Microsoft Defender XDR Reviews

We are yet to use Microsoft Defender XDR for ourselves as we are yet to procure the product.

Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans. Additionally, the threat detection at the OS level is a very good feature of Defender.

Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products.

We have not yet used Microsoft Defender XDR as we are yet to procure the product.

I was working with CrowdStrike before Microsoft Defender XDR. CrowdStrike has advantages in terms of threat hunting.

We are doing it for the first time, so I have nothing to compare in terms of ROI.

The pricing is a little high, however, it is on par with other competitive tools in the market.

I have not evaluated other XDR solutions besides CrowdStrike.

I would recommend Microsoft Defender XDR to others as long as they are aligned with Microsoft products, cloud, or on-prem, especially if they are using Microsoft Windows architecture. I would rate Microsoft Defender XDR six out of ten overall.

We primarily use it for endpoint security. Specifically, it serves as our solution for antivirus detection, malware detection, and related aspects focused on safeguarding individual devices. 

Its single-pane interface is a time-saving feature, as it eliminates the need to check different locations which is excellent for efficiency. It allows us to phase out the use of other security products. For example, we previously ran Sophos on-premises. However, upon transitioning to Microsoft 365 and leveraging the included Defender, we discontinued the use of Sophos. This shift not only streamlined our security approach with a unified solution but also contributed to cost savings, as everything is encompassed within the same license—a concept that aligns with the efficiency of a single-pane interface.

The most valuable aspect is that it comes included with the licensing, which is excellent. It provides a single pane of glass within the 365 admin interface, streamlining our experience by consolidating information in one place and eliminating the need to navigate through multiple interfaces.

It would be highly beneficial if CoPilot could identify anomalies within the network and notify the IT team. For instance, if a user typically accesses around a hundred megabytes of data daily from familiar files and locations but suddenly diverges to an uncommon destination, uploading ten gigabytes of data to an unfamiliar website, that would be a significant anomaly. Pausing such activity and alerting the IT team for a human assessment would be a valuable feature to ensure security.

I have been working with it for three years.

No stability issues noted, and there haven't been any concerns regarding false positives. Overall, the experience has been positive.

Scalability is straightforward; no issues are encountered. We predominantly use Windows 10, and so far, I haven't observed any issues. Some of us have transitioned to Windows 11, and it appears to function well.

We haven't contacted their tech support, which I consider a positive indicator.

In terms of ROI, our expectation is to gain a comprehensive analytical perspective by upgrading to E5, activating Sentinel, and deploying other products like Entra. This move aims to provide a more extensive understanding of user activities, login details, and other relevant metrics. Currently on a three-year Microsoft term set to end on April 1st, we've inquired with our vendor about transitioning from E3 to E5 immediately.

In our security solution evaluation, we considered Trend Micro and Sophos, focusing more on Sophos due to its cloud version. However, challenges in patching the on-premises Sophos led us to choose Microsoft Defender. The simplicity, inclusion in our package and regular patching made Defender more attractive. Additionally, our decision was influenced by community adoption, as no other law enforcement agencies in Canada were using Trend Micro. Defender's seamless integration and zero additional cost aligned with our strategy of opting for solutions without extra expenses.

Overall, I would rate it eight out of ten.

We implemented Defender two and a half years ago, utilizing it in a passive mode with only the sensor active for data collection and basic EDR results. Although it has been running on all devices, we are currently in the process of making the final transition from the existing setup to fully leverage Defender as our EDR solution.

We utilize analytics on both iOS and Android platforms, and it holds significant importance for us. Compliance with mandates, often stemming from executive orders, requires meeting specific contract requirements. In response, we employ analytics to implement and maintain controls consistently across various device types. The capability to adapt to emerging threats is of utmost importance to us. We lack the time and resources to constantly learn about new indicators and threat actors. We expect that the threat intelligence from Microsoft and other providers seamlessly integrates into the system, enabling automatic updates based on the current global threat landscape. The unified single pane of glass is a significant benefit. It consolidates everything into one interface, eliminating the need to navigate through multiple portals for information.

The greatest value lies in integration, I believe. The ability to integrate and observe a more cohesive narrative across the products is crucial.

There are still some components, such as vulnerability management within the vendor product, where improved integration would be beneficial. Currently, it's not visible in the same interface, requiring us to search elsewhere to access that information. While it has streamlined data collection and retrieval, there's still room for improvement in terms of user-friendliness for certain individuals. While the ultimate goal is to enhance security, there's room for improvement in terms of pricing.

We are currently in the migration process from Sophos to Microsoft Defender.

It offers high stability.

The backend infrastructure and structure in place seem to be easily scalable to meet our requirements.

Customer service and technical support vary. Opening support cases for different components within the security stack or Microsoft entity often reveals that first-level support is lacking. It typically takes two or three weeks to get an escalation, and by then, the issue may have resolved itself. Escalations are challenging, as first-level support struggles to comprehend the problem, leading to repetitive discussions. I would rate it four out of ten.

Neutral

We transitioned from Sophos to Microsoft Defender primarily due to cost reduction and the elimination of duplicated technologies.

The initial setup used to be complex, but now it's much more streamlined.

We follow a phased approach for deployment, beginning with a proof of concept pilot. However, our main deployment cycle revolves around Defender, facilitated via Intune, where all devices are managed. Building the package and incorporating scripts into Intune is the key process for the sequential implementation, which has evolved over time. Maintenance involves keeping pace with changes, not just patching. Microsoft has significantly improved patch cycle management, but dealing with the constant stream of changes they introduce remains a challenge.

It proved to be effective in cost savings. Our return on investment is tied to the existing investment in the current SKU. We anticipate not only recouping the dollars spent but also gaining the advantage of a unified interface, a single pane of glass. This consolidation allows us to streamline our operations, saving valuable time and effectively reclaiming productivity that would otherwise be spent navigating between different platforms on a daily basis.

When seeking a security suite, even with an E5 enterprise license, additional purchases are still necessary. The license cost for a year is approximately forty-four thousand, and this annual saving is a significant factor in our decision to switch.

In the past, we explored alternatives such as Carbon Black and Cylance, particularly for their machine learning and AI components, which were quite innovative at that time, approximately three years ago. However, our approach has evolved, and we've shifted significantly towards the Microsoft Stack. The decision is influenced by our existing environment, where we can readily assess the capabilities available within Microsoft.

The critical aspect is comprehending your existing setup. During our migration, we opt for a like-for-like transition instead of going for something entirely new, as the latter could be disruptive to some processes. Defender offers extensive capabilities, but understanding where to begin is crucial to avoiding disruption. Start with a like-for-like migration and plan the subsequent ramp-up to align with its capabilities. Overall, I would rate it eight out of ten.

I primarily use the solution as an engineer. I use the product to protect the endpoint and I use it to protect my customer's environment. 

The web protection on offer is very good. For a company that doesn't have a firewall, it's quite useful.

It gives feedback and helps protect internet access. It provides you with analysis on the state of the environment and you have a direct link to Microsoft which is doing its own research on security. You're constantly getting feedback from Microsoft resources so that you can be up to date in your own environment and you'll have a better understanding of the security landscape. 

The solution is great for companies on a budget.

Defender provides helpful visibility into threats. It covers a lot and comes with a next-gen antivirus. With that, you can register to the cloud, and, if you have cloud protection, your environment is protected even more. 

It helps us prioritize the threats across our enterprise. It covers all of our devices. You can cover your entire operation with the license you purchase.

Microsoft 365 Defender is easy to integrate with other products. You just have to configure some things in order to integrate everything and you are SDR compliant. We currently have it integrated natively, so we don't have to worry about configurations.

The comprehensiveness of Microsoft's threat detection is good. Microsoft provides a lot of security. It gives you visibility and IT has a lot of control over everything. You can see your environment, including clouds. You can block things within your environment as needed. The applications are easy to manage. It also has app governance to be able to gain visibility into permissions.

The product has helped automate routine tasks and the finding of high-value alerts. It has an automatic investigation feature that you can enable. It's great for automation. Thanks to automation, it has helped reduce the time it takes to analyze security events and alerts. You don't have to wait to take action. If there is a threat, you can neutralize it faster and it will record everything for audit records. While I know it has saved us time, I can't quantify that into a specific amount of hours.

We no longer need to look at multiple dashboards. Now, everything is centralized under one dashboard. 

The product's threat intelligence helps us prepare for potential threats and take proactive steps. Since we've been using it, we've had no security incidents.

The only issue I've had is, when it comes to deployment, the steps I must take around policy setup. That is challenging. We're working on the onboarding and configuration policies. We're collecting feedback from customers and partners in hopes of refining the future design for deployment.

I've used the solution for about two years.

The feedback I have received from customers is that the stability is very good. 

The product scales well.

If you have a license through a partner, it's the partner that will support you.

The only issue with Microsoft is the response times. They are very competent, however, sometimes you will send an email and get no response. 

Neutral

I previously used Sophos. I then switched to Microsoft Defender. The Sophos deployment is quite easy in comparison. You can do everything from a single portal. They had already achieved effective centralization. 

Right now, there are two different ways to onboard. You might have to have a different partner to configure policies. However, right now, you can also create policies from the activity center, so you don't have to do it from the device itself.

How long a deployment takes depends on your scope and the number of devices you are covering. 

If you do not get a license for the portal, you'll have to use the manual to deploy. If you have an older server you may encounter some issues. However, if you upgrade the server at the same time, you'll have fewer problems.

We do use more than one Microsoft security product. We've integrated with other products. 

I do not make use of the directional sync capabilities at this time. I'm also not using Microsoft Sentinel.

I'd rate the solution eight out of ten. If the deployment of the agent was better, I'd move my grade closer to ten. It should be more automatic. You also shouldn't have to install the logs. 

The main use case has been for threat hunting, not in the sense of actively looking for the threat, but in terms of analyzing the ongoing process within clients' machines. I was looking into what kind of changes happen when you install any new software and it asks for so many permissions. I wanted to analyze the criticality of the permissions being asked and so on. Usually, when we install any software, we just click next, next, and next. We don't look at the details. So, my role was to check how it behaves within a system. For that reason, I used Microsoft Defender. 

I used the query language to do advanced threat hunting. I ran different queries to collect the data. The data was then brought into Power BI. We had data coming from different channels. So, we used Power BI to collect it at a single point.

My usage of it was on a very small scale. I am not aware of its overall impact on the organization, but it did help us a lot to know and achieve what we wanted to achieve. Without Microsoft 365 Defender, the detection for our use case would have been impossible.

It provided more visibility into threats, and it came with some of the default functions from Microsoft, which was an advantage. They had already defined different tables in advanced threat hunting, which was very helpful. I am not aware of other vendors providing that.

Its threat intelligence helped to prepare for potential threats before they hit and to take proactive steps. That was my target for that project. We were actively looking for vulnerabilities inside the software, and we wanted to detect the software supply chain aspect. That was a difficult task, but we wanted to be ahead before any attack happened. That's why we were using Microsoft 365 Defender.

It saved time. They had already defined different tables to identify different artifacts within the system, which saved about 50% of our time.

Within advanced threat hunting, the tables that have already been defined by Microsoft are helpful. In the advanced threat hunting tab, there were different tables, and one of the tables was related to device info, device alert, and device events. That was very helpful. Another feature that I liked but didn't have access to was deep analysis.

I liked its portal a lot. I am currently using a different vendor, and there is a big difference between them. Microsoft had a very good portal, and its user interface was good. Irrespective of where I was, with a click, I could see comprehensive details about something on the right side. The related information was always on the right side. So, I didn't have to jump over different tabs and functionalities. The information was always there on the right side, which is something I liked in Microsoft 365 Defender portal.

The documentation on their website is somewhat outdated and doesn't show properly. I wanted to try a query in Microsoft Defender 365. When I opened the related documentation from the security blog on the Microsoft website, the figures were not showing. It was difficult to understand the article without having the figures. The figures were there in the article, but they were not getting loaded, which made the article obsolete. They should refresh all their articles and see that the steps and figures aren't missing. They can also provide more documentation.

I used it just for four months in a previous company.

I never had any problems with it. It was always stable.

It's scalable. You can query each and every machine in the company.

I was working for a client, and that client had more than 50,000 people.

I never contacted them directly, but based on what I heard during the meetings, they seemed to be quite helpful and good.

I didn't use any other similar solution before Microsoft 365 Defender. That was the first time I used Microsoft 365 Defender. That was my first experience. Now, I'm using a different product, and I can see that Microsoft 365 Defender was much better than the current product.

Microsoft 365 Defender is very good for analyzing something. There are multiple types of data and multiple ways to utilize that data. With a single click, you can have all the related data for a particular topic. That's really good, and that is what I'm missing in the current product.

I did not use Microsoft Defender for Cloud, but I saw the cloud part for monitoring cloud applications. It was nice, and it had some added functionalities. For example, application risk scoring was very good. It shows what data has been considered to give a particular risk score, which is useful for a new learner like me. It was helpful to know the criteria for scoring. They also included so many applications. There were more than 24,000 cloud applications inside their catalog. That's a really good catalog.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would agree that multiple vendors are better than a single vendor because every vendor has different capabilities. It's always better to use the best products from different vendors than to use all the products from the same vendor.

I would rate Microsoft 365 Defender a nine out of ten. 

Our primary use case for Microsoft Defender XDR is to serve as our email security solution, offering file protection, scanning, alerts, and incident management. It is a part of every Microsoft 365 deployment we do.

The integration of Microsoft products simplifies management, reporting, and investigations. It offers capabilities that other solutions don't offer.

The feature I find most valuable is Defender for Endpoint. It's because endpoint management is my primary focus, and this feature integrates well with my other skills.

The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users.

I've been using Microsoft Defender XDR for about ten years since it was known as Office 365 Advanced Threat Protection.

I have no concerns about the stability of Microsoft Defender XDR.

We are only a small organization, and our operations don't even challenge Microsoft Defender XDR's capabilities.

The customer service and support have been good. Whenever it is needed, they are fast to respond.

Positive

We used various solutions over the years, but since then, we've been using the Defender variants.

The initial deployment was straightforward.

We implemented Microsoft Defender XDR ourselves in-house.

There are no issues with pricing, but sometimes, the clarity in licensing is a concern. I still need to verify what's included with each license occasionally.

I would rate Microsoft Defender XDR a ten out of ten.

I've been using it for endpoints and for Microsoft 365, along with Microsoft Defender for Identity. I use it to create policies for anti-spam, anti-malware, anti-phishing, as well as safe links.

I also use it for the security score, making sure that our company achieves a good security score across the organization.

It has helped us increase our rules and policies, protecting our users, information, and data.

When I deploy a policy for anti-spam or anti-phishing, the solution automatically helps us mitigate those kinds of attacks that could expand across the organization. The automation stops those attacks and emails and sends the emails to a secure place where the admins can accept or eliminate them.

It has also eliminated having to look at multiple dashboards, which not only makes things easier, but helps us detect, and see for ourselves, the threats that are happening across the organization.

In addition, the threat intelligence helps prepare us for potential threats, providing us with security steps to take based on what other experts have done, the steps and recommendations, to prevent those threats. It collects information from the website that Microsoft has where security experts provide information.

And with our endpoints, it has helped us save time because, before we installed Microsoft 365 Defender, we had an antivirus solution that took our time. In addition, by using Defender for Identity, we have been saving time with the password self-reset, because we no longer need IT members or administrators to help reset users' passwords. They can do it by themselves. And with Microsoft Defender for Cloud, we're no longer installing the software on their computers, so there are time-savings as a result.

And one of the greatest characteristics of 365 Defender is that it natively helps you coordinate, detect, and prevent threats, and it provides investigations across the organization's domain. And with the responses across the endpoints and various resources in the cloud, it has many sophisticated solutions integrated to protect against cyberattacks. It has absolutely helped us to save money because it is just one solution, rather than paying for multiple services at the same time.

The security score and the threat intelligence are really good features. I also like the Exchange message trace.

The visibility into threats is also very impressive because Microsoft helps you predict things and provides analytics to help you really improve your security. And all of this technology works across the domain, so it is pretty helpful in terms of threat analytics. It immediately detects and tells you what you can do, with recommendations.

The solution also indicates threats as high, medium, or low priority. When the priority is high, that is when I put all of my effort and knowledge into it, and focus on it, because it is valuable for the enterprise.

We also use the solution's role-based access control across the organization. Because, as a company, we work remotely, we make sure that our users have access to what they need and we better protect our company from intruders and cyberattacks.

Intrusion detection and prevention would be great to have with 365 Defender.

I've been using Microsoft 365 Defender for nearly a year.

The stability has been great so far.

It's very scalable. That's one of the benefits of the cloud. You can scale or downsize it whenever you want.

We have many locations and departments around the world. I'm located in the Dominican Republic, but there are people in Europe and the United States.

Their technical support is great because they mostly provide responses in less than 24 hours.

We were facing downtime with our Outlook email, and they told us what was happening with our data center. After they responded to us, we provided the information to the head administrators. After two hours, they restored our services.

Positive

The solution doesn't require any maintenance, as far as I have seen.

Between a single- and a multi-vendor security solution, it depends on whether you are using multiple technologies. Microsoft solutions are pretty much integrated, and help you with the pre- and post-breach. If you are using Microsoft, I would absolutely recommend Microsoft 365 Defender. But if not, I would recommend something else because, with just Microsoft, you probably would not be getting the best solution. There would probably be latency.

Defender XDR can replace multiple security products. It covers everything, including phishing protection, network security, device security, applications, etc. 

The solution has reduced time spent on manual tasks because almost everything is automated. You don't have to do anything. If something happens, you'll get a notification, and it will instantly run the playbook for the incident. For example, a phishing email might take an hour to investigate manually. If you have Defender, you will have all the information you need on the incident page. It's all there, so you can investigate the incident in around 5 to 10 minutes.

Adopting Defender cuts costs. While the solution is a little pricey, you only need two products—XDR and Sentinel—so you don't need to add other security products. You only need to use the Microsoft security stack. 

The advantage Microsoft Defender XDR has over other XDRs in the market is that it's easy to use. You can quickly differentiate between alerts, incidents, devices, software, etc. It's easier to investigate an incident, and you have so many options. You can automate investigations and use playbooks. There's also the live response session, which is something you can't find in any other XDR. 

The identity protection is excellent. It uses some rules, including some built-in rules from Microsoft itself. It identifies risky users and differentiates between a user who is trying to sign in and isn't the actual user. Identity and access management is a valuable component of Defender.

Defender covers non-Microsoft technologies if you're using the full Microsoft stack with Sentinel and Defender. You can ingest logs from other solutions, like Palo Alto and Fortinet firewalls. 

It stops advanced attacks like ransomware and phishing in real time and prevents them from entering your environment. There's a feature called Security Advisory that shows you all the latest threats and vulnerabilities in the market so that you can make rules for them. It helps you understand them more. 

With Sentinel and Microsoft Lighthouse, you can use multi-tenant access. It allows you to connect multiple tenants to one tenant, which you can use to monitor everything from there. Before we had Microsoft Defender, we had to go to each tenant, log n from your account, and investigate the incident if it's there. Lighthouse has one page with all the alerts, and they're all connected together. You can investigate every alert from one page.

The design of the user interface could use some work. Sometimes it's hard to find the exact information you need.

I rate Microsoft Defender XDR 7 out of 10 for stability. There are some performance issues maybe 5% of the time. 

I rate Microsoft Defender XDR 9 out of 10. It's easy to scale. 

I rate Microsoft support 8 out of 10. They answer quickly. If you open a ticket, they will respond immediately. You can chat with them or schedule a call. 

Positive

The setup is straightforward. You only need to buy the product and onboard every device. It's like a script for Microsoft Intune. The process takes a couple of days for a small company, but a larger business may require three or four days. 

Defender XDR is fairly priced. 

I rate Microsoft XDR Defender 8 out of 10. I recommend giving the product a try. If it doesn't work for you, try something else until you find a suitable product. There might be other solutions that are a better fit. It's good for my case, but it might not be right for everyone.