Microsoft Defender XDR Reviews

We use it for endpoint protection, monitoring network traffic, and enabling automation of issues, we utilize Microsoft Defender XDR. If we are specifically referring to Defender for Endpoint, it is a perfect solution to monitor user behavior and activities across all of our web portals. This provides an easy way to analyze and generate reports about user online activities.

Microsoft Defender XDR's security extends beyond Microsoft technologies and that is crucial for us.

Defender 365 stops the lateral movement of advanced attacks. An attack disruption would cause a lack of availability of our systems and corruption of data if there is a breach.

Microsoft Defender's ability to stop attacks includes an ability to adapt to evolving threats which is extremely important.

Microsoft Defender has enabled us to discontinue the use of a few different products. We consolidated our antivirus, web filtering, and EDR, and we had an endpoint monitoring tool that we now use Defender for.

Reducing the number of solutions we use has significantly impacted how our security team operates. This is because everything is now managed under one control and one tenant. This unified approach facilitates a natural integration with the various Microsoft products we rely on for collaboration, data storage, email communication, and other critical resources essential to our company's operations.

The discontinuation of many of our security products has reduced manual correlation.

Microsoft Defender has saved our security teams 20 percent of their time by providing a single console to manage everything. 

It helps prioritize threats across our company. It is a product that I use every day. I go into the portal all the time. It is very crucial to my security strategy.

We use additional Microsoft solutions. Most of them are available with E3 or E5 packages, including governance and DLP tools. We have integrated most of the ones we are using. Doing so was not that easy but not that complicated. It requires a lot of knowledge. They work natively together for coordinated detection and response, which is a critical component of my endpoint strategy for security and control. Without that, I would have a huge gap and I would have to find a different product.

One of the aspects I use it most for is as a basic antivirus installed on endpoints.

One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions. It's unclear who makes these decisions, but simplicity would be a highly welcome change. A great way to achieve this simplicity would be to have built-in wizards within the products to help users accomplish tasks. This would eliminate the need to guess where to find the necessary options to enable or disable features.

The features I would like to see added to Defender are improved web filtering capabilities and a WAF service. However, I may be mistaken, and Microsoft may already offer a similar solution. I understand that our finance department rejected most of the Defender for Azure services due to their cost, but I lack the information to judge their expense myself. I believe that, as with the Azure environment itself, which was initially considered expensive but became increasingly popular over time, the Defender for Azure solution will also gain traction if its price becomes slightly more competitive.

When it comes to visibility into threats, 365 Defender is slightly complicated, and much more complicated than competitors like CloudStrike. That's just the "Microsoft way" where everything is usually slightly more complicated. The interface is not clear.

Also, it is not clear when the system is offering a recommendation or just a way to validate something. It is not clear what will be automatically done and what you will have to do yourself.

I have been using Microsoft Defender XDR for almost five years.

Microsoft Defender XDR is stable.

Scaling it is not easy and not complex. It's in between. With Microsoft, sometimes it feels like they hide the menus and you need to search for them with a magnifying glass.

The quality of technical support I receive varies depending on the country from which it originates. Sometimes, I feel I possess greater technical knowledge than the support representative and find it more productive to research solutions online, such as through Google. Conversely, I find that teams based in Europe or the United States typically provide more professional and informative responses.

Previously, we used ESET, Cisco Umbrella, and JumpCloud for endpoint security, along with Cisco web filtering. I found Defender convenient due to its integration within our existing Office 365 environment. Since Office 365 is built on the Azure platform and integrates seamlessly with other Microsoft services like email, SharePoint, and others, it was more natural to use everything under the Office 365 umbrella rather than navigate to third-party solutions.

Implementing Microsoft solutions has proven more complex than initially anticipated. Due to ongoing changes, the project remains in progress. Migrating from our previous third-party solutions and establishing full functionality required several weeks, potentially extending to three months.

We hired One Pass, an American consulting firm, for our project. However, I am dissatisfied with the work they delivered. One Pass is a large company with too many people communicating with us simultaneously. We had difficulty speaking to the appropriate person because individuals either transferred us to other employees or were unavailable due to vacation.

My advice is to read up on best practices so that you know what the best way to deploy it is. Otherwise, it will be a mess.

It is very effective as long as you don't need real-time information. For me, that's okay. When there is a need for real data, on the spot, which is not available from Defender, it is available CrowdStrike. But for the way I run my business, it is okay.

In terms of a best-of-breed strategy rather than a single vendor’s security suite, I would go with a single suite.

I would rate Microsoft Defender XDR an eight out of ten.

Microsoft Defender XDR is deployed across our organization, encompassing multiple locations, departments, and continents. With approximately 200 international users, we rely on a team of four in-house administrators for security management. Additionally, we utilize the services of external companies for first-line support, who also handle specific tasks within our Microsoft 365 environment.

Public Cloud

Microsoft Azure

We use Microsoft 365 Defender to protect our privacy.

Microsoft 365 Defender's XDR platform provides identity and access management which is important for our organization.

Microsoft 365 Defender's security extends beyond Microsoft technologies, which is important to our organization.

The multi-tenant management capabilities are easy and the support is 24/7.

It has helped save us approximately USD 1,000 per month.

Microsoft 365 Defender has helped save our security team time.

The most valuable feature is the network security.

Since all of our databases are updated and located in the cloud, I would like additional support for this.

I have been using Microsoft 365 Defender for almost four years.

Microsoft 365 Defender is stable. The only downtimes are scheduled by Microsoft and we are provided with advanced notification to prepare.

Microsoft 365 Defender is scalable.

Technical support is one of the reasons we chose Microsoft 365 Defender.

Positive

The initial deployment is easy. Microsoft 365 Defender is plug-and-play. The deployment takes a maximum of one day.

We also evaluated Kaspersky and Trellix XDR but found that Microsoft 365 Defender had additional features that met our needs and their support was better.

I would rate Microsoft 365 Defender nine out of ten.

Public Cloud

Microsoft Azure

My role is to monitor Microsoft 365 Defender. We investigate various alerts and incidents that occur there. We utilize the solution to block any malicious domains, URLs, or other harmful elements that could affect our environment. Microsoft 365 Defender is our tool of choice for this purpose, and it helps improve our secure score. We assess the available remediation options to determine if they are suitable for our enrollment. Additionally, we use it for email analysis and make use of all the features provided by Microsoft 365 Defender.

Microsoft 365 Defender offers excellent visibility into our environment. We have a dedicated team that focuses solely on handling threats. As for me, I mainly deal with the architectural aspects of the overall environment. However, we rely on Microsoft 365 Defender for threat detection, and in the future, we plan to implement Sentinel as well. The reason for choosing Sentinel is that its integration is much more compatible, as Microsoft does not send various logs for other third-party tools like QRadar or any other tool. Therefore, we have decided to move forward with Sentinel.

Microsoft 365 Defender assists in prioritizing threats across our organization by offering real-time threat analysis. However, it does not provide upcoming threat alerts, such as identifying vulnerable technologies for our environment. To secure them, we can access the security score and follow the recommended actions. The platform displays current metrics and trends.

We are currently in the process of integrating Microsoft Defender for cloud apps and Microsoft 365 Defender, with 80 percent completion. Both solutions work together to deliver coordinated detection and response across the environment. We have one unified dashboard to monitor and control both solutions from a single place.

To create a fully comprehensive threat protection environment, we will integrate Sentinel with Microsoft 365 Defender and Microsoft Defender for cloud apps. This integration will allow us to receive additional data related to threats that are currently not shared by Microsoft.

Microsoft 365 Defender is an excellent tool. It is compatible with Teams and Outlook, making it ideal for threat detection and mail security in a Windows environment, which is commonly used by many corporate entities.

Microsoft 365 Defender is helpful in automating routine tasks and identifying high-value alerts. The Microsoft dashboard facilitates the remediation of alerts by grouping alerts of the same kind, which is beneficial.

Microsoft 365 Defender helps reduce the number of dashboards we need to look at, but it does not completely eliminate them.

Microsoft 365 Defender has saved us time by consolidating many of our solutions into a single tool.

Microsoft 365 Defender helps reduce our MTTD, but Sentinel would help decrease our MTTD even further.

The 'Incidents and Alerts' tab is a valuable feature where we can find triggered alerts.

Microsoft Cloud App Security has now transitioned its alerts to 365 Defender. As a result, all alerts that were triggered in Microsoft Cloud App Security are now visible in Microsoft 365 Defender.

It is beneficial that we can search for any of the devices. If we choose any of the devices, it will display the alert, incident, and the entire timeline related to that particular device. These are the features covered, including the ability to run antivirus directly on the device, isolate the device, and apply restrictions. These are the positive aspects of the solution. The same applies to 'Identity' as well. 

We can also investigate that router using email. The image represents the user's complete inbox. We can find out who the main users are, what the titles of the emails are, and how much malware we have received, including the number of phishing emails. We can see all this information in that explorer. Additionally, that thing is also beneficial.

There is a section titled 'Action and Submission.' When we submit any kind of share value for evaluation to Microsoft, they take a significant amount of time for the process.

When discussing the secure score, which includes overviews and recommended actions, some of these recommended actions are not applicable to us, particularly those related to Microsoft Internet Explorer, which we do not use in any of our environments. Nevertheless, there are instances where options to disable macros and various configurations appear, even though they shouldn't be present.

I have been using Microsoft 365 Defender for two years.

Microsoft 365 Defender is stable.

Microsoft 365 Defender is scalable. The solution can handle numerous endpoints, and as our user base grows, the number of endpoints automatically increases.

Many times, the engineers assigned to our tickets are not very knowledgeable about the solutions and features.

Neutral

I would rate Microsoft 365 Defender an eight out of ten. There are many rapid and independent changes happening each month or every other month, making it difficult to keep track of them.

I prefer adopting a best-of-breed strategy instead of relying on a single-vendor security suite. I have observed this approach being implemented in numerous organizations.

Microsoft 365 Defender surpasses most platforms available in the market in terms of advancement and offers extensive integration with other Microsoft solutions. I highly recommend this solution.

Public Cloud

Microsoft Azure

We are a security consulting company that assists clients with their Microsoft 365 and Azure security and workloads. We can help optimize the use of their purchased feature sets and licensing, ensuring they get the most out of their investment for security and other workloads and features within the 365 and Azure environments. As information flows between their 365 and Azure environments, we offer expertise to ensure clients are utilizing all available resources effectively.

The majority of our deployments follow a hybrid model, which is currently the norm. Although there have been instances where organizations have fully migrated to the cloud, many larger enterprise solutions in the industry are still in the process of transitioning from on-premise to cloud-based infrastructure. Consequently, most of these solutions are currently in a hybrid state.

The visibility provided by Azure is multi-dimensional, and one aspect that I appreciate is the Microsoft 365 Defender portal. It not only offers Azure security but also a single-pane-of-glass experience where we can view our SaaS applications, email hygiene, and threats and alerts, all on the same page. The monitoring is exceptional, and the quality and depth of the telemetry are impressive. Clients appreciate the fact that we can access incident or alert details, including the affected entities and the timeline of events. For instance, we can identify where an email was opened, a link was clicked, and how malware or viruses spread across the network, causing damage. Additionally, the portal's ability to provide automated responses is second to none, and we can see how Microsoft's AI technology can isolate or stop these instances from further propagation. In summary, Microsoft 365 Defender is a powerful tool.

Microsoft 365 Defender assists in prioritizing threats within our enterprise by utilizing CVE security, a standard security prioritization method. This means that the product has incorporated industry standards into the Microsoft tenant, providing prioritized threats and best practice remediation. With the help of Defender, we gain insights on how to remediate and prevent future threats from similar malware or incidents.

We utilize several security products to ensure the protection of our data and identity. Our product offerings include Defender for Identity, Defender for Cloud, built-in tools for data governance and data protection, as well as compliance and monitoring through the compliance portal. Typically, clients with E5 or A5 licenses can benefit from these products, which cover a wide range of features for protecting data, and identity, and detecting risky behavior such as risky sign-ins and user behavior analytics. The behavior analytics feature, which is a part of our Defender product, has been particularly crucial for federal governments and other organizations with highly sensitive data. While all of our products are valuable and important, we believe that identity is the most crucial foundation to start with since it feeds into everything else.

The integration of Microsoft products is almost seamless, as long as we have the licensing piece. To enable sharing or maintaining telemetry across different solutions, we turn on Connect and switches for products like SharePoint, OneDrive, Teams, and Exchange. Setting up connectors for SharePoint on-premise or Exchange online may be necessary, but Microsoft provides setup wizards and good documentation on their website, making it easy to implement solutions. Any difficulties usually arise from user error or trying to integrate insecure legacy third-party software. However, most modern authentication and protocol software integrate seamlessly within the Microsoft environment. The Microsoft documentation site is excellent, with built-in training and links to assist with implementation.

The security solutions work together seamlessly to provide coordinated detection and response across our environment. One of the things I appreciate about these products is that the Defender products share telemetry across the board. For instance, if we set up Defender for Identity on our domain controllers, we need to grant permissions for that telemetry to be accessible from Microsoft 365 Defender in the cloud. This means we may have to give permissions to our on-premise domain controllers. While the integration is simple, it is essential to follow the documentation to ensure a seamless and easy-to-maintain setup, monitoring, and management of our Microsoft 365 and Azure ecosystems.

Microsoft covers all current threats that have been identified by various security organizations and standards. These threats are typically integrated into the Microsoft ecosystem, including zero-day detections. Microsoft is plugged into world-class cybersecurity organizations, ensuring that all vulnerabilities and updates are current and available in the Microsoft portals. The comprehensiveness of Microsoft's security coverage is top-notch, with seamless integration with other clouds and on-premise products. While there are other products competing in this space, Microsoft 365 users and organizations should not rely on third parties when Microsoft already has integrated solutions available.

Microsoft Defender for Cloud's bi-directional sync capability is crucial as it enables the transmission of telemetry data regarding SaaS application usage from client systems, on-premise devices, and any other systems that access the Microsoft 365 cloud. This feature ensures that real-time data is accessible for managed systems, providing immediate access to any detection of sanctioned or unsanctioned applications. The bi-directional sync capability offers immediate data feedback, which is essential for prompt action.

Microsoft Sentinel enables us to gather data from our entire ecosystem. However, it is important to note that using Sentinel requires a Microsoft subscription and a storage account. Therefore, it is necessary to consider the cost of data ingestion and aggregation. It is crucial to only ingest data that is relevant and beneficial for our security monitoring and data log aggregation. Simply collecting data without a specific purpose is not advisable. I advise our clients to focus on maintaining a lean monitoring and data log aggregation approach that yields security benefits. We can detect and query threats using the crystal query language that is integrated with Sentinel, making it a key component of our Microsoft security journey with our clients. Sentinel connects with everything and has native connectors and third-party options available. Additionally, Sentinel can be set up as a provider of security operations center capability by connecting it to another cloud.

Microsoft Sentinel allows us to investigate threats and respond to them in a comprehensive manner, all from one platform. What I find particularly impressive about Sentinel is its ability to provide both reporting and analysis through workbooks, and actionable response strategies through playbooks. In addition, Sentinel includes UEBA and threat intelligence capabilities. This raises the question of how we can evaluate the effectiveness of Sentinel's security protection. One advantage of Sentinel is that it not only detects threats but also responds to them using advanced DAI and intelligence technology. This allows us to take proactive measures and set up playbooks and other capabilities that integrate seamlessly with Sentinel. By taking telemetry from different products and environments, Sentinel provides a three-dimensional perspective that other products may lack. This helps us take the right steps toward risk mitigation or remediation by giving us current, broad coverage. With telemetry, we can take a holistic approach to secure entities affected by any type of alert or environmental compromise. Sentinel's ability to bring together reporting, analysis, and actionable response strategies makes it a superior product in terms of security protection.

The cost of Sentinel depends on the amount of data being processed. This is likely true for other similar products as well. Typically, the cost of using these products is associated with ingesting and aggregating data logs. However, I believe Sentinel's cost is competitive and provides an advantage, as it offers more than just a SIEM or SOAR solution. Sentinel includes response capabilities, which is where it excels. Therefore, I believe the cost is reasonable considering the benefits it provides.

After implementing Microsoft 365 Defender, our organization has observed a significant improvement in our security measures. We have noticed a substantial decrease in compromised accounts, access issues, and entry problems resulting from phishing attempts, emails, and other security threats. This improvement can be attributed to the robust exchange of online protection capabilities. The impact has been remarkable and has made a noticeable difference in our overall security. Additionally, addressing insecure applications operating within our environment and managing data governance has been a challenge. Data governance, in particular, can be time-consuming since data is ubiquitous and it takes time to establish the appropriate tools, labels, and policies to protect it. It requires a marathon-like approach rather than a sprint and Microsoft 365 Defender has helped reduce the time.

Our Microsoft security solutions automate routine tasks and aid in detecting high-value alerts. The ranking of these alerts is customizable, allowing us to adjust their priority based on our industry or organization's specific needs. While the default settings are effective, we appreciate the ability to modify them to better suit our purposes. This customization feature is particularly valuable as it allows us to tailor the alerts and detections to our particular use case.

The solution has helped our clients by eliminating the need for multiple dashboards and providing one comprehensive XDR dashboard. This has been the most significant feedback from our clients who prefer to have all information in one place instead of having to navigate through multiple portals. With the integration of Microsoft tools like Power BI, our telemetry can be displayed in different views and graphics, making it easily understandable for all stakeholders and users. Power BI can also import Sentinel queries, allowing for customized dashboards with a unique look and feel. I appreciate the flexibility and versatility of Power BI in creating informative and visually appealing dashboards.

The solution's threat intelligence helps us prepare for potential threats before they strike, allowing us to take proactive measures. I have witnessed some excellent updates that are posted on the Microsoft Defender portal. These updates have enabled us to stay ahead of any potential threats. When there is an attack, Microsoft is quick to disable affected services, such as service principals or services, across many servers and other devices, taking affirmative action ahead of time. I have observed many proactive notifications, including day-one or zero-day notifications, that are promptly released on the Defender side. This approach allows us to get ahead of the potential issues and prevent any significant impact.

The amount of time saved by using automation tools is significant and exceeds our expectations. While we sleep, these tools perform tasks such as deleting phishing and malicious emails and conducting automated investigations. This has resulted in a substantial reduction in the number of man-hours needed for Microsoft security and Defender product tasks, which has more than justified their cost.

Microsoft 365 Defender has saved our organization money.

Microsoft 365 Defender has significantly reduced our detection and response times. The proactive nature of the software alerts us to suspicious activity, such as a user logging in from an unknown location, allowing us to trigger conditional access responses accordingly.

In Microsoft 365 vendor products, monitoring and connectivity across all Microsoft and third-party connectors enable viewing of all activity within those environments. This is a key advantage for maintaining and monitoring usage, implementing security guardrails, and protecting data integrity and privacy from oversharing. Many clients face challenges in managing guest account access, SharePoint links, and access control. Thus, we recommend starting with access and entry as a foundational principle of security, using tools such as the identity secure score to assess the security journey progress. 

Microsoft 365 security portals cover four pillars: identity, applications, devices, and data, with Defender products geared towards identity protection being the most useful. These products help set up conditional access controls, privilege identity management, and risk mitigation strategies for legacy authentication and protocols. Defender products also provide visibility across third-party services such as AWS cloud, Box, Workforce, and other enterprise tools. Microsoft Sentinel, another useful product, provides a great solution for infrastructure visibility across Azure and on-premise infrastructure, albeit with associated costs for storage and subscriptions.

At times, there may be delays in the execution of certain actions and their effects. These delays are often related to Microsoft tasks that run in the background. For instance, when we perform an improvement action such as improving the secure score, it may take a few days before we see any changes. This delay can be frustrating, but it is still beneficial. We have also encountered issues with the secure score feedback when we set it up to work with third-party tools. We have reported these issues to Microsoft. To improve the situation, we need to fix this aspect of the solution so that we can receive secure score feedback closer to real-time or more promptly. This would be a significant improvement.

I have been using the solution for five years.

Stability has been good overall, but there was a recent incident where some of the most searched URLs were incorrectly tagged. This included URLs for services like Zoom, which caused concern among many of our clients. However, Microsoft has since corrected the issue.

Our licensing for Microsoft 365 Defender enables automatic scaling based on our needs. This means that the software's capacity will increase or decrease depending on our licensed usage.

The technical support we receive is of high quality. They effectively address specific incidents that arise, and their overall response time is satisfactory. We usually receive a response on the same day. In the rare event that an issue requires advanced technical escalation, they are able to provide us with a specialist within a day or two.

Positive

We have previously used CrowdStrike, McAfee, and Norton products but Microsoft 365 Defender is already included in the license we have with Microsoft so there is no need to pay for additional licenses.

The initial setup is usually straightforward, but it can become more complicated when we are dealing with scenarios such as bringing your own device or managed devices. In these cases, deploying can be a bit more challenging. However, I still believe that the process is generally straightforward.

Before deploying we typically do a pilot with the IT organization and once that goes well, we continue with the rest of the organization and their devices. We usually require between 10 and 20 staff for deployment.

The implementation was completed in-house.

The return on investment is significant. We have observed Microsoft 365 Defender's value in terms of saving man-hours that would have been spent sifting through logs and connecting information during investigations. The Microsoft tool provides us with an advantage by performing this task automatically, allowing us to take action on the information it has already gathered during the investigation. 

The cost of the solution appears to be appropriate, and we get what we pay for. Although I am aware that Microsoft has recently introduced licensing adjustments with plan one and plan two options, I have observed that they offer a higher level of benefits and value compared to our current solution. Nevertheless, we are taking steps to make our solution more accessible to various organizations, including educational institutions, by utilizing the licenses we have and pursuing certification for federal cloud services, despite the additional obstacles. Overall, I believe that the pricing of the licensing is fair.

I give the solution a nine out of ten.

We have a cloud environment, and for Microsoft 365 cloud services, our remote workforce is currently working from various locations. However, some resources and applications are still located on-premise and need to be accessed. To accommodate these hybrid environments, we usually use Azure AD sync to synchronize on-premise AD. This process can add some complexity.

Microsoft 365 Defender needs to be fine-tuned for optimal performance. In order to achieve this, adjustments need to be made based on the specific needs of the user. For instance, when tuning for phishing email security, there are different levels of aggressiveness available for the products. Fortunately, maintenance is quite minimal as Microsoft handles virus signatures, updates, and other related tasks. However, tuning is necessary for individual use cases, such as adding specific emails to an exception or whitelist.

Determining the best-of-breed in a given space can be subjective due to varying perceptions. While a best-of-breed strategy is effective in certain cases, it has limitations when compared to integration. For instance, when trying to identify the best tool for different security areas, having disparate solutions that don't communicate with each other can be problematic. Therefore, integration becomes a critical component in this context. Although having the best-of-breed approach is a great strategy, we also need to consider the benefits of integration and having a single pane of glass that provides an overview of all security aspects. This will help us avoid having to navigate multiple best-of-breed solutions in a sporadic manner.

My suggestion is for people to carefully review the documentation provided by Microsoft to gain an understanding of how the product works and how it fits with their particular use case and solution scenario. Negative feedback is often the result of a lack of knowledge or understanding. By taking the time to conduct a proper POC, engaging with the appropriate Microsoft representatives or consulting organizations, and being inquisitive, we can evaluate our current tenant and solution, and conduct a security assessment. This will enable us to make an informed decision about Microsoft products.

Hybrid Cloud

Microsoft Azure

We mainly use it to defend endpoints.

We have seen fewer threats with the solution. The attacks that we experienced in prior years have reduced drastically since we implemented Defender.

We also use Microsoft Defender for Identity. Their integration is very good. If you are a Microsoft 365 SaaS solution user, it is perfect. It works very well with all the services provided by Microsoft. These services work natively together to deliver coordinated detection and response across our environment. We are pretty much a Microsoft shop, so the integration of these different services is very important for us to secure our offices.

Microsoft 365 Defender's threat protection is very comprehensive. The service that is available now is much more comprehensive than what was available a few years back. The only area that I see lacking is the dashboard. I can create my own dashboard, but the preset security dashboards should be much more functional.

Its threat intelligence helps prepare us for potential threats and take proactive steps before the threats hit. The vulnerability scanning feature is great, and the Secure Score feature that scans the endpoints for vulnerabilities and keeps them up to date reduces a lot of the attacks that can possibly happen.

Microsoft 365 Defender has saved us time. It has saved at least 30% to 40% of our time.

Microsoft 365 Defender has saved us costs. Previously, we had to pay for third-party protection services separately, but because it is now integrated with our E5 licenses, it saves us a lot of money.

Microsoft 365 Defender has decreased our time to detect and respond. We now have visibility and this led to about a 20% to 30% reduction. 

The EDR and the way it automatically responds to ransomware and other attacks are valuable features.

The visibility into threats is not as good as other products in the market such as CrowdStrike, but if you know where to look, you can gain access to what is going on. The way the dashboard is designed is not as great as other products.

It helps to prioritize threats across the enterprise, but a lot of administrative overload is involved in determining which threats to prioritize. As compared to other products, it is a bit lacking.

Similarly, it helps to automate routine tasks and finds high-value alerts, but a little bit more automation would be appreciated.

Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented. That is because a lot of organizations that I have worked with over the past years do not have full-on SOC or threat detection services. They should put in more automated response capabilities and dashboards for smaller organizations.

I have been using this solution for almost three years.

It is a very stable product. Our attack metrics have come down drastically since we integrated with Defender. In my opinion, it is a very stable product.

It is very scalable. I do not know about third-party clouds or third-party solutions, but when you are a Microsoft shop or have Azure or a hybrid setup, it is very scalable.

We have multiple departments and multiple locations. We have client-facing computers, and we have in-house and on-prem computers. We also have Azure VMs. 

Their support can be better. Their response time is good, but their knowledge and documentation are a bit lacking. Technology is moving faster than the documentation and the knowledge that is being provided to the support team. Their support team pretty much looks at the same documentation that we are looking at, but the technology is moving a lot faster than they can catch up. I would rate their support a seven out of ten.

Neutral

We used CrowdStrike and Trend Micro. We switched to Microsoft 365 Defender because we wanted to integrate services.

The solution is deployed on the cloud, but the endpoints are connected on-prem. In our organization, we have quite a few endpoints, so it took about three or four weeks.

The setup will be straightforward for big organizations if they have a complete IT department, but for a small organization, implementing the same service becomes trickier because they do not have full-fledged IT departments. That is where the problem lies. 

More automation would be better. However, automation is present with Autopilot and other services where you can integrate everything.

In terms of maintenance, you have to fine-tune the services on a regular basis and tweak the deployment as per your requirements.

We have about eight admins who worked on the implementation of the solution.

We have probably seen 30% to 40% ROI.

It is fairly priced because we get complete integrated services with the E5 license.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single-vendor strategy worked for us because it brought down our investment in terms of licensing and cost. The deployment across the organization has been a lot easier than integrating third-party solutions in different areas of the organization. For example, Defender integrates very well with both the endpoints and the cloud. Whereas with a third-party solution, we have to get different applications that need to connect back to the service to get the solutions that we require. Native integration is very useful for us when it comes to Microsoft. That is what I would recommend.

If you are a Microsoft shop, I would highly recommend it, but you have to do a PoC.

I would rate Microsoft 365 Defender a nine out of ten.

We primarily use the solution for email protection to scan incoming emails and attack simulation. Attack simulation allows our users to practice detecting phishing emails without any risk. The product also gives us an overview of our security situation. 

We operate a hybrid environment with a wide variety of users around the world. 

We use multiple Microsoft security products, including Defender for Endpoint, Sentinel, and Defender for Cloud Apps.  

We have integrated all our Microsoft security solutions, and the integration is easy and seamless, though an Azure account is required to connect Sentinel with other products. 

The solutions work natively together to deliver coordinated detection and response across our environment.  

The multiple Microsoft security products provide comprehensive threat protection, especially by combining 365 Defender and Defender for Cloud Apps, Endpoint, and Identity.  

The solution allows us to remediate threats better, and the Microsoft Secure Score tells us where we need to improve the security of our organization.

365 Defender saves us time in the region of 10%.

With security products, it can be hard to determine how much money they save us by protecting us from attacks, but I would say our cost savings are around 15%. 

The tool decreased our time to detect and respond, as we can quickly navigate to the required dashboard to get on top of unfolding threats. It reduced the time by 5% for each.  

The attack simulation is excellent; initially, this feature wasn't very robust, but Microsoft improved what we could achieve with it. We can now customize our practice phishing emails and include our company logo, for example. Attack simulation also helps integrate with third-party solutions where applicable and provides an overview of our security architecture through testing. The summary includes areas for improvement in our protection and what steps we need to take to get there.

365 Defender works seamlessly with other Microsoft products like Defender for Endpoint, and once we've onboarded a device, it's easy to see the entire progression of a malicious email. This includes the IP origin, and these are some of the things I love about the product.

The solution provides us with excellent visibility into threats; there are various features that clearly show when our organization is under attack, which country the attack originates from, and what we need to do to mitigate it. 

365 Defender prioritizes threats across the enterprise, which is essential because it gives us an overview of what we need to do to improve our security. We don't need to think of what we must do which is significant for us. 

The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Over time, the threat intelligence learns and gets better, much like an AI.  

A simple dashboard without having to use MS Sentinel would be a welcome improvement. 

We sometimes get false alerts, and Microsoft told us the issue was with them and that they were aware of it. They were supposed to remediate it, but we had to do much ourselves. The false positives need to be reduced. 

We've been using 365 Defender for four years. 

The stability isn't bad, but we get too many false positives.

Microsoft has been able to scale up the solution over time, so it's scalable. All we need to do is purchase licenses according to our requirements. We have around 1,000 users.

The customer support is good, but there is room for improvement. 

Neutral

The deployment was straightforward and quick; it took minutes. Onboarding the other solutions can take a little longer, depending on the environment and migration methods.

The setup can be done by one or two staff. In a scenario with many thousands of users and a proficient security admin, the deployment could be done in 15 to 20 minutes. The solution doesn't require any maintenance on our end, as it's cloud-based. 

The product gives us an ROI as it protects our organization from potentially costly attacks. Our ROI is around 5%.

The product is fairly priced for what we get from it. 

I rate the solution seven out of ten. 

We use MS Sentinel, but I wouldn't say it ingests data from our entire ecosystem. It's straightforward to integrate, but getting the most out of Sentinel requires a lot of configuration, which needs significant expertise and time.

Sentinel enables us to investigate threats and respond holistically from one place, and that's important for us. The process is primarily automatic once the logic hub and configuration are set up.  

Regarding the comprehensiveness of Sentinel's security protection, it's less a tool for protection and more of a solution for providing an overview, management, and optimization of security processes. The most significant security features are found in the Defender line of products. 

We can automate some aspects of 365 Defender, but MS Sentinel is required for more complete automation.

365 Defender doesn't eliminate having to look at multiple dashboards; we still need to click through numerous dashboards for a complete security overview. Sentinel allows management from a single XDR dashboard.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say, why not save the stress of dealing with multiple vendors? You can have one vendor one click away and seamless integration between your products. 

I recommend the solution; I've worked with it in three different organizations and realized how seamless it is to use the Microsoft suite. They integrate well and help us protect all the services in Microsoft 365.

Public Cloud

Microsoft Azure

My company mostly uses Microsoft Office products, so we use 365 Defender for our security. 365 Defender is deployed globally, and it works the same whether you are in Europe, China, or India. It currently covers around 4,000 people worldwide. 

Defender reduced our attack surface with built-in rules for USB-based threats. Sometimes employees plug in a USB containing threats. Defender will immediately stop malicious executables from running. 

We have our own method for defining incident priorities. For example, most identity-related incidents are on the higher side. However, if we see a large number of low-level alerts affecting a single user in a short period, then those need to be checked. Automation can help in these cases. It's good to have, but I don't think Microsoft is currently very capable of machine learning. 

Defender has a security dashboard, but there is a different console for vulnerability management. We can create multiple reports where alerts are categorized and labeled, and Defender provides a single console where we can fetch all those reports. 

There isn't a foolproof method for preventing all cyber attacks, but best practices can reduce risks and limit the impact of threats. If you identify threats, you can build block lists and create regular employee training to tell people what to avoid. 

Preventing threats requires a strong firewall and antivirus solution. Defender is a good one. You can also implement threat prevention and detection technology in your remote environment. Nothing can completely prevent attacks from happening, but you can create policies using threat intelligence to ensure they are stopped. 

365 Defender helps us save time by simplifying threat response. For example, one of my customers uses USB to transfer data from one place to another. Some USB drives contain malicious programs, so I configured a rule to stop the executable. If a user copies documents from the USB with a harmful executable, Defender will lock it down. They can only copy the documents, but the executable will not run. 

It saves us lots of time. It reduces the time we spend on these tasks by about 50 to 60 percent. I switch it to audit mode and collect logs. After a month, I have received hundreds of alerts. With my rule in place to block USB executables, we no longer get alerts for that particular threat. Implementing that single rule reduced our alerts by around 30 percent. 

Defender reduces the detection time. We have a SOC team to review all those logs and alerts, and it helps them work quickly. There is little delay between detection and remediation. 

Microsoft Defender's most critical component is its CASB solution. It has many built-in policies that can improve your organization's cloud security posture. It's effective regardless of where your users are, which is critical because most users are working from home. It's cloud-based, so nothing is on-premise.

When dealing with remote users, you need the coverage of firewalls, antivirus, and all those essential security measures. There are multiple policies available that can help the organization secure its environment to prevent something malicious from entering. You need to flag users logging in from a different IP and guard against brute force attacks by detecting multiple failed login attempts.

There is also an option for identity. Most organizations aren't entirely on the Cloud. They still rely on on-prem data centers, so you need Defender for Identity. Another advantage of a cloud-based solution is that you don't need to constantly upgrade it monthly, quarterly, or weekly. All of your infrastructure is online. 

You need multiple solutions for outside threats. I can see if someone is logging in from a malicious IP before they can access the environment. You cannot completely block cybersecurity threats, but you can proactively resolve them and create a wall around your environment. 

365 Defender's attack surface reduction rules could be more customizable. Microsoft has its own pre-defined rules that can be adapted to every organization, but Defender should support the ability to create custom rules from scratch.

Defender also lacks automated detection and response. You need to resolve issues manually. You can manage multiple Microsoft security products from a single portal, and all your security recommendations are in one place. It's easy to understand and manage. However, I wouldn't say Defender is a single pane of glass. You still need to switch between all of the available Microsoft tools. You can see all the alerts in one panel, but you can't automate remediation. 

Automated remediation can be improved. I'm currently creating a remediation structure there and pushing it to my vendor, but the vendor should have their own way of resolving things. It only alerts you that something is happening. The security administrator needs to take action because Defender's automated capabilities aren't up to par. 

I have been using 365 Defender for more than a year. 

365 Defender is stable. I haven't seen an outage in the past year. We've had 100 availability. Occasionally, the servers go down for maintenance, and the sensors stop working. It doesn't happen frequently. 

365 Defender is highly scalable. 

Microsoft's support is excellent. Most issues resolve on their own, but when we need support, they typically resolve the issue quickly. 

Positive

At my previous company, we used other antivirus and identity solutions, but they weren't a complete package like 365 Defender. For example, CrowdStrike was our EDR solution, which had extended capabilities, or XDR. We had various solutions that collectively did the same thing as Defender. 

365 Defender is cloud-based, so the deployment is straightforward and only takes 10 to 15 minutes. You need to change a few configurations on your devices using Intune. One person is sufficient to do the job. It's a simple installer. 

After the deployment, you don't need to do any maintenance because it's on the cloud. The only thing deployed on-premise is the ATP sensor, which automatically upgrades. 

365 Defender is bundled with our Microsoft Enterprise license. Additional costs for support, etc. depend on the license level. If you have a premium account, you will receive priority support, but it costs more. 

I rate Microsoft 365 Defender a nine out of ten. I personally wouldn't recommend only using a single solution or vendor. If you don't try other products, then you won't be aware of what is happening in the market. There should be multiple products involved, so you can compare the solutions and go with the best one. 

Microsoft Defender XDR is our primary solution for security. We have a number of use cases across different environments, allowing us to secure all our use cases comprehensively.

One of the most valuable features of Microsoft Defender XDR is its ability to provide preemptive reports regarding excessive privileged access. This allows us to secure our systems in advance and proactively improve security, rather than waiting for incidents to occur. Additionally, it ensures that we are fully compliant before any audits are conducted, which has potentially saved our reputation. Furthermore, its integration across different environments allows central visibility for different workloads.

There is nothing I can think of at the moment that needs improvement. I am a contractor and finishing up soon, so I haven't encountered any issues requiring enhancements.

I have been working with Microsoft Defender XDR for a few years now, about one and a half to two years.

I was involved in the deployment, and it was very easy to set up and configure. I did not encounter any problem—it took half a day to a full day at most.

There are no complaints regarding the stability of the solution. It seems to do the job well.

The customer service is good, and they supported us well. Although it took some time, we got the required support in the end.

Neutral

The initial setup was straightforward, and I did not have any issues with it.

We used Teams for the deployment, but I could be wrong on that.

Overall, I would rate Microsoft Defender XDR a seven out of ten. It is a useful tool and not necessarily the best solution I've seen, but it is good and I wouldn't object to using it.

Other