Hussain Alrajeh - PeerSpot reviewer
Senior Technical Consultant at Alfanar
Real User
Helped us significantly improve our security score and automatically blocks malware
Pros and Cons
  • "I like that it's fully integrated with Windows, Microsoft 365 Exchange Online, and Outlook. It is better than other antivirus solutions because it's fully integrated with all Microsoft products. It's easy to integrate them and onboard all Windows devices from SCCM."
  • "The dashboard should be easier to use. There is also improvement needed in the reporting when it comes to exporting or scheduling reports."

What is our primary use case?

We manage around 5,000 computers inside and outside our company. I use Defender to work on our security score by deploying security policies. We apply all the security recommendations to our computers and patch all third-party applications. We check every day for malware to alert our security teams.

How has it helped my organization?

Seven months ago, our security score was 50 and it's now 84. We applied all the security policy recommendations coming from the solution and we became aware of the vulnerabilities and fixed them all, one by one.

We can also automate some tasks and that reduces daily work. And if we get an alert, and we know it is not a false positive, we automate things so that we don't get that alert again.

And if we find malware or a threat, we transfer it to level-one technical support to check and, after that, to the security team. But a lot of times, it catches malware and takes action to block it automatically.

Defender has also saved us money, about 30 or 40 percent. When we had Symantec, we suffered one attack against our company and we lost a lot of data and a lot of servers, and that was a lot of money. Since switching, Defender has been perfect, catching all malware and taking action automatically.

It has also decreased the time it takes me to check everything. I now spend only one or two hours a day monitoring things.

What is most valuable?

I like that it's fully integrated with Windows, Microsoft 365 Exchange Online, and Outlook. It is better than other antivirus solutions because it's fully integrated with all Microsoft products. It's easy to integrate them and onboard all Windows devices from SCCM. That is really amazing. Everything is clear in Defender. It's not difficult.

Also, everything for security is in one dashboard. It's great. It's not only for Defender but email and everything else. It makes things very easy. I can check everything at once.

What needs improvement?

The dashboard should be easier to use. There is also improvement needed in the reporting when it comes to exporting or scheduling reports.

Buyer's Guide
Microsoft Defender XDR
May 2025
Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,604 professionals have used our research since 2012.

For how long have I used the solution?

I have three years of experience with Microsoft 365 Defender.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It is also scalable.

On-prem, we have around 300 servers, a mix of Linux and Windows. We also have around 5,000 clients, all using Windows 10 and 11. We have a plan to migrate all on-prem servers to Azure. In the next six months we are looking to migrate 90 percent of them to the cloud. 

How are customer service and support?

I like their support sometimes.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used Symantec for antivirus and security and we migrated all users from Symantec to Microsoft 365 Defender. It's easier to use than Symantec or McAfee and we can use it anywhere because it's a cloud solution. Also, with Symantec, we suffered an attack and it did not do anything. In addition, we already had an E5 license with security so we decided to use this license more fully.

How was the initial setup?

I onboarded it to all machines using the configuration in SCCM. It was very easy. It didn't take much time.

Which other solutions did I evaluate?

We checked McAfee but we went with Microsoft because it has improved its product very quickly. Microsoft Defender of five years ago is not like it is now. Five years ago it was nothing, but Microsoft has improved it very quickly.

What other advice do I have?

It works with Microsoft Sentinel and integrates well with that, but we do not use Sentinel in our company.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Darrell Carr - PeerSpot reviewer
Enterprise Application Engineer at a legal firm with 1,001-5,000 employees
Real User
Top 20
I like that the solution is easy to use and the alerts are all in one central location
Pros and Cons
  • "I like that Defender is easy to use and the alerts are all in one central location."
  • "Defender XDR offers richer insights into Defender XDR. It's a better overall experience."
  • "Some of our older hardware experienced a slight bump in CPU and memory usage. Although I don't have empirical data to back that up, I would suggest possibly more streamlining in the software."
  • "Microsoft support is not very good. You get stuck in low-level support for way longer than you should, instead of them escalating the issue up the chain."

What is our primary use case?

We have it deployed as part of our security stack for our endpoints.

How has it helped my organization?

The technicians working on the issues have a clearer idea of a higher priority issue versus a lower priority. 

What is most valuable?

I like that Defender is easy to use and the alerts are all in one central location.

What needs improvement?

Some of our older hardware experienced a slight bump in CPU and memory usage. Although I don't have empirical data to back that up, I would suggest possibly more streamlining in the software.

For how long have I used the solution?

I have been using Defender XDR for seven months.

What do I think about the stability of the solution?

We haven't had any issues with it, so I don't have any problems with its stability.

What do I think about the scalability of the solution?

From what I have seen, it's easy to roll out to new onboarded machines and servers.

How are customer service and support?

Microsoft support is not very good. You get stuck in low-level support for way longer than you should, instead of them escalating the issue up the chain. This is kind of the same with all Microsoft support, not just XDR.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had BitDefender EDR, which is a pretty similar product, but we switched because we were trying to put everything under the Microsoft umbrella. We got good pricing on it and were happy with the results of the testing we did. Defender XDR offers richer insights into Defender XDR. It's a better overall experience.

How was the initial setup?


What was our ROI?

I don't personally crunch those numbers, so I don't know. But I know that we're committed to this for the future, so I would assume that we're doing okay.

What's my experience with pricing, setup cost, and licensing?

Defender XDR is priced comparably to other solutions on the market.

What other advice do I have?

I would rate Defender XDR as an eight or a nine. There is always room for improvement.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Anand R Menon - PeerSpot reviewer
Security Operations Lead at CrossCipher Technologies
Real User
Has eliminated the need to look at multiple dashboards and easily integrates with other solutions
Pros and Cons
  • "It's a very scalable tool that can be used in a very small environment or in a very large environment. Everything can be managed from a simple dashboard and can be scaled up or down depending on the customer's environment."
  • "Offboarding latency should be reduced. Even after a device has been successfully offboarded using a particular offboarding script, it still shows up as onboarded."

What is our primary use case?

We are a managed security service provider, and we use Microsoft 365 Defender to provide EDR and endpoint, and email protection to our customers.

What is most valuable?

Microsoft 365 Defender has great threat analytics integration. It has visibility into threat incidents that occur across different organizations, and this is directly integrated into the tool. Rather than checking for indicators that are available online, we can directly look at which endpoint or user has been impacted in the organization, and this makes our job easier.

Another valuable feature is vulnerability management. The inbuilt vulnerability management service automatically scans devices for vulnerabilities and separates them as critical and non-critical. We don't need to have a separate vulnerability assessment device.

In terms of prioritizing threats, we have come across vulnerabilities and threats that are present in our customers' environments and have been able to discover the devices that are vulnerable to particular attacks. We have then been able to immediately inform our customers and help them update to the latest version of the particular software that was vulnerable. There are automatic response actions in the tool so that a threat can be remediated within the tool itself.

I also like the lab devices that are available within the tool itself with which we can do all the tests. We can simulate some threat activities in these lab devices that are provided by Microsoft and don't need to prepare a separate device to validate it or to simulate a threat tag duty.

The threat intel integration provides great visibility into threats. Microsoft has a huge team that handles threat intel research, and their findings are integrated with their tools like Defender or Sentinel. The features within the tool itself work very well. There's an automatic threat handling module available in the tool, and there are lots of threat handling queries specific to different attack campaigns. We can run those queries to know if any IOCs related to those are present in the devices. Also, there are several inbuilt analytics rules available.

We have integrated Microsoft Sentinel and Office 365, and Defender and Sentinel as well. Some, like Office 365, are natively integrated, and there are connectors available for those that are not. It is easy to integrate the solutions. For example, to integrate Defender and Sentinel we just deployed a connector. There was a short latency period, but other than that, it was seamless.

The automatic investigation and remediation (AIR) feature helps to automatically investigate and terminate many of the malicious files. Without this feature, we would have the difficult task of going to each and every endpoint to delete a particular file or prevent execution.

Microsoft 365 Defender has eliminated the need to look at multiple dashboards and has given us one XDR dashboard. We have a wider range of visibility from a single pane of glass, which also makes it easier to manage.

Regarding saving time, the key has been the fact that everything can be managed from a single pane of glass where we have visibility into all of the endpoints and users. Previously, we had to look into each device belonging to the customer before deploying a solution. Automatic remediation and vulnerability management features have saved us a lot of time. The time-savings have resulted in saving us money as well.

What needs improvement?

Offboarding latency should be reduced. Even after a device has been successfully offboarded using a particular offboarding script, it still shows up as onboarded.

Licensing is also confusing, particularly with regard to Microsoft Defender for Endpoint.

A good feature to add would be automatic patch deployment. Currently, the vulnerability management feature shows all of the vulnerabilities present in different devices that have been onboarded. It shows what manual actions can be taken or what patches can be deployed, but automatic patch deployment is not an option. It would be great if a patch can also be deployed right from the tool.

For how long have I used the solution?

I've been using Microsoft 365 Defender for 1.5 years.

What do I think about the stability of the solution?

Other than a few times where we faced issues with hanging, the solution has mostly been stable.

What do I think about the scalability of the solution?

It's a very scalable tool that can be used in a very small environment or in a very large environment. Everything can be managed from a simple dashboard and can be scaled up or down depending on the customer's environment.

How are customer service and support?

We have had to rely on technical support quite a few times, and they have been very responsive. I'd rate technical support at nine out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

Because it's a cloud solution, Microsoft 365 Defender is easy to deploy.

What other advice do I have?

I prefer to go with a best-of-breed strategy rather than with a single vendor's security suite, but the tool would need to integrate with as many products as possible, as in an open XDR strategy. However, if you can't integrate with multiple devices by having an open XDR tool, it's best to have a single vendor's tool in order to have greater integration.

If you are looking into Microsoft 365 Defender, my advice would be to make sure that you know your licensing requirements. If you already have a Microsoft-based environment, then this solution may be a good fit as it will integrate with all other Microsoft products. Also, Microsoft is constantly improving their solutions, and it's a good time to be in the Microsoft security sphere.

Overall, I'd rate Microsoft 365 Defender at eight on a scale from one to ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
David Shlingbaum - PeerSpot reviewer
IT Development Manager, Architect, Developer at Miltel Communications LTD
Real User
Top 10
It gives you reports and updates about the latest hotfixes and zero-day vulnerabilities
Pros and Cons
  • "I like Defender XDR's reports and alerts. They give you updates about the latest hotfixes and zero-day vulnerabilities, which gives me all the information I need to maintain my servers."
  • "Defender's AI for identifying suspicious activity could be improved. Also, I do a lot of home updates. Maybe there is a way to set it up faster. For example, let's say that I want to automatically update seven computers, servers, etc. I wouldn't do it to a user, but maybe the server. I don't mind if the server restarts automatically."

What is our primary use case?

We're a small business. Defender XDR gives us a centralized security solution for monitoring our servers and some user PCs. We have around 30 machines, 10 of which are servers. 

How has it helped my organization?

Defender XDR saves the security team time by telling us what patches to apply. We also get preemptive notes about things that need to be done.

What is most valuable?

I like Defender XDR's reports and alerts. They give you updates about the latest hotfixes and zero-day vulnerabilities, which gives me all the information I need to maintain my servers. 

What needs improvement?

Defender's AI for identifying suspicious activity could be improved. Also, I do a lot of home updates. Maybe there is a way to set it up faster. For example, let's say that I want to automatically update seven computers, servers, etc. I wouldn't do it to a user, but maybe the server. I don't mind if the server restarts automatically.

For how long have I used the solution?

I have used Defender XDR for a year.

What do I think about the stability of the solution?

Defender XDR is stable.

What do I think about the scalability of the solution?

Defender is scalable. I haven't had any issues with that part.  

How are customer service and support?

Microsoft support is good. I usually don't contact them directly. We have a support partner. If there's an issue, they can resolve it with Microsoft quickly.

Which solution did I use previously and why did I switch?

We previously used Symantec antivirus. We're a small company, so switching wasn't a big deal. We switched because Symantec discontinued the solution we were using. They actually don't sell it anymore.

I wasn't involved in the decision to purchase Defender XDR. We are a small company, so we needed a vendor to support SMEs, and Microsoft caters to businesses of all sizes. We checked some other solutions but went with Defender because we're already on Azure, so the solutions complement each other.

How was the initial setup?

Deploying Defender XDR was easy. Our external security guy handled most of the settings and onboarding, and our IT guy handled a few of the problematic cases. Most of the maintenance was automatic.

What's my experience with pricing, setup cost, and licensing?

I don't know the exact pricing, but I believe Defender offered the best small business solution for the price.

What other advice do I have?

I rate Microsoft Defender XDR nine out of 10. I don't have experience with other XDRs that I can compare it to, but I think Defender is an excellent solution. It's fairly easy to understand and navigate, and it's a good value.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2313252 - PeerSpot reviewer
Senior Infrastructure Engineer at a manufacturing company with 51-200 employees
Real User
Top 20
Reduces our reliance on other products, adapts to threats, and saves us time
Pros and Cons
  • "The threat intelligence is excellent."
  • "Advanced attacks could use an improvement."

What is our primary use case?

We use Microsoft Defender XDR for antivirus, threat intelligence, and email blocking.

How has it helped my organization?

Microsoft Defender's XDR platform provides unified identity and access management. It has improved significantly, although other products remain slightly ahead. I would rate it among the top four or five XDR platforms I've used, and Microsoft is continuously enhancing its capabilities. Overall, it's a fairly good solution.

Consolidating identity and access management under one umbrella within Defender 365 offers significant advantages. This unified approach simplifies control and visibility, eliminating the need to navigate through different screens from multiple vendors. With everything centralized, we gain a comprehensive overview of all IAM activities and can easily access specific details through subcategories. The main page provides a clear starting point, highlighting key information and granting quick access to deeper levels of detail when needed.

While Microsoft Defender can effectively impede the lateral movement of advanced ransomware, it cannot guarantee complete protection. No system is perfect, and vulnerabilities will always exist.

Defender's ability to stop attacks includes its adaptability to evolving threats. Microsoft has been steadily improving Defender over the past few years, and they continue to do so. Several updates in recent months have changed Defender's functionality, making it more effective. While technology advances and tools like Defender improve, the skills of hackers and their tools also evolve. This necessitates continuous improvement to keep pace.

Adaptability to evolving threats is crucial. A static system is vulnerable to attack. Its unchanging vulnerabilities can be readily identified and exploited, allowing unauthorized access and manipulation. Constant improvement is necessary to maintain security.

While we have reduced our reliance on other products, we haven't eliminated them at this time. We are actively reducing our use of other products as we progress. Once we have completed the configuration and setup process for Defender XDR, we can then fully transition to using it as our primary product.

Defender XDR has saved our security team approximately two hours per day. Automation is improving steadily, allowing us to automate audit file processing and scheduling. This provides us with continuous insight into our environment. The main page offers a high-level overview of current activity, enabling us to quickly identify any anomalies. Our security team can then address these anomalies promptly.

What is most valuable?

The threat intelligence is excellent. Email collaboration is very good. Device protection is useful. Overall, 90 percent of Microsoft Defender XDR is used weekly, primarily for email collaboration.

What needs improvement?

Advanced attacks could use an improvement.

For how long have I used the solution?

I have been using Microsoft Defender XDR for almost four years.

What do I think about the stability of the solution?

I would rate the stability of Microsoft Defender XDR a nine out of ten.

What do I think about the scalability of the solution?

Microsoft Defender XDR is scalable and we are planning to increase the usage.

How are customer service and support?

The Microsoft technical support I used in the past was quite good. They were typically responsive and efficient, providing solutions quickly. However, I haven't needed their assistance in the last year, so I can't offer an updated assessment.

Which solution did I use previously and why did I switch?

Our past experience includes Sophos, Check Point, and ESET. We briefly utilized SentinelOne as well, but ultimately opted for Microsoft Defender XDR. We had Defender included in our purchases but it wasn't being utilized fully until I fine-tuned and set it up to work more efficiently.

What other advice do I have?

I would rate Microsoft Defender XDR an eight out of ten.

We require three people for maintenance.

We have Microsoft Defender XDR deployed across multiple locations, roles, and teams.

Before implementing Microsoft Defender XDR, ensure that all the features will be utilized otherwise it is more cost-effective to go with a smaller package that includes only the features needed by the organization.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AkashGupta2 - PeerSpot reviewer
Microsoft Security Solution Architect at a tech services company with 1,001-5,000 employees
Reseller
It's easy to ensure compliance with data regulations through the portal, which has templates for various regulations on medical privacy and personal data
Pros and Cons
  • "The most valuable feature depends on the scenario. For compliance, I like Microsoft Purview Information Protection and Data Loss Prevention. Sentinel is the most helpful feature for security. 365 Defender helps us prioritize threats across an enterprise. It's a crucial feature for the managed services team."
  • "365 Defender has multiple subsets, including Defender for Cloud Apps. When integrating Defender for Cloud Apps with apps on third-party cloud platforms like AWS or GCP, there are limitations on our ability to control user activities. If Microsoft added more control over third-party products, that would be a game-changer and help us quite a lot."

What is our primary use case?

I'm a Security and Compliance consultant providing 365 Defender as a security solution for my clients.

How has it helped my organization?

All our solutions are Microsoft 365 products, including security, identity, etc., so we have better protection from advanced cyber attacks. It's also easier to ensure compliance with data regulations through the Microsoft Purview portal, which has templates for various regulations on medical privacy and personal data.

365 Defender helps us automate routine tasks and prioritize high-value alerts. Automation allows us to use time more efficiently. It makes functions easier by consolidating data from multiple Microsoft portals into a single dashboard. You can customize the playbook however you like and get a centralized view of the various components.  

The Threat Explorer feature helps us understand emerging threats in real-time and take steps to safeguard our environment. 365 Defender saves us money because it's a bundle. If you purchased each of these solutions as a standalone product, it would cost you more than $60 per user per month, but you get them for $12 a month in a package.

365 improved our detection and response times because we catch issues earlier in the chain of events. All the components of 365 Defender work together to provide instant detection. 

What is most valuable?

The most valuable feature depends on the scenario. For compliance, I like Microsoft Purview Information Protection and Data Loss Prevention. Sentinel is the most helpful feature for security. 365 Defender helps us prioritize threats across an enterprise. It's a crucial feature for the managed services team. 

I also have Defender for Cloud Apps and Defender for Office. Integrating other Microsoft solutions with 365 Defender is seamless. Microsoft has better documentation than some other solutions. I also work on AWS, but I feel more comfortable with Azure. There are some limitations with a standalone license, but integrating Microsoft products is a seamless experience that produces insightful analytics.

Sentinel enables us to ingest data from our ecosystem, giving us a complete picture of the entities associated with an incident. Those analytics are pretty helpful. We develop playbooks customized for any executive or developer-based summary. It depends on what we want to show and our creativity. 

What needs improvement?

365 Defender has multiple subsets, including Defender for Cloud Apps. When integrating Defender for Cloud Apps with apps on third-party cloud platforms like AWS or GCP, there are limitations on our ability to control user activities. If Microsoft added more control over third-party products, that would be a game-changer and help us quite a lot.

For how long have I used the solution?

I have used 365 Defender for five years.

What do I think about the stability of the solution?

365 Defender is stable.

What do I think about the scalability of the solution?

365 Defender is scalable. It's easy to create and manage groups, set policies, and add users. 

How are customer service and support?

I rate 365 Defender support a seven out of ten. When I raise a ticket, I'm usually redirected to a third-party vendor like Convergence. I would prefer it if Microsoft India handled our tickets instead. That would be helpful. The third-party vendor sometimes doesn't have comprehensive knowledge of the product. 

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment varies from client to client. Our implementation strategy is based on the client's business requirements and the RFP. You need at least two people to deploy 365 Defender, but you might need more support staff for larger jobs. 

It all depends on how a client wants to proceed, but we typically perform an audit before consulting to identify missing components or security controls. For example, if the client requires HIPAA compliance, we must control the data about specific patients. After following up on everything, we recommend the appropriate Microsoft product, and each has a separate timeline. 

I'm on the consulting side, so once we are done with the implementation, a managed services team takes over the maintenance on an SLA of one to three years. 

What's my experience with pricing, setup cost, and licensing?

The price of 365 Defender is reasonable. 

What other advice do I have?

I rate Microsoft 365 Defender a ten out of ten. Microsoft is a one-stop solution, and it has an answer for any problem you're facing. Before implementing 365 Defender, you should be clear about the problem you want to solve. Hiring a consultant can help, but typically, my clients know maybe three out of the five things they should know. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
SOC analyst at a computer software company with 1,001-5,000 employees
Real User
Good incident graphs and vulnerability scanning but AI needs to improve
Pros and Cons
  • "It reduces the risk of users accidentally clicking on phishing emails."
  • "The AI could be improved. As an analyst, I want to be able to interact more with AI. The AI simply sends summaries. I can't ask it, for example, if it has seen any suspicious activity with device two. I have to go and check device two for myself."

What is our primary use case?

We use Defender XDR to monitor our network. We use it to analyze email and check endpoints.

How has it helped my organization?

XDR is our second solution. We have two. We have it in basic mode as an antivirus and as an XDR. We use the DLP in our company as well. We can look at threat intel for vulnerabilities, and we check to see if vulnerabilities are present within our environment. We do that through Defender. It's useful for threat hunting. 

We have it integrated with Sentinel and we manage our incidents from Sentinel. We can do a detailed analysis of what actually happened, and it gives us the ability to log in remotely on devices. For example, if you have a problem with your PC, one of my colleagues can take the file from the PC remotely. As long as you have permissions as an administrator you can do that. Otherwise, you can create an incident and escalate it to the right admin.

The file analysis is helpful. When we have phishing emails Microsoft itself can analyze the file in the sandbox and then give you a detailed report. It's helped us respond better and increased the security of our organization.

What is most valuable?

I like the attack graph of each incident. It's really handy, and there's a summary. For example, you can see what had happened with a timeline. And if you go to investigate, the evidence will be there, including the users and devices. Co-pilot is integrated there as well. With just one click, you have a summary of what to do and the next steps. For young analysts, it is quite helpful.

You can have security administrators or global administrators. You can set up different permission structures outside of Defender.

The solution's security extends or covers more than just Microsoft technologies. Linux machines can be used, for example. It is possible to install an agent for Linux so you can monitor also Linux machines.

Apart from having everything within the same console, you have alerts.

The attack disruption capabilities positively affect our security operations. We can integrate with third parties. If an email comes in with a file attached, Microsoft's intelligence would be able to tell if it's a phishing scam, and it can automate the deletion.

We do educate and train our users, however, it provides an extra security layer that catches suspect emails. It reduces the risk of users accidentally clicking on phishing emails. 

The solution adapts to evolving threats. It's a next-generation solution. The machine learning and AI are integrated. With the help of machine learning, it can block quite a bit of suspicious activity.

It offers multi-tenant capabilities. We have four different tenants, and for each, we have a different console, so I don't directly deal with multi-tenant capabilities; however, it is possible. 

We do use the solution with a variety of others. We haven't reduced the number of other products we use for security. However, it's quite handy. It blocks a lot of malicious attempts. Nothing really gets by it. The automatic incident response and protection have kept us very safe, even though we do have other backups there on offer as well. 

We've saved a lot of time with the automated detection. It reduces the time we need to respond and react. We've saved maybe 30% to 40% of the typical amount of time it would take, thanks to automation. For example, if a phishing email goes to the XDR and we had to do an analysis and a report, that alone might take 20 minutes to an hour. Then, we have to remediate, delete, and block. With automation, we can save those 20 minutes to an hour. The process is automatic, so we don't have to do it manually. Also, if you have a bunch of suspicious domains or IPs, it will take time to manually go through everything, one by one. However, we can automate the blocking process and save ourselves a lot of time.

What needs improvement?

The AI could be improved. As an analyst, I want to be able to interact more with AI. The AI simply sends summaries. I can't ask it, for example, if it has seen any suspicious activity with device two. I have to go and check device two for myself.

For how long have I used the solution?

I've used the solution for 15 months so far.

What do I think about the stability of the solution?

The solution is quite stable. I'd rate stability eight out of ten.

What do I think about the scalability of the solution?

We have 15 to 16 people using the solution in my organization. Then we have users on various Microsoft accounts. There may be 50 or more users in total. We have the solution spread across multiple locations. 

It's a scalable product.

How are customer service and support?

I've had colleagues mention that they were very pleased with Microsoft's support. Once you open a ticket, the response you get is usually within an hour or two. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I do use different solutions. Microsoft is very good compared to other market leaders. It's a leader itself. I've used CrowdStrike, for example, and I'm familiar with Zscaler. 

How was the initial setup?

My understanding is that it is quite easy to deploy the solution. Between deploying the agent and the initial installation, it may take one to two hours. Then, of course, you have to customize the product. However, as a SaaS product, it's very easy to deploy. I'm not sure if any ongoing maintenance is needed after deployment.

What's my experience with pricing, setup cost, and licensing?

I don't have visibility into the pricing. However, Defender is included in the price of a larger bundle. As a Microsoft customer, it's my understanding that users can access discounts. 

What other advice do I have?

I'm a Microsoft customer. 

I'd advise new users to try a proof of concept. Before the solution is implemented, figuring out the grouping will be very important. You'll want to implement policies based on groups, so they need to make sense. For example, it would be easy to create a structure based on departments.

I'd recommend the solution to others. Microsoft is quite handy. You can get a full overview of your vulnerabilities, which makes investigations easy.

I'd rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Alok Kumar Singh - PeerSpot reviewer
IT System Security Analyst at a tech services company with 1-10 employees
Real User
Top 10
Easy to configure and customizable with good threat protection
Pros and Cons
  • "You can configure the product very easily."
  • "The solution can improve the rules and privileges it offers."

What is our primary use case?

I'm using the solution for security.

How has it helped my organization?

Previously, we weren't using anything and now we can configure privileged access and rules. We now operate in a more secure environment. 

What is most valuable?

It's great that it's a cloud solution. You don't need to worry about physical hardware.

You can configure the product very easily. It's simple to implement and easy to run.

The XDR platform provides unified identity and access management.

We only use it to cover Microsoft products; it works really well. 

365 Defender stops lateral movement of advanced attacks, like ransomware or business email compromise. It protects us from spam and ransomware. 

So far, we haven't had any attacks. It also allows us to adapt to evolving threats. 

We use the solution's multi-tenant management capabilities. It's easy to access and helps with investigating and responding to threats across tenants. 

With Microsoft, we get multiple services under one platform.

With Defender, we've been able to reduce costs. We've likely saved around 25% in costs so far. We've also been able to save time - around 10% to 20%.

You can customize the product based on your requirements - and everything is available under one platform.

What needs improvement?

The solution can improve the rules and privileges it offers. They need to be more transparent with changes. Often, changes come too rapidly.

For how long have I used the solution?

I've been using the solution for seven months. 

What do I think about the stability of the solution?

The solution is a stable product. I'd rate it nine out of ten.

What do I think about the scalability of the solution?

It's scalable. I'd rate the ability to scale nine out of ten. You can scale according to your needs. 

How are customer service and support?

Support is very good. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I also use SentinelOne and Splunk. Microsoft Defender is easy to implement and is user-friendly. Splunk, however, is not user-friendly.

How was the initial setup?

The deployment is easy.

We have 20 to 30 people working on the solution. 

There isn't really any maintenance needed. 

What's my experience with pricing, setup cost, and licensing?

The pricing is reasonable. It's cheaper than other options. 

What other advice do I have?

I'm a Microsoft customer. 

I'd rate the solution eight out of ten. 

I would recommend the solution to others.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender XDR Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025