Microsoft Defender XDR Reviews

We mainly use this solution for security reasons. We use it for the complete stack of email security so we don't have to use a third-party tool, and we use the extended security features that are included in M365, like sandboxing.

The solution is deployed on the Azure cloud. We're a cloud-only company, so we only deploy cloud workloads, but we also have customers with legacy systems. If we're not able to migrate them to Azure, Defender for the server can be deployed on-premise.

The solution is deployed across Germany in four regions: Munich, Cologne, Bremen, and Hamburg. However, most people work from home.

There are about 50 endpoint users, but we have customers with thousands of users. We focus on customers with a thousand seats or more.

We use the entire M365 E5 license for everything that's going on in the M365 world. We try to accomplish everything we need with Microsoft products.

It was very easy to integrate the solutions. We integrated them so we could have an overall good view of our assets. The installation was fully automated via Intune.

Overall, the solution has decreased our time to detect and respond. If there is any issue, it's not complicated to get the information we need and respond quickly. We offer managed services to some customers, and we have a very clear view of what's going on in their security environments.

One of our main focuses is IT security. This solution has a huge impact on how we use tools and what we do in IT.

One of the biggest points is that Defender is included in the license. It's integrated fully into the M365 world. There's no need to have a third party, which is more complex and includes additional costs. Especially because we're partners, it's very good to have 100 free licenses. We're able to distribute all the information to our customers and integrate it into our projects in a very streamlined way.

We saw all of these benefits instantly. It's different with customers because they are often heterogeneous in the software they use. There's a little bit of explaining and promoting, but it's a huge benefit for most of our customers when they understand that they can have a centralized view of all these security topics. If we are able to deploy the solution to new customers, the benefits are realized in about six months because we have to train them and implement all of the security.

The solution helps with finding high alerts. I wouldn't say it helps with automation because we are piping the problem into the Jira automation, so our managed service kicks in. I would say that it's half-automated.

It helps save time when it comes to the operation and receiving information because we don't have to skip around with different products and customer situations.

This solution enabled our security operations. The legacy approach, in which the tools are in place and someone occasionally checks them, is not secure as it's meant to be today. 

It eliminates the need to look at multiple dashboards and gives us one XDR dashboard. The consolidated dashboard helps our customers get a faster view, which wasn't possible with the former solution.

The solution's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. Our security team is able to work well with it, and a lot of information is getting to our internal users. We distribute everything we learn to our customers.

Sentinel enables us to ingest data from our entire ecosystem because we're cloud-only, so there is no other architecture to monitor.

I would say the logging and analyzers are about 80% of our security operations. The ability to have a clear view of the security information is a big win. For legacy implementations, it's normal to have the security installed but not be able to monitor, detect anything, or get the information to the right people.

For the most part, Sentinel enables us to investigate threats and respond holistically from one place. Today, there are different views, different websites, and different portals to use in order to drill down and get to the real problem. It's a good starting point.

I like the easy integration and advanced possibilities. We can implement it at customer sites in a few clicks, but we can also dive deep and drill down to extended features. There's a very good starting point to get into this product and all the features from Defender. We use Plan 1 for email security because it's a common vector for phishing and attacks. The Plan 2 version goes more into advanced features and logging, which we also use for our internal security operations center.

The solutions work natively together to deliver coordinated detection and response across our environment by about 80%. There should be something to get a consolidated view, which doesn't exist at the moment. We have a known tool in place to consolidate all the information into one view for us. That would be a perfect function to have in the future.

I have more than 15 years of experience in IT security, so I have a very good understanding of the tools we need for a use case. I think the documentation helps us and all of our customers comprehend the product. For cloud products, it's normal that something new today is almost outdated tomorrow. Company-wide, we have a very good view of all these products, and we're very firm in deploying them.

I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses.

I would also like a more aesthetically pleasing dashboard. For German customers, it's important that the solution is in German. Multi-language support should be in all the features if possible. In many projects, we want to use digital signatures on emails. It would be perfect to have better integration of digital signing in a standard way.

In the last few months, the dashboard changed very often. When they restructure it, it's a little bit painful. Otherwise, the technology is very helpful.

The visibility into threats could be better. For the last six months, getting information from the access points has been difficult. However, the newest version fits very well. It's easy if you've found the right spot to view what's happening.

For legacy organizations or legacy customers, I would say it's possible to save time, but time-saving isn't always the best with security because it needs to be deployed and managed.

It can be installed quickly, but it takes time to check out false positives, have everything in place, and train each end user.

We have been using this solution for five years since our company started. The solution had a different name, but we have been using it since it's been available. We use company-wide E5 licenses.

The solution is stable.

We haven't had any scalability problems.

I haven't had a lot of contact with technical support.

For my personal project, I used many other legacy projects, but not at my company. We aren't selling anything other than the new Microsoft solution at the moment.

The solution doesn't require any maintenance.

We have seen ROI in project situations because we removed legacy email gateways and legacy antivirus on-premise solutions.

I would like to have more security features in the lower licenses because not every customer is able to buy E5 licenses. The bundling isn't always easy for our customers to understand. Compared to other tools, it's a good price.

I would rate this solution as eight out of ten. 

My advice to those who are looking to implement this solution is to get help from the right company so you can use the solution properly.

Defender helps us prioritize threats, but I would say it's a combination of all the information that we're getting from the internet and from other resources.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say that it depends on the customer. If someone has their own VSOCK implemented and many security guys on board, then maybe best-of-breed is what they need. 

If someone is a classic customer who doesn't know a lot about security, then they should stick to a one-vendor strategy.

It addresses various use cases, including monitoring and securing file storage like OneDrive and SharePoint. It has recently incorporated Teams integration to safeguard against malware. Additionally, it serves as a replacement for on-premises Advanced Threat Protection, offering enhanced capabilities. It has proven valuable in highlighting critical scenarios related to credential use and legacy Active Directory, providing substantial assistance in these areas.

When transitioning to Microsoft Defender for Endpoint from our previous use of ATP, we observed significant improvements. Legacy ATP involved numerous signals and a substantial learning curve, but Microsoft Defender for Endpoint establishes a more effective baseline. In comparison to Cylance, which generated a considerable amount of background noise, Microsoft Defender for Endpoint enables us to concentrate on the more critical alerts that demand our attention. Our team is actively phasing out disparate security tools in favor of a streamlined approach. The efficiency gained from having a single pane of glass is a powerful asset for our team.

One of the most valuable aspects is the comprehensive insights it provides into on-premises identities, particularly within Legacy Active Directory. This allows for the examination of use cases related to identities, ensuring there is no misuse of accounts or computers. A crucial aspect for our team is the inclusion of identity and access management tools from the vendor. Despite being a sizable global company, our team is relatively small, considering our global reach. Therefore, minimizing overhead is a top priority for us, and integrating these tools from the vendor becomes crucial in achieving that goal.

My suggestion would be for Microsoft to continue aligning all components within this ecosystem. This consolidation is beneficial as we strive for a more unified and comprehensive view, essentially a single pane of glass, which is highly valued. In the future, I hope for increased third-party integration. While Microsoft plays a role, it's equally important for third-party providers to step up. In our organization, the information security team has endorsed a specific set of products. Integrating the telemetry from these approved products into our systems would be immensely beneficial, providing a more comprehensive view and enhancing our overall security posture. Extending security coverage is of paramount importance. Integrating telemetry could bridge these gaps, fostering greater cooperation among individual teams within the organization. Having teams collectively examine the same information might contribute to advancing collaboration and overall security efforts. The capability to not only thwart attacks but also to adapt to evolving threats is crucial.

I have been using it for the last three years.

It is exceptionally stable, without encountering any notable issues or complaints. Microsoft seems proactive in communication through the message center, keeping users informed about any ongoing issues, and we appreciate the clarity provided through multiple channels.

It has the capability to scale seamlessly, especially with Microsoft's expertise in the cloud. We have over six thousand end users globally distributed across various facilities, with some on-premises deployments due to specific requirements. However, our overarching strategy is cloud-first, and the majority of our infrastructure operates in Azure. In terms of endpoints, the number is substantial, likely exceeding seven thousand when considering both servers and clients.

We haven't had the need to contact them so far. In general, our experience with Microsoft support has been variable—it can be both beneficial and challenging. While they offer a wealth of resources, there are instances where the response may not align with our expectations. I would rate it eight out of ten.

Positive

I made the switch from Bitdefender to Defender primarily due to cost considerations. In my professional assessment, Bitdefender appears adequate from a client perspective, but when it comes to enterprise deployment, I don't view it as fully enterprise-ready. We encountered numerous challenges, particularly with installing Bitdefender's agent on Server 2022, which proved to be a significant hurdle for my team, consuming valuable time and resources. The advantage of Defender lies in its ability to seamlessly bring together threat telemetry from servers across various cloud providers, including Azure, and extend this protection to our Windows endpoints, offering a robust and integrated security solution.

The initial setup was straightforward.

Our implementation strategy was relatively gradual and soft. We enabled the features, allowed it to ingest the data, and then began assessing the generated alerts. Taking a somewhat silent approach, we deferred more to the expertise of our information security team, considering their role as the cornerstone in this aspect. As we moved forward, we aimed to identify areas for improvement and address the specific queries and needs that our team raised during the process. Our ongoing maintenance primarily involves fine-tuning our alerts to align with our specific use cases.

In terms of return on investment, the potential for cost reduction is a key consideration and Defender does provide it. The time saved is substantial, especially if we can navigate through our internal processes efficiently. Specifically for my infrastructure team, using Defender for Endpoint has significantly reduced the time spent delving into emerging issues. As a rough estimate, I would say it saves us approximately six hours a week that would otherwise be spent navigating through the complexities of individual components within Microsoft 365.

I find the pricing to be quite competitive, especially considering its inclusion in our E5 subscription, which provides a comprehensive set of functionalities. Initially, when I evaluated the pricing for add-ons with our E3 subscription, it seemed reasonable. However, we opted for the E5 subscription, absorbing the additional features seamlessly.

I'd recommend exploring Microsoft's Learn documentation, a resource that is sometimes overlooked but provides valuable insights into the capabilities of Defender. It's a good starting point to understand its features. For large enterprises with tools like Visual Studio subscriptions (formerly MSDN), Microsoft offers the option to set up an E5 tenant for testing. This can be deployed freely for up to twenty-five licenses, excluding the Windows license. I suggest diving into hands-on experimentation in a lab environment, combining practical experience with informational reading for a comprehensive understanding. Overall, I would rate it nine out of ten.

We use the entire 365 security package. Defender XDR is primarily used for real-time malware scanning. Our company has about 1,500 endpoints. 

Before Defender, we used a different tool but were unhappy with its performance and frustrated with the deployment. Defender offers real-time scanning and alert notifications.

By adopting the Microsoft stack, we have eliminated other security solutions. Defender XDR reduces manual work. Our organization manages more than 1,500 systems, and manual intervention on all these systems would be a huge workload. Cloud solutions are easier to manage and monitor. 

We are a massive Microsoft shop. We see significant savings by getting all of our security from one vendor. There is a considerable drop compared to buying from other vendors. 

Defender XDR enables you to scan a system remotely and get a complete inventory of its assets. You can gather more information from the asset inventory and apply threat intelligence using Office 365 or something. It's a user-friendly, cost-effective, and feature-rich solution. The XDR features offer considerable value because you get more insights from your user systems.

Microsoft Defender XDR stops the movement of advanced attacks by working with the complete 365 package. For example, you can create rules for email filtering to block phishing emails. I can create rules for email filtering. If there are any suspicious links in an email or its attachments, we can quarantine that email. It notifies the admin or the user.  The user can ask the admin to remove the email from the quarantine. We can investigate the email before it reaches the endpoint. Defender also has web content filtering and all the other EDR file features.

Defender's ability to adapt to evolving threats is critical today. The number of attacks today is multiplying, and Defender's adaptability and awareness are amazing.

The initial time spent setting up and configuring Defender XDR is a bit longer than the other solutions. If everything were on one portal, the platforms for managing policies or alerts would be simpler. We must automate and manage policies on Intune rather than the same portal.

I have used Microsoft Defender XDR for nearly 14 months.

I am very satisfied with Defender's stability. It's a reliable solution that improves our confidence in our security.

I rate Microsoft support seven out of 10. I would like Microsoft's support to be a little more robust and technical.

Neutral

Deploying Defender XDR is pretty straightforward. We deployed it in phases with deadlines. It took a couple of months. We met all our deadlines, and it wasn't a very complex solution to implement. 

We prepared and configured the tenant. Next, we created XDR policies and groups and orchestrated our requirements. We tried pushing the policies to see if the endpoints received them and sent the required information back to the admin portal. There was a testing period before we went live. Deployment only required two people. 

Defender doesn't require much maintenance after deployment because it's a cloud-based solution. We only need to tweak and update the policies, then push them out. 

Defender XDR is reasonably priced based on the licenses we need and the solution's capabilities. At the same time, Defender is a little pricier than some of the other solutions. 

We also considered CrowdStrike and Trend Micro. Trend Micro came the closest to meeting our expectations. Ultimately, we decided to use Defender XDR because we already used most of the Microsoft products, so it was a little more cost-effective. 

I rate Microsoft Defender XDR nine out of 10. Before deploying Defender XDR, potential users should be informed about the pricing, support, and the labor required to manage, maintain, and deploy the solutions. 

We mainly use it to defend endpoints.

We have seen fewer threats with the solution. The attacks that we experienced in prior years have reduced drastically since we implemented Defender.

We also use Microsoft Defender for Identity. Their integration is very good. If you are a Microsoft 365 SaaS solution user, it is perfect. It works very well with all the services provided by Microsoft. These services work natively together to deliver coordinated detection and response across our environment. We are pretty much a Microsoft shop, so the integration of these different services is very important for us to secure our offices.

Microsoft 365 Defender's threat protection is very comprehensive. The service that is available now is much more comprehensive than what was available a few years back. The only area that I see lacking is the dashboard. I can create my own dashboard, but the preset security dashboards should be much more functional.

Its threat intelligence helps prepare us for potential threats and take proactive steps before the threats hit. The vulnerability scanning feature is great, and the Secure Score feature that scans the endpoints for vulnerabilities and keeps them up to date reduces a lot of the attacks that can possibly happen.

Microsoft 365 Defender has saved us time. It has saved at least 30% to 40% of our time.

Microsoft 365 Defender has saved us costs. Previously, we had to pay for third-party protection services separately, but because it is now integrated with our E5 licenses, it saves us a lot of money.

Microsoft 365 Defender has decreased our time to detect and respond. We now have visibility and this led to about a 20% to 30% reduction. 

The EDR and the way it automatically responds to ransomware and other attacks are valuable features.

The visibility into threats is not as good as other products in the market such as CrowdStrike, but if you know where to look, you can gain access to what is going on. The way the dashboard is designed is not as great as other products.

It helps to prioritize threats across the enterprise, but a lot of administrative overload is involved in determining which threats to prioritize. As compared to other products, it is a bit lacking.

Similarly, it helps to automate routine tasks and finds high-value alerts, but a little bit more automation would be appreciated.

Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented. That is because a lot of organizations that I have worked with over the past years do not have full-on SOC or threat detection services. They should put in more automated response capabilities and dashboards for smaller organizations.

I have been using this solution for almost three years.

It is a very stable product. Our attack metrics have come down drastically since we integrated with Defender. In my opinion, it is a very stable product.

It is very scalable. I do not know about third-party clouds or third-party solutions, but when you are a Microsoft shop or have Azure or a hybrid setup, it is very scalable.

We have multiple departments and multiple locations. We have client-facing computers, and we have in-house and on-prem computers. We also have Azure VMs. 

Their support can be better. Their response time is good, but their knowledge and documentation are a bit lacking. Technology is moving faster than the documentation and the knowledge that is being provided to the support team. Their support team pretty much looks at the same documentation that we are looking at, but the technology is moving a lot faster than they can catch up. I would rate their support a seven out of ten.

Neutral

We used CrowdStrike and Trend Micro. We switched to Microsoft 365 Defender because we wanted to integrate services.

The solution is deployed on the cloud, but the endpoints are connected on-prem. In our organization, we have quite a few endpoints, so it took about three or four weeks.

The setup will be straightforward for big organizations if they have a complete IT department, but for a small organization, implementing the same service becomes trickier because they do not have full-fledged IT departments. That is where the problem lies. 

More automation would be better. However, automation is present with Autopilot and other services where you can integrate everything.

In terms of maintenance, you have to fine-tune the services on a regular basis and tweak the deployment as per your requirements.

We have about eight admins who worked on the implementation of the solution.

We have probably seen 30% to 40% ROI.

It is fairly priced because we get complete integrated services with the E5 license.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single-vendor strategy worked for us because it brought down our investment in terms of licensing and cost. The deployment across the organization has been a lot easier than integrating third-party solutions in different areas of the organization. For example, Defender integrates very well with both the endpoints and the cloud. Whereas with a third-party solution, we have to get different applications that need to connect back to the service to get the solutions that we require. Native integration is very useful for us when it comes to Microsoft. That is what I would recommend.

If you are a Microsoft shop, I would highly recommend it, but you have to do a PoC.

I would rate Microsoft 365 Defender a nine out of ten.

Almost every use case is about security layers for messaging in Teams and for email. It especially used for phishing filters, spam filters, and composite authentication, as well as Zero-day advanced protection, and for protection within already received emails. Clients are also looking for link protection in Teams and in SharePoint.

The solution has improved the remediation steps we take for each threat. That has been the biggest impact on our organization because we need fewer human resources to deal with a bigger attack surface.

And for routine tasks and alerts on issues of high importance, the automation that the system provides has helped greatly. You can set up customized alerts and categorize trends to see a quick overview. As a result, our security officers can focus on the really important tasks, without noisy alerts. Previously, there was a procedure with a rule that was sending all emails that resulted from the SPF and DMARC controls failing to the phishing mailbox. Our security officers had to review every email and accept or decline. Now, using the automation tools within the Microsoft 365 Defender, they don't need to do that. They can check that the tool is working fine from time to time, but they don't need to do that task on a daily basis. It gives them a lot of time to do more important and creative stuff.

In addition, especially when it comes to Zero-day attacks, the solution's threat intelligence helps prepare you for potential threats before they hit. It identifies, for example, attachments containing something malicious and remediates by blocking additional delivery to other users. For example, an email may only be delivered to three users instead of 100 users. Even if somebody didn't open the email, the Zero-day attack protection has removed the email from their mailbox. This is a great remediation step for protecting that attack surface. Then I can observe how the tool is dealing with the attack instead of trying to figure out how to approach it, what to do, who I should contact, et cetera.

It also saves me time every day. It was taking me really long to review the message headers to identify what happened. It could take an hour or even more if it was a really complicated case. I needed to check the headers, the content, the links, the attachment. Using Microsoft 365 Defender, I can see in Explorer at a glance, or by clicking through one or two tabs, what is happening. It gives me a lot more time to do more interesting work and to close other cases. Instead of an hour, it takes five or 10 minutes now.

It's a lifesaver for me and keeps my clients from being threatened and attacked every day. It's not about the money, it's about the information. Attackers can use information to make money.

I can check the overviews and see trends where somebody wants to use some kind of open gate to gather my information. But the solution does the work on my behalf, so I don't need to observe the environment, traffic, and user behavior. And we don't have to invest a lot of money on repetitive training for users. Training is also good, but I don't need to invest so much money and effort in that process, and that results in savings.

For me, the email protection features are the most useful because I focus on that area.

I also really like the integration with the entire Microsoft 365 service because it's not really common to have a tool that is integrated well with Teams, SharePoint, and Exchange. 

Another feature I like is that inside Explorer I can perform an investigation to check, for example, if any accounts have been breached or accessed by a malicious actor. I can also check the source of emails from which we are receiving something that was not expected by us, such as 

• XML attachments 
• meeting invitations with the malicious links
• JavaScript. 

And I really like that the tool checks attachments within the hash so that we can investigate who received the malicious file and where.

There is also one dashboard that shows us the status of many controls at once and the details I can get. Sometimes I'm on a call with somebody from the security team who is asking why we received something or how we can better protect our environment. I can even show them the analysis of a particular Excel file and a macro inside that file. That is something I really like. It gives me a lot of information and I can respond very quickly to a particular case.

It gives a great overview of many areas, such as files, emails, chats, and links. Even with the apps, it gives you a great overview. In one place you can see where you should look into things more deeply and get knowledge of the details, instead of browsing the details and looking for something that might be of interest.

And, of course, it helps prioritize threats across the enterprise. The solution identifies threats and categorizes them. I can assess which category is more important for me and react accordingly. This categorization is really important because it gives something like an SLA for each case. You always have limited resources to deal with cases. For example, in one of the companies which I support, over half of the email traffic is filtered by Microsoft 365 Defender's tools as malicious traffic, amounting to about 5,000 emails a day. I can use the tool to see an overall view of the threats, instead of just going through each one, one by one. It gives a great overview and the ability to see trends for a day or a month and I can adjust my focus according to the trends.

With Defender on end-user devices, we have the ability to monitor them without the need to have them connected to the same network. People are working from home and sometimes they are working on their own devices. We can use conditional access policies to ask them to provide the minimum security standards. That gives us a lot of peace of mind when using Microsoft Defender. We can create rules that look for users who are uploading malicious content to Teams, SharePoint, Android, et cetera.

There should be better information for experts on features in the solution. What I see when reading about features in Microsoft 365 Defender is that it is always general information.

If Microsoft could go deeper into details for the experts about how to use the tools, usage of it would be more familiar and it would be easier to use. Right now, I need to spend a lot of time using Defender to check the possibilities and how to connect them together to see things better. If I could read a more detailed article about it and see some use cases and how some threats are remediated, that would be great. Maybe I'm not looking deep enough or maybe there is some room for them to improve in this area.

And I would really like to see new features.

I'm a Microsoft 365 consultant and have been using Microsoft 365 Defender for about three or four years.

It is really stable.

Sometimes, when there is a problem with the Microsoft infrastructure, for example, in India, then it can be hard because it's not just that somebody may have a problem. It's not about only one business unit but all of Europe. But it's not that problematic for us because usually this kind of situation is very limited and the fix is delivered really quickly.

It is a scalable solution. I haven't had any problems with the scalability of Defender.

We have the solution deployed in 38 countries. People are connected to their local networks and they use the updates from Intune and SCCM.

I haven't had any situation in which I had to ask for support for Defender. 

But for Microsoft 365, overall, when we contact the exact, dedicated team, it's really good. But before that, when a ticket goes through the first and second lines of support, sometimes it's too repetitive. The first line asks the same things as the second line. I know that it's required because Microsoft is a huge company and it has a lot of customers, so some kind of triage is needed. But when an issue is well-known and there is already a solution or a workaround, the sharing of this knowledge should be better.

Neutral

I used regular filters on the email server, running on Linux, with some type of anti-exploit solution that checked for threats inside the files. I filtered the DMARC and SPF with regular controls. That was a nightmare and I'm really happy to now use Microsoft 365 Defender.

I don't deal much with the pricing aspect, but the companies I am supporting use an E5 license for Microsoft 365 because they want to include all the features and it's cheaper for them to use E5 than SE3.

Maybe the solution should be cheaper because I have heard that the licensing is pretty expensive. I can imagine why: The knowledge is expensive and the tests and infrastructure are expensive as well.

From time to time there is maintenance in reviewing the rules so that we can focus on how to use it better. But that's not "maintenance" in the standard meaning that you need to check if the processes are working properly. For example, our security department uses phishing attack simulations to check if users are aware of how the tool behaves when we receive a phishing attack and what actions are taken to remediate that attack.

When trying to decide between a best-of-breed strategy versus a single vendor for security, it depends on the approach, resources, and of course, money. You can have a single vendor and extensively use the solution and really invest time and effort into better understanding how it works. Or you can buy a few solutions but understand each of them less, because it's not possible to have deep knowledge of how every solution works. For me, it's better to use only Microsoft 365 Defender instead of having additional security providers. I can then go deeper into the details and ask the vendor to implement a feature that is useful, and that probably will not only be useful for me. We can build it together instead of blaming each about who should do better work.

My advice is to go deeper into the details to understand how remediation is utilized inside the solution. Notice that Microsoft 365 Defender is using data collected from every tenant that is using the solution, not only mine. If a company's controls have been attacked, the tool can already protect me because I'm not on the first line of fire. It's great to understand this fact and understand the idea behind it and what the benefits are.

It has helped us identify a lot of loopholes within our environment and mitigate risk. It has improved user experience as well.

The visibility into threats provided by the solution is amazing. If you have Sentinel, you can integrate it with Microsoft 365 Defender. You can then access all of the logs at once with a code. You would be able to quickly analyze and react to any threat.

We are able to prioritize threats with this solution. Depending on the type of license you have, you will be able to access different capabilities. We place very high importance on prioritizing threats because the easiest way to get attacked is through the user or the endpoint. You must have multiple layers of security.

We use several Microsoft security products such as Sentinel, Defender for Office 365, and Microsoft Defender for Cloud Apps (Cloud App Security). Microsoft has the highest form of integration, so these solutions integrate in a straightforward manner. Once Microsoft Defender for Cloud Apps is unlocked, you can connect to third-party applications as well.

These solutions work natively together to deliver coordinated detection and response. The threat protection that these Microsoft security products provide is comprehensive and very effective.

We use Microsoft Defender for Cloud and make use of its bi-directional sync capabilities. It gives us access to reports and makes reporting much easier as well.

Microsoft Sentinel enables us to ingest data from our entire system. Data ingestion is very important to our security operations because it makes it easy for us to know if there are any vulnerabilities or threats. It flags it, and we can analyze it and also create a query, which brings to light threats. We can then mitigate the threat or attack breach on the device.

Sentinel enables us to investigate threats and respond holistically from one place. It makes life easier for us and helps us not to be caught unaware. There are many forms of alerts that notify you immediately of any threats. You can set up automations, which might even fix the issue or mitigate the issue immediately without the need for intervention. That is, you can create a rule to automatically fix a particular problem.

Sentinel captures a lot of logs, and you'll be able to create action plans through the application to directly handle particular threats. The integration has been done already, so automatically it will send a signal to the environment or to the solution you have integrated with to carry out a particular action.

The cost of Sentinel is on the higher side compared to that of other standalone solutions.

We can automate routine tasks and write scripts to carry out difficult tasks, which makes things easier for us.

This solution has helped us to save 60% to 70% of our time.

Microsoft 365 Defender provides one XDR dashboard, so we don't have to look at multiple dashboards. In the Import Center, all you need to do is to select the solutions that you want, and it will give you multiple options on different categories and different data. It's amazing and straightforward, and you won't need to open other tabs.

We have been able to prepare for potential threats before they hit and take corrective steps. We can immediately identify users or systems that have viruses or malware. We can also find scripts that have errors underneath them. We can discover each element from the history and delete it. It covers a lot of aspects, and the integration with Sentinel helps as well.

Because there's someone actually monitoring everything, when there is a threat or any form of abnormality, all they would need to do is to create a rule or a query to create a particular section and add the action that needs to be carried out. It's easy to get to reports as well. Overall, the solution has decreased our time to detection and our time to respond by 60% to 70%.

Microsoft tends to provide too many features, which makes the solution prone to bugs.

Also, 365 Defender needs to be more flexible during deployment. When it comes to causal admittance, at times it seems slow.

We have been using this solution for about three years.

The stability is okay. Microsoft has evolved a lot, so they tend to make sure that the solution is up to date and up to par with best practices in the environment. They add new features as well.

It's very scalable.

The level of support you get depends on the knowledge of the engineer who has picked up your ticket. I'd rate technical support at seven out of ten.

Neutral

The initial deployment is straightforward as long as you meet the prerequisites. 
It doesn't really take a lot of time to deploy. All you need to do is to set up the policy, then assign the license to the users. Microsoft handles the maintenance of the solution.

Defender Plan 1 is tenant-wise, and Defender Plan 2 is per-user, which makes it more expensive. To have certain features, you would need to purchase the E5 license. For all of the capabilities that the tool provides, the price, though it can be high, is fair. 

I don't think having a single vendor's security suite is the best because once the threat actors are in through the surface, it's easy for them to penetrate. This is because they'll know all the cracks in that particular product. However, if you have another vendor protecting you as well with a different signature database that is separate, then the attackers have multiple walls that need to be cracked.

An average-sized organization can go for the Business Premium plan. Larger organizations can go with E5, which comes with the full functionalities of Microsoft 365 Defender. Overall, I'd give this solution a seven out of ten.

I am the head of IT of the police force in the Madrid municipality. I have deployed the product to all 6,000 policemen and police women here and we are trying to protect all our devices with it.

It has helped eliminate having to look at multiple dashboards. This is a part of the benefit of the integration. It's quite helpful to receive information and data that is correlated with other information, in the form of a graph or chart. It's a good added value. We are provided with consolidated information, which is very valuable for making decisions and moving forward in improving our devices and our security.

It's very well known by all our technicians and it has helped to decrease the time to detection and response.

And while I can't demonstrate it with metrics, my intuition is that we have saved money. Because we are a very large organization, we have very large needs in IT systems. Perhaps the best thing we did, years before, was to have everything, all applications and the operating system, come from Microsoft. Perhaps that means potential money savings.

The most valuable feature of all is the full integration with the rest of the software in the operating system and Office 365, as well as Microsoft SCCM. It is quite easy for us to work with the whole instance of Microsoft products. This integration improves the benefits of the whole suite of products. Even the desktop devices seem more productive by having all these products integrated. That's the best advantage.

I'd like to see a wider solution that includes not only desktop devices but also other devices, such as servers, storage cabinets, switching equipment, et cetera. That is where they should put in more effort. I don't have a global risk solution coming from Microsoft, one that could help me in all these different IT areas.

I have been using Microsoft 365 Defender for about two years.

I would rate its stability at seven or eight out of 10. It's quite good. Up until today, we haven't had any big problems with the solution. I'm quite comfortable with it.

The solution is deployed to more than 25,000 in the municipality, but my responsibility is only over 6,000 people in the police corps.

Microsoft provides quite good support across their different areas of activity. The people attending to your requests are quite professional. They take care of your requests and respond to your needs. They try to help you. The documentation is not the best in the world, but it's quite sufficient for our needs.

Positive

Years ago we had solutions from other companies, such as Trend Micro for the desktop devices, and Trend Micro and Sophos for servers.

We used to work in different ways. Some people were in the office with desktop devices, but most of our people work outside with mobile devices. The latter group is at much more risk and we wanted to protect all these devices from potential damage and risks.

The switch was a company decision made by higher management within the municipality. We started to work with Microsoft Office 365 years ago, and then a decision came down imposing the use of Microsoft 365. I feel comfortable with the decision, but I know inside our organization that we've had plenty of problems deploying all facilities given by M365.

I'm not aware of having more or fewer problems with this product than the ones we had before, when it comes to deployment or interfaces. It's quite standard and the deployment was quite easy, but it was equally easy to deploy all the products years ago.

It has been easy to integrate with the rest of our devices and software. In addition, there was no impact on the user experience. The solution is transparent. The users may not even know of the existence of this product. There was no problem deploying and starting to use Microsoft 365 Defender. We have some other products, beyond the desktop level, that work in a coordinated way Defender.

The deployment took a few months, but we needed at least a year to stabilize our organization. The first days were awful because people couldn't understand the change in mentality required to work with this paradigm of software. During the first year, we had to cope with plenty of incidents and problems. Having passed the one-year mark since we deployed, we have started to see some of the benefits.

I generally use an "onion" deployment methodology. I start deploying new solutions in desktops that are quite close to my area of activity in the IT department. We implement, let's say, 50 to 100 desktops per day and we wait for a week to see if everything is okay and whether there are incidents. Once we are assured everything is fine, we implement by regional police units in different locations.

We had 10 to 12 operations technicians involved in the deployment.

Every software solution requires maintenance. In this case, there isn't a lot of maintenance. We have to keep an eye on the status of the solution every day. That process involves two or three people.

As most software companies have done during the last few years, they have moved from a licensing model to pay-per-use. It was difficult to understand and accept this change. When we had to accept that model, it had a great risk for companies like ours that always have to cope with annual budgets. The question is: What happens if, for any reason, there's not enough budget to accept this model? That could be a great problem.

There was a possibility of continuing with the solutions we had been working with.

But we cannot compare them because the other solutions were built eight years ago. Technology has changed so much.

Fortunately, we haven't had the chance to see if the solution's threat intelligence helps prepare us for potential threats before they hit. But I'm quite sure that it's working together with other tools to help us to stop potential breaches and risks.

Give this product a chance. Is it the best in the market? I don't know. Is it the worst? I don't know. But what is quite good is the integration with the rest of Microsoft's software products. That's the added value.

Try it, prove it, and see how it integrates. It depends on the situation. If a colleague is using Linux in their data center and desktops, of course, I wouldn't recommend this solution. But here in Spain, most companies have Microsoft products.

The primary use case involves using Microsoft Defender XDR as a comprehensive security solution. This includes securing endpoints, user devices, SQL databases, containers, and third-party cloud solutions such as AWS and Google Cloud.

Microsoft Defender XDR is a complete package of different Defender solutions, including Defender for Endpoint, Defender for Office 365, Defender for Cloud, and Sentinel SIEM, among others. With Microsoft threat intelligence information, it detects various types of threats, including insider attacks, malicious content, and data exfiltration.

There is no comprehensive visibility, making it less user-friendly. The visibility of different types of threats should be improved. This aspect is not as developed compared to third-party vendors. Improvements are needed in automated response capabilities.

I have been working with Defender XDR for around two years now.

I would rate the stability of the solution as seven out of ten due to compatibility issues across different devices.

The scalability would also be rated as seven out of ten. It is suitable for enterprise-level deployment but has room for improvement.

For technical support, I would definitely give a rating of nine out of ten.

Positive

The setup process is simple; enabling features just requires the right licenses and is essentially an on-off switch on the portal.

I would rate the pricing as eight out of ten, indicating it is a reasonable cost for the product.

Overall, I would give Defender XDR an eight out of ten. While it is a good enterprise solution, there is room for improvement in different areas.