Principal Consultant - Cyber Security & Cloud Infra. at a tech services company with 51-200 employees
Provides good email and endpoint security, but needs mature dashboard and better support for third-party solutions
Pros and Cons
- "It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints."
- "The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category."
What is our primary use case?
In our organization, we are mainly using it for email security and SharePoint security.
How has it helped my organization?
It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints.
It helps us to prioritize threats across our enterprise, which is very important. It has sorted many things.
We use Defender for Endpoint, and we also use Sentinel. In my organization, they are all integrated. Sentinel pulls the data from M365 Defender via connectors. The integration is very easy. There are no problems. These solutions work natively together to deliver coordinated detection and response across our environment, which is good. We rely a lot on Microsoft products. Together Defender for Endpoint and Sentinel give me a clear picture to defend against threats and investigate the threats.
Sentinel enables us to ingest data from our entire ecosystem. It's always good to get a centralized, holistic view of our security operations. We are using centralized Sentinel dashboards mainly to get all the threats and information in one place. It's good.
Microsoft security products provide comprehensive and deep threat protection. I'm pretty satisfied with that.
It has saved us time. It has saved more than 50% of our time.
It has decreased our time to detect and time to respond. It has been helpful, and the time to detect is really fast. We don't have to do anything. We just have to rely on it. In terms of the time to respond, if something is under the radar or intelligence of Defender, the tool itself responds and gives us what happened. When it comes to something that is not on Defender's radar, Sentinel is generally where we go. So, it has saved more than 50% of our time in terms of detection and response.
What is most valuable?
Email security and endpoint security are valuable.
What needs improvement?
It provides good visibility of Microsoft products but not for third-party products. It's a good product if we have Microsoft product lines to protect or defend, but it lags when it comes to a mixed environment or non-Microsoft products. The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category.
On the Defender side, for custom detection queries, KQL and the dashboard are not that great, but we are not doing automation directly from the Defender side. We leave Defender intelligence as it is, and we collect everything from Defender to Sentinel and handle the response from the Sentinel side. So, all our automation is happening through Sentinel only. We don't have any extra customization on top of Defender.
The maturity of the portal or dashboard is missing. The dashboard is something that Microsoft is changing every month, and we are seriously not liking it. As a management person, I am not bothered about it, but my team is suffering because there are many versions. You are working on a version and then a new version comes and then the preview toggle button comes. Now, they are combining all the parts into a single console. It confuses technical teams a lot. I'm not happy with their approach or experiments when it comes to the Defender portal. They shouldn't change it again and again.
The SOAR side of Sentinel is zero. If any subscriber subscribes to Azure Sentinel, SOAR is zero. Microsoft says that Sentinel is a SOAR solution, but I don't agree because they are only exposing the existing Azure automation engine towards Sentinel. My automation ask is that when there are already so many detection rules and connectors, why is the SOAR capability not in-built? Why can't they make the Azure functions behind it available in a template form and let us modify and use them? It will save my team's time in preparing the automation of the response. If my team has to create the logic, they have to invest a lot of time.
Their support needs to be improved. I'm not happy with their support.
Buyer's Guide
Microsoft Defender XDR
January 2026
Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,082 professionals have used our research since 2012.
For how long have I used the solution?
I have been using this solution for more than a year.
What do I think about the stability of the solution?
For stability, the product must be mature enough. It should not keep on changing every month.
What do I think about the scalability of the solution?
It's scalable. Target points are in my capacity, and I can scale it without any problems. There is no limit to the agents for Defender, but on the server side, Microsoft would have the answer.
Location-wise, we are spread in five locations within one country, and department-wise, we have around 11 departments.
How are customer service and support?
Their support is bad. They weren't at all able to solve my problems. They buy the time but never get back. I have to follow up with them again and again. They just take the logs and sleep on them. I'm not happy with their support. I would rate them one out of ten.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
We were using another solution. Our organization at the time was too dependent on the on-premises infrastructure. We were using Symantec, but it was a very quick shift within one quarter or two toward the cloud products and services. We are now heavily reliant on Microsoft Cloud products. We have the Azure environment and a lot of cloud applications, and we have shifted to M365 and Sentinel.
How was the initial setup?
We have a hybrid deployment. Within the cloud, it's straightforward, and when it comes to the target points, it's doable.
Our biggest challenge was removing the old Symantec signatures from the registries, devices, and servers. That was what we mainly struggled with a lot. Otherwise, deployment was going very smoothly. We had around 46 virtual machines or servers. The problem was that the MDATP agent was not ready to protect them. We struggled a lot there. We went to Microsoft, and Microsoft said to go back to Symantec, and when we went to Symantec, they asked us to go back to Microsoft. That took a long time for us. Everything else was smooth. When the target point is Windows, it's very smooth.
It took around 20 to 25 working days. In terms of the staff, other than the infrastructure team, there were five people including me.
In terms of maintenance, we have to just work on the detection rules and nothing else. There is no other maintenance. It's a complete cloud solution.
What was our ROI?
It's quite hard to measure the money saved from using this solution because we have not got any attacks that have resulted in any kind of ransom or monetary loss. It's defending us, and as of now, as per my report, there are no financial losses due to any attacks.
What's my experience with pricing, setup cost, and licensing?
Microsoft's pricing differs geographically. We are based in India, and we have India-based licenses. Money-wise, it varies from product to product or OEM to OEM. We pay less for some, and we pay more for some.
Microsoft has a lot of CSPs, indirect partners, and direct partners to deal with customers. There is so much difference in the price, which is something we are a little confused about. For Defender, they have Endpoint Plan 1 and Endpoint Plan 2, but I don't know on what basis they have classified Endpoint Plan 1 and Plan 2, and it has given me enough pain to pick and design Endpoint Plan 1 or Endpoint Plan 2 for my organization. In fact, we are still struggling with it. Too many SKUs are confusing. There should not be too many SKUs, and they shouldn't charge for every new feature.
Which other solutions did I evaluate?
We evaluated Okta products and QRadar.
What other advice do I have?
To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I would say that a single vendor security suite is always better. It's simple. It saves time to detect, respond, and administer.
This product is best if you have mostly Microsoft solutions in your ecosystem. If more than 20% of your solutions are third-party solutions, you can also look at and compare other products.
Sentinel enables us to investigate threats from one place, but when it comes to response, we have to put a lot of effort into it because Microsoft is not giving anything ready-made on the SOAR side. We have to put a lot of effort into orchestration and automation. The SIEM of it in terms of the collection of security events and information is wonderful, but when it comes to the SOAR capabilities, there is nothing in-built. They are just the analytical rules for the detection purpose, not for the response. The response is something we have to sit and design. So, the defending capabilities of Defender are good. It has some intelligence, but on the response side, Sentinel is blank. We have to start from scratch. It's a circle, and we have to keep on evolving. When comparing the cost, I am not that exposed to other products' costs, but as per my understanding, the cost of Sentinel is a little bit on the higher side because Microsoft generally charges on a log ingestion basis. It also depends on the amount of log data we are ingesting in Sentinel.
Its threat intelligence hasn't helped to prepare us for potential threats before they hit and to take proactive steps because it depends on the type of attack, the type of payload exploits, and other things. However, as per my previous report, in the last six months especially, there have been quite impressive preventive features, especially related to the process memory injection attacks or attacks coming from emails and links. It's very good for those.
Overall, I would rate this solution a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
M365 Incident Responder at a financial services firm with 201-500 employees
Intelligently correlates activities, improves visibility, and allows me to get deeper insights with advanced hunting capabilities
Pros and Cons
- "For me, the advanced hunting capabilities have been really great. It allowed querying the dataset with their own language, which is KQL or Kusto Query Language. That has allowed me to get much more insight into the events that have occurred. The whole power of 365 Defender is that you can get the whole story. It allows you to query an email-based activity and then correlate it with an endpoint-based activity."
- "For some scenarios, it provides good visibility into threats, and for some scenarios, it doesn't. For example, sometimes the URLs within the emails have destinations, and you do get a screenshot and all further details, but it's not always the case. It would be good if they did a better job of enabling that for all the emails that they identified as malicious. When you get an email threat, you can go into the email and see more details, but the URL destination feature doesn't always show you a screenshot of the URL in that email. It also doesn't always give you the characteristics relating to that URL. It would be quite good if the information is complete where it says that we identified this URL, and this is what it looks like. There should be some threat intel about it. It should give you more details."
What is our primary use case?
I've mainly used the EDR component within 365 Defender, which is Microsoft Defender for Endpoint. It does a good job of bringing the whole attack story together, so you can see email activity, endpoint activity, cloud app activity, and some sort of sign-in activity as well relating to Azure AD, but I've mainly dealt with it from the EDR aspect.
How has it helped my organization?
It definitely improved visibility when I dealt with this solution, but the main benefit is the advanced hunting because it allows you to uncover threats that you didn't realize were there, or they weren't alerted because you were looking for specific behavior. The custom detection and linking to that is something quite cool because if you know there's a behavior, you want to keep an eye out for it. For example, it might be linked to a recent threat, so you can set up that detection query, and as soon as it finds a result, it will flag an alert. That has definitely helped to be more proactive and a bit more ahead of the curve with attacks. So, it improves visibility and also helps with being proactive.
It helps to prioritize threats across the enterprise. It does assign severity to a threat, but it also gives you an overview at a glance. If you know that your organization is susceptible to certain major threats, those are the ones you probably want to pick up on. With the severity and alerts, it gives you an idea of which is the most pressing incident. If you've got one with just one alert, that's a medium, but if you've got one with five highs, you're probably going to focus on the high one. That helps to prioritize.
It helps automate routine tasks and the finding of high-value alerts to a degree. You can have certain actions where if an event starts on the endpoint, it automatically isolates that. If it occurs, for example, on the email, then you can automatically purge it. It helps with the routine tasks that people would have to manually do in the portal. With automation, it takes care of it automatically if an alert fires. It improves efficiency because, after hours, there might be no one there available to isolate a machine. This way, as soon as the alert fires, that machine is isolated, and the next morning or the next working day, an analyst can go in and see that this alert fired and the endpoint has been isolated. That definitely helps from a coverage perspective when people are unavailable because those actions occur without anyone being present.
It has absolutely helped eliminate having to look at multiple dashboards and have one XDR dashboard. I've got three years of experience. At the start, we had all the individual portals for cloud app security, endpoints, Office, etc. The whole point of 365 is to unify, and they've done a good job. The different components are broken out into sections on the left-hand side, and you can very easily click through them and navigate them. It eliminates the need for multiple tabs and dashboards. It has definitely helped with what they were aiming for, which is to have a single pane of glass view.
It has saved us time by not having multiple dashboards. We don't need to open multiple portals and sign in to them. It definitely saves time there and also in understanding the true story of an attack. It has definitely helped in terms of efficiency. It's hard to quantify the time savings because I'm not using it now, but from what I remember, it saved at least 20% to 25% time just because it does a good job of giving you the information. You can glance at the key information that you need, and then it gives some details, and then you go to other places externally to investigate further.
The threat analytics give you a report on what Microsoft has seen in the world. What I like about those is that they will show you if that's actively impacting your environment at the moment or likely to. For example, if there are vulnerabilities that are being exposed, it tells you whether you're vulnerable or not, so you can protect against them before they are here. One thing I do like is that they also give you advanced hunting queries, so you can look for the behavior associated with those threats and make sure that you've got your coverage in place. I wouldn't necessarily call it threat intelligence. It's more of threat analytics and reporting that they provide.
I'm not aware of whether it saved any money in any of my previous roles, but a lot of organizations have the E5 security license, and they don't realize it. They have third-party vendors doing their email security, endpoint security, and so on, but holistically, Microsoft's E5 license gives you all of those capabilities, and it would also be cheaper than paying multiple vendors.
It decreases your time to detect and time to respond. It does a good job. It has the auto investigation ability so it can automatically detect threats. When you build custom detections, you can have automated response actions. Those two together help you with the mean time to remediate and the mean time to resolve. The information at a glance easily lets you see if it's a false positive or something that you know in your environment, and it's gonna be non-malicious. You can glance over and dismiss those alerts, and you could potentially be setting up suppression so that you don't get notified about them in the future. All in all, it helps you to improve your remediation. The time reduction depends on the scenario. Sometimes, you can instantly see false positives that would decrease your time by 85%. On the whole, there is about 35% to 40% time savings because of the way it correlates with the signals and gives you quick ways to remediate them.
What is most valuable?
For me, the advanced hunting capabilities have been really great. It allowed querying the dataset with their own language, which is KQL or Kusto Query Language. That has allowed me to get much more insight into the events that have occurred. The whole power of 365 Defender is that you can get the whole story. It allows you to query an email-based activity and then correlate it with an endpoint-based activity. The advanced hunting capabilities have definitely been one of my favorite features.
The way the incidents are put together is also good. It can intelligently correlate activities from email to endpoint, and then you can visually see it in the timeline view or graph view. It does a good job of presenting that incident to you, and it's easy to navigate between it and then pivot to some actions as well.
What needs improvement?
For some scenarios, it provides good visibility into threats, and for some scenarios, it doesn't. For example, sometimes the URLs within the emails have destinations, and you do get a screenshot and all further details, but it's not always the case. It would be good if they did a better job of enabling that for all the emails that they identified as malicious. When you get an email threat, you can go into the email and see more details, but the URL destination feature doesn't always show you a screenshot of the URL in that email. It also doesn't always give you the characteristics relating to that URL. It would be quite good if the information is complete where it says that we identified this URL, and this is what it looks like. There should be some threat intel about it. It should give you more details.
One other limitation is with cloud-based events. Sometimes, you don't get enough details in the alert. You have to go to other portals to then complete the story or do your own research, ask the user, etc.
The other one is that with Defender for Endpoint, the attack story is quite good in terms of queries and things like that, but sometimes, multiple events for the same thing are captured, and it's not summarized in a good way. You have to open each entry to see what that partial syntax is. It would be good if it said that this specific partial syntax was seen fifteen times, and maybe it's something to pay attention to. They could also do some sort of pattern matching. There could be some sort of pattern matching where it says that this is the attack trying to do some enumeration or reconnaissance activities.
For how long have I used the solution?
I've been using it for over three years.
What do I think about the stability of the solution?
There are some times when it does have downtime or service outages. They do a good job of updating the service status page to let you know about that, but there have also been misclassifications, for example, for Chrome updates, generating malicious alerts and things like that. On the whole, it's quite stable.
There are times when it can freeze up or not present the data that you want. It gives you data unavailable or other errors, but, usually, these are quite quickly resolved. Sometimes, it's just to do with a particular instance, but sometimes, there can be wider outages. You just have to pay attention to the service status page or raise a support case and then be notified when that's resolved. On the whole, it's fairly stable.
What do I think about the scalability of the solution?
Because it's built on the cloud and for the cloud, it does scale quite well. However, one area where it can be a challenge is when you use the Kusto Query Language for event hunting. Sometimes, if you do quite a generic search across, for example, thirty days of data, it gives you processing errors and limitations. I guess Microsoft does that for two reasons. One, to keep the cost down on their side, and two, from a performance standpoint. That is a bit of a limitation of scaling because if you want to do generic searches across thirty days, you're not able to, but the idea is that you should be able to filter and granularly restrict conditions to get exactly the events you want. However, it would be nice if you were able to search more widely and if the solution could scale to support that, whereas, currently, it doesn't seem to, but that's not the use case they might have had in mind.
How are customer service and support?
It depends. With some clients, we've had the fast-track option, whereas, with some clients, we just had to raise support cases. Usually, when you raise support cases, you're not going through an SME, so there is a bit of basic troubleshooting and things like that. With the fast-track option, you directly get through to someone who understands security, and you can explain the issue. They understand the issue, and you can get a much quicker response. So, the fast-track option is the one where I've had better success. The normal support can sometimes be a bit drawn out. There could be a lot of back and forth about non-relevant things just because they're not security trained, so they're trying to understand and then help you.
It has been a mixed experience. Overall, I would rate them a seven out of ten because there have been some gaps, and there have been some successes, especially through the fast-track program.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We didn't have anything that was overarching and correlated all the different signals. We had different products. We had a different product for email security or a different product for the endpoint. I might be wrong here, but I don't think there's another tool that brings those aspects together as well as 365 Defender does.
How was the initial setup?
From what I went through in various roles, it was mostly in the cloud. Defender for Endpoint is a cloud-based solution. In fact, most Defender solutions are now based on the cloud. The only exception is if you've got Defender for Identity. For one of our engagements, I did deal with that, so it was a mixture. Apart from Defender for Identity, all the other solutions have been on the cloud.
In one of my roles prior to my current one, I was doing onboarding for a client with Defender for Endpoint. I was getting them onto it and migrating from McAfee. I was involved in the setup, coordinating the groups and the roles, and things like that. In all the other roles, the tool was already in place. It was just about maturing it and getting hands-on.
The setup was quite complex. Microsoft Docs guide you, but there were a few gaps that I had to fill in. One example is onboarding with group policy. Microsoft does lay all the steps on the docs page, but it doesn't give you screenshots. It doesn't give you things to look out for. It doesn't give you logs that would correlate to those events and things like that. I had to put things together using external sources, such as YouTube or just Google search. On the whole, it was very okay to follow, but it just didn't have that depth. What I produced for that client was a step-by-step coding guide with screenshots that they could give to the infrastructure team to get them on board. We had a good success rate that way, whereas if I had just sent them the Microsoft Docs link, I'm sure they would have had a few more questions.
That was the only use case I had experienced initial-setup-wise. The onboarding for group policy took maybe a month or two just because we had quite a big setup. We had different groups to roll it out to. We rolled it out to pilot devices, then 10 or 20 devices, then 100, and so on. It took about a month or two.
In terms of maintenance, from the service side, you rely on Microsoft to make sure it's available, secure, and things like that. Sometimes, you get downtime, and sometimes, you get bugs. For example, last year, a Chrome update was misclassified as malicious, which caused all the alerts. You then have to raise support cases to find out what happened. Eventually, Microsoft releases a fix, so in terms of maintenance, it's more on them. The only thing from your side is making sure, for example, the roles are still relevant. If someone who has access leaves, you need to make sure that their role is revoked. You need to make sure that you've got your role set up for the least privilege and things like that on an ongoing basis because there may be certain new features in the portal that have a corresponding role assignment. If you don't have that enabled or configured, then you're not going to get that benefit. That's the only thing needed from the maintenance perspective. You just need to make sure your roles are regularly reviewed and optimized when needed.
What's my experience with pricing, setup cost, and licensing?
All I can say again is the E5 gives you all the capabilities that it offers. It also gives Office 365 and one terabyte of storage. All in all, the E5 license model makes sense. There are some people who say it's quite costly, but rather than paying different vendors, it makes sense to go all in with Microsoft if you've got that licensing. From that perspective, it's cost-effective, but I can't comment much on that.
What other advice do I have?
To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that I'm slightly biased because I'm such a fan of the Microsoft suite. Some people do say that you shouldn't put eggs into one basket, and you're giving a lot of control to Microsoft and things like that. I would advise evaluating based on your needs. For example, for your endpoints, you might see much better value in CrowdStrike, Tanium, or something like that as compared to Defender for Endpoint.
You can do PoCs. Microsoft makes it quite easy. You can have the trials and things like that. You can play around and see which one supports your environment. I wouldn't say Microsoft is necessarily the option for all organizations, but I do think it's a very compelling offer. They're constantly evolving the product. They pay a lot of attention to consumer feedback. They have enterprise feedback as well to improve the product. I wouldn't completely rule out either option. If you've got one that's tried and tested for your enterprise, and that's a third party, you can see what Microsoft can offer. If it just doesn't match up, then stick to what you have even if it costs more because all in all, you may have tried and tested processes. You may have an investment in that product, and it may just have capabilities that the Microsoft one doesn't have. I would also encourage you to add a feature request for the Microsoft one, and then they'll be more on the equal side.
I would advise doing a PoC. If you are using Carbon Black, CrowdStrike, or Tanium, evaluate it. Have a sample host or spin up some VMs or onboard them to Defender. Do some simulations and do some attacks that you think are likely going to be. See how the logs look, see the investigation processes, and do a gap analysis with your current solution. If it brings you any value, then potentially look to deploy it further. Don't just go all in without understanding what it does. If you don't have any security solution right now, and you are a small business or a local business, it's worth doing the trial and seeing what value you get from the trial because, in that situation, you don't have anything to compare to. You are an easy customer to onboard from Microsoft's perspective because you wouldn't be that complex. So, do a trial and then go from there.
I would rate it an eight out of ten overall. I do really like the product. I do like the fact that it combines all the alerts into one. I remember when I was a security analyst back in 2019, I had to open multiple tabs and close alerts in one portal and then the other portal. They've done a good job of bi-directional syncing of alerts. If you're closing in 365 Defender, it'll close in the MCAS portal or cloud apps. Overall, the biggest thing for me was just advanced hunting capability because previously, it wasn't possible to get those cloud app events or Defender for Office events to do hunting. Endpoint was the first one to have that hunting capability, and I'm glad that they've extended that to the other stacks. So, overall, I would give it an eight, and I'm really impressed.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
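The first reviewer mentions writing custom detection queries in KQL, and the second describes advanced hunting as the ability to query an email-based activity and correlate it with an endpoint-based activity, then turn such a query into a custom detection that fires an alert and an automated action. The query below is an added illustration of that pattern; it is not code from either reviewer or from Microsoft. The table and column names (EmailEvents, EmailUrlInfo, DeviceNetworkEvents and their fields) are those of the Defender XDR advanced hunting schema; the seven-day window and the choice to key on emails Defender tagged as Phish or Malware are assumptions made for the example.

```kql
// Added example: link URLs from emails that Defender flagged as phishing or malware
// to endpoint network connections reaching the same host, so a flagged link and a
// later click on it from a managed device appear as one row. Assumed parameters:
// a 7-day lookback and the Phish/Malware threat filter.
let lookback = 7d;
// Hosts extracted from every URL inside a flagged email, with the email's metadata.
let FlaggedEmailHosts =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where ThreatTypes has_any ("Phish", "Malware")
    | project NetworkMessageId, EmailTime = Timestamp, SenderFromAddress, RecipientEmailAddress, Subject
    | join kind=inner (
        EmailUrlInfo
        | where Timestamp > ago(lookback)
        | project NetworkMessageId, Url
      ) on NetworkMessageId
    | extend Host = tolower(tostring(parse_url(Url).Host))
    | where isnotempty(Host)
    | project NetworkMessageId, EmailTime, SenderFromAddress, RecipientEmailAddress, Subject, Url, Host;
// Endpoint connections keyed by the host contacted. RemoteUrl is sometimes a bare
// hostname rather than a full URL, so parse_url is only applied when a scheme is present.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteUrl)
| extend Host = tolower(iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
| join kind=inner FlaggedEmailHosts on Host
| where Timestamp > EmailTime            // keep only connections made after the email arrived
// Timestamp, ReportId and DeviceId are kept in the output so the query can be saved
// as a custom detection rule; the remaining columns tell the email-to-endpoint story.
| project Timestamp, ReportId, DeviceId, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, RemoteUrl, EmailTime, SenderFromAddress,
          RecipientEmailAddress, Subject, Url
| order by Timestamp desc
```

Run it from the Advanced hunting page; if the portal returns the processing-limit errors the second reviewer describes, shrink `lookback` or add a `where DeviceName` / `RecipientEmailAddress` filter before the joins rather than widening the window. To use it the way the reviewer describes for custom detections, save it as a custom detection rule: the output already carries the Timestamp, ReportId and DeviceId columns that custom detections require, so an automated response such as isolating the device or soft-deleting the email can be attached to the rule and will run even when no analyst is on shift.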
IT System Security Analyst at a tech services company with 1-10 employees
Easy to configure and customizable with good threat protection
Pros and Cons
- "You can configure the product very easily."
- "The solution can improve the rules and privileges it offers."
What is our primary use case?
I'm using the solution for security.
How has it helped my organization?
Previously, we weren't using anything and now we can configure privileged access and rules. We now operate in a more secure environment.
What is most valuable?
It's great that it's a cloud solution. You don't need to worry about physical hardware.
You can configure the product very easily. It's simple to implement and easy to run.
The XDR platform provides unified identity and access management.
We only use it to cover Microsoft products; it works really well.
365 Defender stops lateral movement of advanced attacks, like ransomware or business email compromise. It protects us from spam and ransomware.
So far, we haven't had any attacks. It also allows us to adapt to evolving threats.
We use the solution's multi-tenant management capabilities. It's easy to access and helps with investigating and responding to threats across tenants.
With Microsoft, we get multiple services under one platform.
With Defender, we've been able to reduce costs. We've likely saved around 25% in costs so far. We've also been able to save time - around 10% to 20%.
You can customize the product based on your requirements - and everything is available under one platform.
What needs improvement?
The solution can improve the rules and privileges it offers. They need to be more transparent with changes. Often, changes come too rapidly.
For how long have I used the solution?
I've been using the solution for seven months.
What do I think about the stability of the solution?
The solution is a stable product. I'd rate it nine out of ten.
What do I think about the scalability of the solution?
It's scalable. I'd rate the ability to scale nine out of ten. You can scale according to your needs.
How are customer service and support?
Support is very good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I also use SentinelOne and Splunk. Microsoft Defender is easy to implement and is user-friendly. Splunk, however, is not user-friendly.
How was the initial setup?
The deployment is easy.
We have 20 to 30 people working on the solution.
There isn't really any maintenance needed.
What's my experience with pricing, setup cost, and licensing?
The pricing is reasonable. It's cheaper than other options.
What other advice do I have?
I'm a Microsoft customer.
I'd rate the solution eight out of ten.
I would recommend the solution to others.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC analyst at a computer software company with 1,001-5,000 employees
Good incident graphs and vulnerability scanning but AI needs to improve
Pros and Cons
- "It reduces the risk of users accidentally clicking on phishing emails."
- "The AI could be improved. As an analyst, I want to be able to interact more with AI. The AI simply sends summaries. I can't ask it, for example, if it has seen any suspicious activity with device two. I have to go and check device two for myself."
What is our primary use case?
We use Defender XDR to monitor our network. We use it when we analyze email and check endpoints.
How has it helped my organization?
XDR is our second solution. We have two. We have it in basic mode as an antivirus and as an XDR. We use the DLP in our company as well. We can look at threat intel for vulnerabilities, and we check to see if vulnerabilities are present within our environment. We do that through Defender. It's useful for threat hunting.
We have it integrated with Sentinel and we manage our incidents from Sentinel. We can do a detailed analysis of what actually happened, and it gives us the ability to log in remotely on devices. For example, if you have a problem with your PC, one of my colleagues can take the file from the PC remotely. As long as you have permissions as an administrator you can do that. Otherwise, you can create an incident and escalate it to the right admin.
The file analysis is helpful. When we have phishing emails Microsoft itself can analyze the file in the sandbox and then give you a detailed report. It's helped us respond better and increased the security of our organization.
What is most valuable?
I like the attack graph of each incident. It's really handy, and there's a summary. For example, you can see what happened with a timeline. And if you go to investigate, the evidence will be there, including the users and devices. Copilot is integrated there as well. With just one click, you have a summary of what to do and the next steps. For young analysts, it is quite helpful.
You can have security administrators or global administrators. You can set up different permission structures outside of Defender.
The solution's security extends beyond just Microsoft technologies. Linux machines can be covered, for example. It is possible to install an agent for Linux so you can also monitor Linux machines.
Apart from having everything within the same console, you have alerts.
The attack disruption capabilities positively affect our security operations. We can integrate with third parties. If an email comes in with a file attached, Microsoft's intelligence would be able to tell if it's a phishing scam, and it can automate the deletion.
We do educate and train our users, however, it provides an extra security layer that catches suspect emails. It reduces the risk of users accidentally clicking on phishing emails.
The solution adapts to evolving threats. It's a next-generation solution. The machine learning and AI are integrated. With the help of machine learning, it can block quite a bit of suspicious activity.
It offers multi-tenant capabilities. We have four different tenants, and for each, we have a different console, so I don't directly deal with multi-tenant capabilities; however, it is possible.
We do use the solution with a variety of others. We haven't reduced the number of other products we use for security. However, it's quite handy. It blocks a lot of malicious attempts. Nothing really gets by it. The automatic incident response and protection have kept us very safe, even though we do have other backups there on offer as well.
We've saved a lot of time with the automated detection. It reduces the time we need to respond and react. We've saved maybe 30% to 40% of the typical amount of time it would take, thanks to automation. For example, if a phishing email goes to the XDR and we had to do the analysis and a report ourselves, that alone might take 20 minutes to an hour. Then, we have to remediate, delete, and block. With automation, we can save those 20 minutes to an hour. The process is automatic, so we don't have to do it manually. Also, if you have a bunch of suspicious domains or IPs, it will take time to manually go through everything, one by one. However, we can automate the blocking process and save ourselves a lot of time.
What needs improvement?
The AI could be improved. As an analyst, I want to be able to interact more with AI. The AI simply sends summaries. I can't ask it, for example, if it has seen any suspicious activity with device two. I have to go and check device two for myself.
For how long have I used the solution?
I've used the solution for 15 months so far.
What do I think about the stability of the solution?
The solution is quite stable. I'd rate stability eight out of ten.
What do I think about the scalability of the solution?
We have 15 to 16 people using the solution in my organization. Then we have users on various Microsoft accounts. There may be 50 or more users in total. We have the solution spread across multiple locations.
It's a scalable product.
How are customer service and support?
I've had colleagues mention that they were very pleased with Microsoft's support. Once you open a ticket, the response you get is usually within an hour or two.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I do use different solutions. Microsoft is very good compared to other market leaders. It's a leader itself. I've used CrowdStrike, for example, and I'm familiar with Zscaler.
How was the initial setup?
My understanding is it is quite easy to deploy the solution. Between deploying the agent and the initial installation, it may take one to two hours. Then, of course, you have to customize the product. However, as a SaaS product, it's very easy to deploy. I'm not sure if any ongoing maintenance is needed after deployment.
What's my experience with pricing, setup cost, and licensing?
I don't have visibility into the pricing. However, Defender is included in the price of a larger bundle. As a Microsoft customer, it's my understanding that users can access discounts.
What other advice do I have?
I'm a Microsoft customer.
I'd advise new users to try a proof of concept. Before the solution is implemented, figuring out the grouping will be very important. You'll want to implement policies based on groups, so they need to make sense. For example, it would be easy to create a structure based on departments.
I'd recommend the solution to others. Microsoft is quite handy. You can get a full overview of your vulnerabilities, which makes investigations easy.
I'd rate the solution seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
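The email-to-endpoint correlation the reviewer describes (a phishing attachment analyzed in Defender, then traced to the device it landed on) can be reproduced as an advanced hunting query. The query below is an added example and not the reviewer's own; it joins the Defender XDR email tables to the endpoint file table on the attachment's SHA256. The 7-day lookback, the restriction to inbound mail with a "Delivered" verdict, and the choice of `FileCreated` as the endpoint event are assumptions to adjust for your tenant.

```kql
// Added example (not the reviewer's own query): find inbound emails whose attachment
// was delivered to a mailbox and whose file hash later appeared on an onboarded
// endpoint. Lookback window and filters are assumptions to tune per environment.
let lookback = 7d;
let delivered_attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | where EmailDirection == "Inbound"
        | where DeliveryAction == "Delivered"
        | project NetworkMessageId, RecipientEmailAddress, Subject, DeliveryLocation
      ) on NetworkMessageId, RecipientEmailAddress
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress, Subject,
              RecipientEmailAddress, DeliveryLocation, FileName, SHA256,
              MailThreatTypes = ThreatTypes;
delivered_attachments
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | project FileTime = Timestamp, DeviceId, DeviceName, SHA256, FolderPath,
              InitiatingProcessFileName, InitiatingProcessAccountName, ReportId
  ) on SHA256
// only keep cases where the file was written to disk after the mail arrived
| where FileTime > EmailTime
| project EmailTime, FileTime, SenderFromAddress, RecipientEmailAddress, Subject,
          DeliveryLocation, FileName, SHA256, MailThreatTypes, DeviceName,
          FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
| order by FileTime desc
```

Each result row ties a mailbox, a sender, and a hash to a device and the process that wrote the file, which is the starting point for the remote file collection the reviewer mentions (live response on that device) or for adding the hash as a blocked indicator. Because the join is on hash alone, a benign attachment that many users legitimately save will also match; the `MailThreatTypes` column from Defender for Office 365 is the first filter to apply when triaging.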
Pre-sales Engineer at a tech services company with 1,001-5,000 employees
Helps stop the lateral movement of advanced attacks, provides unified identity and access management
Pros and Cons
- "The integration between all the Defender products is the most valuable feature."
- "The management and automation of the cloud apps have room for improvement."
What is our primary use case?
We use Microsoft Defender XDR to secure all data transfers between the company network, databases, and user devices. It also protects against malware, ransomware, and other security threats.
How has it helped my organization?
Microsoft Defender XDR provides unified identity and access management.
Microsoft Defender XDR extends to cover more than just Microsoft technology.
The most beneficial aspect of Microsoft Defender XDR is the integration with Office 365.
We can realize the benefits of Microsoft Defender XDR anywhere from two weeks to three months, depending on the organization.
Microsoft Defender XDR stops the lateral movement of advanced attacks.
When a user exhibits suspicious activity, Defender XDR and Microsoft Sentinel work together to provide real-time protection and automation for prevention. This includes threats like insecure connections, lateral movement by malware, and unauthorized email sending. While Microsoft Defender XDR is a powerful solution on its own, combining it with Microsoft Sentinel and automation creates an even more robust defense.
Microsoft Defender XDR helps to discontinue other third-party solutions in our environment.
The cost savings potential of Microsoft Defender XDR depends on the size of an organization and the specific licensing chosen.
Microsoft Defender XDR streamlines security team workflows by offering a unified console for investigation, blocking, and mitigation.
What is most valuable?
The integration between all the Defender products is the most valuable feature.
What needs improvement?
The management and automation of the cloud apps have room for improvement.
For how long have I used the solution?
I have been using Microsoft Defender XDR for 3 years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
The scalability of Microsoft Defender XDR depends on your organization's network for on-premises deployments, but it offers excellent scalability for cloud deployments.
Scaling Microsoft Defender XDR on-premises can lead to network and access control list problems, as well as VPN restrictions.
How was the initial setup?
Microsoft Defender XDR boasts a straightforward setup process. This ease of use stems from its integration with existing Microsoft products. Once we have the appropriate license, we can be up and running quickly. Extensive documentation is available, and Defender XDR enjoys broad industry compatibility. Many other security solutions readily integrate with Defender XDR, opening their products to its robust security features.
The deployment time depends on each environment and can take anywhere from a couple of days to one month.
The number of people required for deployment also depends on the environment and varies between two to eight people.
What's my experience with pricing, setup cost, and licensing?
The price we see for Microsoft Defender XDR is typically the discounted rate we offer to our customers. However, when we bundle Defender XDR with other Microsoft products, the overall bundle price may differ. Despite any initial price considerations, Defender XDR offers excellent value. It's important to compare similar products to make a fair assessment. For organizations already using Microsoft products, which applies to roughly 90 percent of our customers, Defender XDR is easy to set up. Unlike some third-party security solutions, Defender XDR integrates seamlessly with our existing Microsoft environment, eliminating the need for complex identity management configurations and development efforts.
While the standalone price of Defender XDR might seem high, its value becomes clear when considering the ease of implementation and smooth integration with our existing Microsoft infrastructure, especially when bundled with other Microsoft products.
What other advice do I have?
I would rate Microsoft Defender XDR nine out of ten.
Between one and two people are required for maintenance, which is conducted twice a month to follow Microsoft's roadmap and check new features.
I recommend thoroughly reading the documentation. Additionally, if there are opportunities to attend Microsoft events, such as a partner workshop focused on Defender, these would be valuable resources. By participating in these activities, you can gain a deeper understanding of what needs to be done within your environment to successfully implement Microsoft Defender XDR.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.
Cybersecurity Manager at a manufacturing company with 10,001+ employees
Decreases time spent on manual data aggregation by about 30 minutes per incident
Pros and Cons
- "The most valuable feature is probably the aggregation and correlation of the different telemetry points with Defender for Identity, Defender for Endpoint, and Defender for Cloud Apps. All of these various things are part of that portal. We've wanted that single pane of glass for years."
- "The advanced threat-hunting capabilities are phenomenal, and the security copilot enhances that, but some data elements could be better or have more context inside of the advanced tables themselves. The schemas feel a little limited to what they're building into the product. It's probably just a maturity thing. I imagine we'll see the features I want in the next year."
What is our primary use case?
I'm managing the SIEM, but the SIEM is heavily integrated with 365 Defender and all the other components. Defender is a natural extension of Sentinel, and our entire SOC team leverages the solution. We utilize it daily for everything related to incident response from an advanced threat-hunting perspective.
We do some KQL-based threat hunting and have set up some custom detections built into the platform, so we can raise an alert about a threat when we see it. Right now, we're onboarding our server environment to push the Defender for Servers agents and see what that looks like.
Defender is used widely by our SOC for everyday investigations. Our attack surface reduction teams use it for vulnerability information. Other teams at the company use the telemetry data, but it's primarily our SOC using it for incident response.
How has it helped my organization?
Defender XDR has simplified our security operations because we don't need to shift around various portals. If I respond to an initial access event involving phishing emails, I can go to the endpoint and the user's identity in one console instead of having four or five different tabs open for multiple products.
Since adopting Defender XDR, we haven't consolidated anything because the corporate leadership purchased the E5 license with all of Microsoft's other security solutions. All of those are still in play, but some of Defender's features are creeping into other spaces where it could potentially replace some of their products.
It allows things like indicator blocking. You can block file hashes now. You can block URLs, domains, etc. We might have handled that somewhere else with DNS and similar controls. We might be blocking domains or adding different intelligence to handle that from the endpoint perspective so the threats are stopped before they get to the network. There are certain functions that Defender might not necessarily take over, but it can augment the entire approach to that security design. It could replace those solutions, but I'm not one to have all my eggs in one basket. However, that's not my decision to make.
Having everything in a single pane of glass saves some time, but it's hard to quantify. It reduces the time needed to respond. It correlates the data in a certain way that probably decreases time spent on manual data aggregation by about 30 minutes per incident. We can aggregate the logs from third-party solutions in Sentinel, run KQL queries there, and look at them together to make some assumptions. That's a significant time saving, but I don't think we're tracking that.
The way it gathers data is fundamentally different. It's all right here, and I don't need to do separate queries. I can look through the timeline and export the data to a CSV if I want to sift through it. It likely reduces the time it takes to respond dramatically. One problem we have internally is that we can't deploy Defender for Endpoint on everything. I can't deploy it on many legacy OSes due to compatibility. It's challenging to address those things when you get so used to having all of this telemetry. When working through that, the advantages of using the platform become clear. It incentivizes us to stop using some of those assets because we can't see anything on them the same way it gets represented in M365D. We don't have direct telemetry ingestion into the cloud portal where we can collect logs from all those assets.
What is most valuable?
The most valuable feature is probably the aggregation and correlation of the different telemetry points with Defender for Identity, Defender for Endpoint, and Defender for Cloud Apps. All of these various things are part of that portal. We've wanted that single pane of glass for years.
We've become early adopters of almost all of the features that they offer through the portal, so we've become good at working through the leading-edge quality of the new features and deciding whether or not we want to implement something in production based on that. We have a close relationship with Microsoft's team, and they present us with opportunities to enable new features, but all of the training is done internally. We have a close-knit team structured between our level two, level three and engineering team. And so we'll come together and say, "Here's this new thing we can do with Defender for Identity. We can reset users' passwords on-prem through the portal." We'll discuss these things and whether to implement them, but it's just our team.
Defender provides unified identity and access management. There's probably some more granularity that could happen within the existing access control model. You can apply default labels for security admin and this or that. It depends on how you design it. A lot of our security admins can do at-will actions. We want them to be able to do anything else requiring an elevated set of privileges that allow you to design roles or stuff related to assets or identities.
You have an audit trail for who's doing what, which is great. I think they could make the roles more granular. That would be ideal. Integrated identity and access management capabilities are core to the solution because you don't want people to have too much access. You want to control it to a point. We need people to be able to do what they need to, but I don't want everyone to have domain privileges because they can log into a domain controller through the portal.
These are the kinds of things the portal lets you do, like the interactive sessions with Defender for Endpoint. However, I would like to see a just-in-time access approach that allows me to do something, and once I'm done with the action, it shuts off that capability.
Defender feels restricted to Microsoft products, but if we augment its capabilities with Sentinel, you can pull all your third-party data sources and everything into the SIEM. That immediately adds a different value to the product. Having some level of normalization on the data helps, but the ability to take data from third-party sources and correlate it with Microsoft sources is beneficial.
The solution stops the lateral movement of advanced threats like ransomware if you set it up correctly and are willing to accept the possibility of false positives on automated isolation, app restriction, etc. It entirely depends on what your team can do with rule tuning and use case detection.
Our team does customized detections entirely based on what's happening in our environment. We have direct tuning capabilities. We don't have an automated isolation-based task applied to out-of-the-box rules. That would be scary. We do our best to ensure false positives don't happen. If they do, we can control the outcome and make sure it can tune out the false positives.
Defender can stop attacks and evolving threats because it can correlate data and make assumptions based on it. If you feed it all of your data, it will do an incredible job. It's dependent on your environment, but I think it does an excellent job of detecting perceived threats. At the same time, you still need a human being to monitor and tune it.
What needs improvement?
The advanced threat-hunting capabilities are phenomenal, and the security copilot enhances that, but some data elements could be better or have more context inside of the advanced tables themselves. The schemas feel a little limited to what they're building into the product. It's probably just a maturity thing. I imagine we'll see the features I want in the next year.
Once you've onboarded your servers to Defender, they're housed on Azure. When those things are brought into the 365 Defender portal, I can see clearly that some of those are Azure resources. There is a subscription and the resource group. That data doesn't exist in the tables. We don't want to run automated remediation against our domain controllers, but you can't exclude those using Azure resource tags. You can't tell it to exclude assets from this resource group.
That data doesn't exist inside the tables you use to build your thresholds or custom protections. I could see where they could improve the data they present to you in the tables. I assume that it will come with time. There's so much happening. Every time I open the portal, there's a new feature.
For how long have I used the solution?
We have used Microsoft Defender XDR since earlier this year and, prior to this, the Microsoft 365 Defender solution. We were early adopters of the platform and of the changes to the different products being integrated.
How are customer service and support?
I rate Microsoft support seven out of 10. Sometimes, the support teams are great. However, sometimes we know more about the tool in some cases than the people we're talking to. We use it so heavily that our internal team has a better understanding of the toolset than the average SME should. We use it every day, so we live in the portal. I can't comment negatively or positively on the support. It depends. Sometimes, you might get somebody who knows what's going on, but in other cases, we have to figure out the solution on our own.
The worst thing I can think of is when we need to reclassify a domain that they've categorized incorrectly. In that situation, you send a request into the abyss. You never get a response, and it's like, okay, do I have to keep checking back over and over again to see if this has been reclassified?
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We've experimented with other providers at this point, like Carbon Black. I think Defender meets the enterprise-grade criteria for our needs, but there are some nuanced differences between the solutions.
I think it's hard to compare due to the sheer volume of the E5 ecosystem in one location. No other tools have that. If you bundle all the Microsoft solutions, it doesn't make sense to compare them to third-party solutions. Defender stands out in terms of gathering data and the way it presents everything in the incident timeline. The only thing it could do better is the filtering capabilities when you're pulling back the data from the timeline.
What's my experience with pricing, setup cost, and licensing?
Data is expensive if we want to leverage the telemetry that exists within the 365 ecosystem and bring that into Sentinel. I can't pipe that data in without paying an ingestion cost. I know how much data exists in each one of the tables that are there, and it would cost a significant amount of money to bring that in.
What other advice do I have?
I rate Microsoft Defender XDR 10 out of 10. I don't know of anybody else that's even remotely close to doing what they're doing. It's reduced my work in terms of identifying things. I might be in a position where I'm engineering, but I'm still technically on the response team. I'm using the tool the same way, and it has gotten better and better every time they add something new.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner.
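The reviewer's two points above, custom KQL detections for lateral movement and the need to keep domain controllers out of any automated remediation, can be combined in a single advanced hunting query that is suitable for a custom detection rule. The query below is an added example and not the reviewer's own detection. It scopes the exclusion with the `DeviceType` column of `DeviceInfo` rather than the Azure resource tags the reviewer says are unavailable in the tables; the `"DomainController"` value, the one-hour window, and the host threshold are assumptions to validate against your own `DeviceInfo` data before relying on them.

```kql
// Added example (not the reviewer's own detection): flag an account that logs on over
// the network to many distinct hosts within a short window, a fan-out pattern
// consistent with lateral movement. Domain controllers are removed from scope so an
// automated response action attached to this rule never targets a DC. The window,
// the threshold, and the "DomainController" DeviceType value are assumptions.
let window = 1h;
let host_threshold = 8;
let domain_controllers =
    DeviceInfo
    | where Timestamp > ago(7d)
    | where DeviceType == "DomainController"
    | distinct DeviceId;
DeviceLogonEvents
| where Timestamp > ago(window)
| where ActionType == "LogonSuccess"
| where LogonType in ("Network", "RemoteInteractive")
| where isnotempty(RemoteIP)
// DeviceId is the host that received the logon; drop DCs from scope
| where DeviceId !in (domain_controllers)
// ignore machine accounts and built-in service contexts, which fan out by design
| where AccountName !endswith "$"
| where AccountName !in~ ("system", "local service", "network service")
| summarize
    TargetHostCount = dcount(DeviceId),
    TargetHosts = make_set(DeviceName, 25),
    FirstLogon = min(Timestamp),
    // arg_max keeps Timestamp, ReportId and DeviceId from the latest event, which
    // are the columns a custom detection rule needs to generate an alert
    arg_max(Timestamp, DeviceId, DeviceName, ReportId)
    by AccountName, AccountDomain, RemoteIP
| where TargetHostCount >= host_threshold
| project Timestamp, ReportId, DeviceId, DeviceName, AccountDomain, AccountName,
          RemoteIP, TargetHostCount, TargetHosts, FirstLogon
```

Saved as a custom detection rule, the query runs on the platform's schedule and raises an alert per matching account and source IP. In line with the reviewer's caution about false positives, the sensible first step is to save it with no response actions, let it run for a few cycles, and tune the threshold and exclusions (jump hosts, vulnerability scanners, backup servers) before attaching isolation or account-disable actions.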
Information Technology Security Manager at a security firm with 51-200 employees
Stops the lateral movement of advanced attacks, saves our security team time, and extends security beyond Microsoft technologies
Pros and Cons
- "Microsoft Defender XDR is scalable."
- "One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions."
What is our primary use case?
We utilize Microsoft Defender XDR for endpoint protection, monitoring network traffic, and enabling automation of issues. If we are specifically referring to Defender for Endpoint, it is a perfect solution to monitor user behavior and activities across all of our web portals. This provides an easy way to analyze and generate reports about user online activities.
How has it helped my organization?
Microsoft Defender XDR's security extends beyond Microsoft technologies and that is crucial for us.
Defender 365 stops the lateral movement of advanced attacks. An attack disruption would cause a lack of availability of our systems and corruption of data if there is a breach.
Microsoft Defender's ability to stop attacks includes an ability to adapt to evolving threats which is extremely important.
Microsoft Defender has enabled us to discontinue the use of a few different products. We consolidated our antivirus, web filtering, and EDR, and we had an endpoint monitoring tool that we now use Defender for.
Reducing the number of solutions we use has significantly impacted how our security team operates. This is because everything is now managed under one control and one tenant. This unified approach facilitates a natural integration with the various Microsoft products we rely on for collaboration, data storage, email communication, and other critical resources essential to our company's operations.
The discontinuation of many of our security products has reduced manual correlation.
Microsoft Defender has saved our security teams 20 percent of their time by providing a single console to manage everything.
It helps prioritize threats across our company. It is a product that I use every day. I go into the portal all the time. It is very crucial to my security strategy.
We use additional Microsoft solutions. Most of them are available with E3 or E5 packages, including governance and DLP tools. We have integrated most of the ones we are using. Doing so was not that easy but not that complicated. It requires a lot of knowledge. They work natively together for coordinated detection and response, which is a critical component of my endpoint strategy for security and control. Without that, I would have a huge gap and I would have to find a different product.
What is most valuable?
One of the aspects I use it most for is as a basic antivirus installed on endpoints.
What needs improvement?
One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions. It's unclear who makes these decisions, but simplicity would be a highly welcome change. A great way to achieve this simplicity would be to have built-in wizards within the products to help users accomplish tasks. This would eliminate the need to guess where to find the necessary options to enable or disable features.
The features I would like to see added to Defender are improved web filtering capabilities and a WAF service. However, I may be mistaken, and Microsoft may already offer a similar solution. I understand that our finance department rejected most of the Defender for Azure services due to their cost, but I lack the information to judge their expense myself. I believe that, as with the Azure environment itself, which was initially considered expensive but became increasingly popular over time, the Defender for Azure solution will also gain traction if its price becomes slightly more competitive.
When it comes to visibility into threats, 365 Defender is slightly complicated, and much more complicated than competitors like CrowdStrike. That's just the "Microsoft way" where everything is usually slightly more complicated. The interface is not clear.
Also, it is not clear when the system is offering a recommendation or just a way to validate something. It is not clear what will be automatically done and what you will have to do yourself.
For how long have I used the solution?
I have been using Microsoft Defender XDR for almost five years.
What do I think about the stability of the solution?
Microsoft Defender XDR is stable.
What do I think about the scalability of the solution?
Scaling it is not easy and not complex. It's in between. With Microsoft, sometimes it feels like they hide the menus and you need to search for them with a magnifying glass.
How are customer service and support?
The quality of technical support I receive varies depending on the country from which it originates. Sometimes, I feel I possess greater technical knowledge than the support representative and find it more productive to research solutions online, such as through Google. Conversely, I find that teams based in Europe or the United States typically provide more professional and informative responses.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Previously, we used ESET, Cisco Umbrella, and JumpCloud for endpoint security, along with Cisco web filtering. I found Defender convenient due to its integration within our existing Office 365 environment. Since Office 365 is built on the Azure platform and integrates seamlessly with other Microsoft services like email, SharePoint, and others, it was more natural to use everything under the Office 365 umbrella rather than navigate to third-party solutions.
How was the initial setup?
Implementing Microsoft solutions has proven more complex than initially anticipated. Due to ongoing changes, the project remains in progress. Migrating from our previous third-party solutions and establishing full functionality required several weeks, potentially extending to three months.
What about the implementation team?
We hired One Pass, an American consulting firm, for our project. However, I am dissatisfied with the work they delivered. One Pass is a large company with too many people communicating with us simultaneously. We had difficulty speaking to the appropriate person because individuals either transferred us to other employees or were unavailable due to vacation.
What other advice do I have?
My advice is to read up on best practices so that you know what the best way to deploy it is. Otherwise, it will be a mess.
It is very effective as long as you don't need real-time information. For me, that's okay. When there is a need for real data, on the spot, which is not available from Defender, it is available in CrowdStrike. But for the way I run my business, it is okay.
In terms of a best-of-breed strategy rather than a single vendor’s security suite, I would go with a single suite.
I would rate Microsoft Defender XDR an eight out of ten.
Microsoft Defender XDR is deployed across our organization, encompassing multiple locations, departments, and continents. With approximately 200 international users, we rely on a team of four in-house administrators for security management. Additionally, we utilize the services of external companies for first-line support, who also handle specific tasks within our Microsoft 365 environment.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Manager at an insurance company with 201-500 employees
Is easy to deploy, and helps save us money and time
Pros and Cons
- "The most valuable feature is the network security."
- "Since all of our databases are updated and located in the cloud, I would like additional support for this."
What is our primary use case?
We use Microsoft 365 Defender to protect our privacy.
How has it helped my organization?
Microsoft 365 Defender's XDR platform provides identity and access management, which is important for our organization.
Microsoft 365 Defender's security extends beyond Microsoft technologies, which is important to our organization.
The multi-tenant management capabilities are easy and the support is 24/7.
It has helped save us approximately USD 1,000 per month.
Microsoft 365 Defender has helped save our security team time.
What is most valuable?
The most valuable feature is the network security.
What needs improvement?
Since all of our databases are updated and located in the cloud, I would like additional support for this.
For how long have I used the solution?
I have been using Microsoft 365 Defender for almost four years.
What do I think about the stability of the solution?
Microsoft 365 Defender is stable. The only downtimes are scheduled by Microsoft, and we are provided with advance notification to prepare.
What do I think about the scalability of the solution?
Microsoft 365 Defender is scalable.
How are customer service and support?
Technical support is one of the reasons we chose Microsoft 365 Defender.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment is easy. Microsoft 365 Defender is plug-and-play. The deployment takes a maximum of one day.
Which other solutions did I evaluate?
We also evaluated Kaspersky and Trellix XDR but found that Microsoft 365 Defender had additional features that met our needs and their support was better.
What other advice do I have?
I would rate Microsoft 365 Defender nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.