender. 

We have previously used a number of different solutions including Trend Micro, Symantec, Sophos Intercept X and Malwarebytes. Overall, we are more comfortable using Defender.

The initial setup was straightforward. 

I would rate this solution a nine out of ten. 

We have many clients that have large companies in the south region of Mexico. They use the solution for security.

 Microsoft 365 Defender is a good solution and easy to use.

I have been using Microsoft 365 Defender for approximately 15 years.

Microsoft 365 Defender is a stable solution.

The scalability of Microsoft 365 Defender has been good.

The support from Microsoft could improve. There are times I have to wait for a response from a qualified specialist.

If the solution is deployed using a good specialist with the correct configuration it works very well for normal users.

The amount of people needed for the deployment depends on the number of licenses the customer has. if it is a large company as we have with approximately 8,000 to 12,000 people, we need more people to do customer service in this case. However, for small to medium companies, we have two people that do the implementation.

We have a lot of problems in Latin America regarding the price of Microsoft 365 Defender, because the relationship between dollars and the money of the different countries, it's is a lot. Many customers that have small businesses say that they would like the solution but it is too expensive. However, large companies do not find the cost an issue.

I rate Microsoft 365 Defender an eight out of ten.

We use Microsoft Defender XDR to secure data. 

Microsoft Defender XDR has reduced our security staff. 

The product integrates security into one tool instead of having third-party security tools. 

The solution does not offer a unified response and standard data. 

I have been using the product for three years. 

Microsoft Defender XDR is stable. 

The solution is scalable. 

It takes weeks for the support to respond. They are not helpful. 

Negative

Microsoft Defender XDR's deployment was very easy. 

We have seen ROI with the tool's use. 

Microsoft Defender XDR's licensing is complicated. 

Microsoft Defender XDR has helped us reduce two full-time employees. 

The solution is our identity source, which protects our identities through Microsoft Intra ID.

The solution helped us save time by not flipping between the systems.  

I rate it an eight out of ten. 

We use Microsoft Defender XDR for malware detection and browser protection. We have around 500 devices to protect. We use it to get reports for each of these devices. 

We are connected to Microsoft and have every laptop enrolled. This acts as an endpoint. The tool helps me check security and compliance. I can also check what a device is doing. 

We should be able to use the product on devices like Apple, Linux, etc. 

I have been working with the product for three to four years. 

The tool's scalability is good. 

I research in forums or contact support whenever I encounter issues. We have four types of support plans available. I rate the cheapest plan a two or three out of ten since responses are slow. I rate ten out of ten for an expensive support plan. 

Neutral

We have a vendor who gives us a better price. The product is expensive. Selecting the entire Microsoft suite is cheaper than using random services or products. 

Bitdefender costs around five dollars per month per device. However, Microsoft Defender XDR costs 2500 dollars per month. 

We are evaluating Bitdefender for Windows. 

Microsoft Defender XDR helps us save time for clients. 

Microsoft Defender XDR provides unified identity and access management. It is installed on every computer and checked from the Microsoft security admin center. 

The tool is easy to use. You can use one account to log in to any Microsoft service. 

We are aware of our compliance. We can now check the devices and get reports about it. 

The product can adapt to evolving threats. We use it to manage only one tenant. We have Mac devices where Microsoft Defender XDR cannot help us. 

We have the tool deployed across different locations like Germany and Denmark. 

I rate the product an eight out of ten. You need to follow its guidelines.