Microsoft Defender XDR is a comprehensive security solution designed to protect against threats in the Microsoft 365 environment.

| Product | Mindshare (%) |
|---|---|
| Microsoft Defender XDR | 4.2% |
| CrowdStrike Falcon | 9.2% |
| SentinelOne Singularity Endpoint | 6.0% |
| Other | 80.6% |
| Title | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| CrowdStrike Falcon | 4.3 | 9.2% | 97% | 140 |
| Microsoft Intune | 4.1 | N/A | 95% | 378 |
| Company Size | Count |
|---|---|
| Small Business | 41 |
| Midsize Enterprise | 23 |
| Large Enterprise | 37 |
| Company Size | Count |
|---|---|
| Small Business | 599 |
| Midsize Enterprise | 309 |
| Large Enterprise | 615 |
It offers robust security measures, comprehensive threat detection capabilities, and an efficient incident response system. With seamless integration with other Microsoft products and a user-friendly interface, it simplifies security management tasks.
Users have found it effective in detecting and preventing various types of attacks, such as phishing attempts, malware infections, and data breaches.
Microsoft Defender XDR was previously known as Microsoft 365 Defender, Microsoft Threat Protection, MS 365 Defender.
Customers include Accenture, Deloitte, ExxonMobil, General Electric, IBM, Johnson & Johnson and many others.
| Author info | Rating | Review Summary |
|---|---|---|
| Infosec at a government with 10,001+ employees | 5.0 | I find Microsoft Defender XDR an excellent, highly integrated, and user-friendly EDR solution within the Microsoft ecosystem. Its stability, AI features, and outstanding customer service deliver significant ROI, making it my preferred choice over competitors. |
| Business Development Executive at TechnoFirrm | 4.0 | I've used Microsoft Defender XDR for 2.5 years to protect end-user devices, finding it effective and user-friendly, though its automated responses are slow and scalability is limited under certain licenses, especially for SMBs. |
| CISO at Loeb & Loeb LLP | 4.0 | I find Microsoft Defender XDR valuable for its telemetry, advanced hunting, and host isolation capabilities, especially with my E5 license. While stable and scalable, I wish it allowed simultaneous isolation of multiple affected systems for better efficiency. |
| Vice President, Information Technology at a construction company with 201-500 employees | 3.5 | Microsoft Defender XDR helps us proactively detect threats, simplifies incident management, and integrates well with our existing tools, though mobile access and collaboration could improve; overall, it provides essential oversight for our SEC-regulated financial advisory firm. |
| Manager, Information Technology at a consultancy with 1,001-5,000 employees | 4.0 | I've found Microsoft Defender XDR effective for endpoint management with centralized alerts, though fine-tuning incident prioritization and adapting to evolving features remain challenges; overall, it provides solid threat protection and earns an eight out of ten from me. |
| Network Technician at T. Baker Smith, LLC | 4.5 | I've used Microsoft Defender XDR for five years as an intrusion protection tool, valuing its incident visibility, seamless setup, and integration with our ecosystem, which helped us prevent costly breaches and improved our overall security posture. |
| Practice Manager Cyber Security at Quorum Systems | 4.5 | I've used Microsoft Defender XDR for two years to secure operations, appreciating its automated attack disruption and efficiency, though it's costly. Setup was seamless, support varies, and overall, it delivers strong ROI and reliable, integrated protection across threats. |
| House security operator at Cypress Creek Renewables | 4.0 | In my experience with Microsoft Defender XDR, I find its advanced threat hunting, effective threat detection, and integration with our systems valuable, though it could improve with a centralized interface. It significantly saves me time, enhancing overall productivity. |
| Director, Sales at a tech vendor with 201-500 employees | 4.5 | As an MSSP, we manage Microsoft Defender XDR for clients, appreciating its integration, identity protection, and ROI. While automation could improve, it replaces legacy tools effectively. Support can be enhanced, but overall, it's our preferred choice. |
| Enterprise mobility and security evangelist at a financial services firm with 5,001-10,000 employees | 4.0 | I utilize Microsoft Defender XDR for comprehensive security across endpoints, identities, and cloud apps. Integrating services enhances threat detection, but configuration time is challenging. Switching from Zimperium, we appreciate Microsoft's features and cost-effectiveness, deploying via Azure. |
My main use cases for Microsoft Defender XDR are primarily my EDR, my endpoint detection and response, and my endpoint solution.
I appreciate Microsoft Defender XDR's MDE, Microsoft Defender tool, which has Attack Simulator. Instead of doing a phishing campaign and getting a separate tool, Microsoft Defender XDR does it all.
These features of Microsoft Defender XDR have helped us conduct a phishing campaign quarterly, which has been beneficial. I also appreciate the fact that it has Defender for Office integrated, Defender for Identity, and everything integrated together.
I would describe the process of using Microsoft Defender XDR to prioritize incidents in my security operations as quite decent. I appreciate the automatic alerting system where any incidents or alerts we receive come directly to our email. From there, we can open the email, go directly to Microsoft Defender XDR, and start our investigations and remediations.
I perceive the integration of security and identity access management in Microsoft Defender XDR as affecting my identity protection strategies very well because it is well integrated with Purview, integrated well with Entra ID, and integrated well with Exchange. I especially appreciate MDO, the Office product. If anything happens and I want to conduct an investigation, it takes me directly to Exchange, where I can also investigate any emails or phishing incidents. Instead of going to different portals, everything can be done from Microsoft Defender XDR. If necessary for further investigation, Microsoft Defender XDR then directs me to that environment.
I would assess the integration of AI in guiding security actions within Microsoft Defender XDR as quite positive. Recently, Security Copilot went big, and it is beneficial that I can use that, especially to write KQL. I can use the threat hunting and intelligence features all within Microsoft's Security Copilot. It also has a nice AI feature for threat hunting.
I know that all the Defender logs go to Sentinel, and I can pull it up from Microsoft Defender XDR or from Sentinel. The fact that I can actually do all that within Microsoft Defender XDR is a nice feature. In the top module, I can do threat lookups, and I can actually type KQLs in Microsoft Defender XDR and look up incidents.
Predictive shielding has had a nice impact on my proactive security measures. It is beneficial that it has, similar to Entra ID, a secure score. For me to improve the product, the secure score helps me out. If I rate it from highest to lowest, I can see what things I can improve. Secure score helps me see what areas I can improve in Microsoft Defender XDR to increase my score and bring it to 80 or more.
Knowing Microsoft Defender XDR from using it since 2019, before COVID days, I know that they have improved significantly. It is much more user-friendly and has a very nice vulnerability feature that I find handy and useful. The fact that this feature integrates into Intune is also very decent.
I do not think the Incident Queue Assistant has helped improve the efficiency of my SOC workflow.
I have been using Microsoft Defender XDR since 2024.
I would assess the stability and reliability of Microsoft Defender XDR as very stable. It does not need any improvement.
I have not experienced any downtime, crashes, or performance issues with Microsoft Defender XDR because, being in the cloud, it is 100% up and running with no downtime. It is not a standalone integration.
Microsoft Defender XDR scales with the growing needs of my organization at 100%. It is very diversely and widely used amongst the state of California ecosystem.
I do not think there needs to be any more expansion for Microsoft Defender XDR because it is already integrated with many other things. It has a very good integration system that integrates with all Azure services, all threat intelligence data models, and integrates very well with other systems such as Palo Alto.
I would evaluate customer service and technical support for Microsoft Defender XDR as very good. With Microsoft, I have had a TSM, a dedicated SSM, what is called a CIPR, the incident response plan. We actually have a unified Microsoft model plan, so I have very dedicated staff.
On a scale of one to ten, I would rate customer service and technical support as eleven out of ten because of the unified plan and the reps being easily available. They are very responsive; I can just email them or call them, and they are easily available. There are always two or more people, not just one person.
Prior to adopting Microsoft Defender XDR, I was using another solution, specifically CrowdStrike.
My change from CrowdStrike was not driven by a specific need to change but rather a change of department. One department was using CrowdStrike, and another one was using Microsoft Defender XDR. I would say Microsoft Defender XDR is much easier to use, user-friendly, and has an easy training program.
I never got a chance to be in the deployment phase of Microsoft Defender XDR because when the product was given to me, it was already built in. I got a chance to deploy CrowdStrike, and I saw how it was. It can be a little cumbersome, but I think Microsoft Defender XDR, if deployed, would be much easier. It already comes with a portal within the licensing, so I would assume it would be much easier than other deployment or standalone systems.
I have seen a significant return on investment with Microsoft Defender XDR. If I would have to choose between any other EDRs and Microsoft Defender XDR, Microsoft Defender XDR will be one of my top priority choices, without question.
My experience with pricing, setup costs, and licensing for Microsoft Defender XDR was pretty decent. I do not think it is very expensive. It is already included with G5 licensing.
I did not consider any other solutions before selecting Microsoft Defender XDR; it was primarily Microsoft Defender XDR and CrowdStrike that I used.
What stood out to me in the evaluation process when comparing was the integration with Microsoft where I do not have to jump to different independent product portals. Microsoft Defender XDR is integrated with Microsoft. The features that come with it mean everything is a one-stop shop from Microsoft Defender XDR. I can also look up the security for Office, the security for identity, and the security for endpoint. Cloud apps is another significant advantage; I can go and do sanction applications.
I am not using the Vibe Hunting feature.
If you are considering Microsoft Defender XDR, my advice is that if you are looking for an XDR tool, Microsoft Defender XDR is the easiest to use. It is very easy to deploy, very easy to learn, and easy to jump into it, and there is nothing that is hard. Unlike using Cortex XDR, Trend Micro, or CrowdStrike, there is a learning curve, but with Microsoft Defender XDR, you will never find a learning curve. I would rate this review as a ten out of ten.

I use Microsoft Defender XDR to protect the end-user devices from malicious attacks, malicious applications, files, and unknown source installations.
Regarding Microsoft Defender External Attack Surface Management (ASM), I cannot describe its use cases.
The dashboard of Microsoft Defender XDR is very understandable; with minimal technical knowledge, you can comprehend it.
As a reseller and partner, the advantages of Microsoft Defender XDR are numerous. I have stopped many threats for many organizations using Defender alone, and I have saved significant IT management time by avoiding manual updates and manual work.
I have created automated investigations, and while they work, they operate rather slowly in the Microsoft portal. If I automate something, it takes considerable time; if I do it manually, I can complete it in a quarter of the time.
The automation response being slow is the main concern; when an incident occurs or if I run a remediation, it takes significant time to complete the remediation.
There are some limitations regarding the scalability of Microsoft Defender XDR with specific licensing.
For SMB customers, there is only Microsoft Defender for Business, and if they want more features such as XDR features and automation investigation or incident response, they need to purchase Defender for Endpoint. We are currently using the EDR.
I have been dealing with Microsoft Defender XDR for about 2.5 years.
The installation of Microsoft Defender XDR is very smooth, but I encountered challenges with some devices and raised a ticket to Microsoft, which they resolved.
There are specific challenges when installing Microsoft Defender XDR; some devices were not supported, and there are still some devices that cannot be enrolled in Defender for Endpoint.
Microsoft Defender XDR is excellent in terms of stability.
The technical support from Microsoft is mostly better because we are not only working with Defender; we are also working with Intune, Entra ID, Microsoft Purview, and other solutions, so we face some challenges getting support from Microsoft as a partner.
Positive
I have worked with similar tools to Microsoft Defender XDR; I have experience with Kaspersky and Wazuh.
Comparing Microsoft Defender XDR with Kaspersky and Wazuh, Microsoft stands out in terms of technical features because it works very comprehensively compared to other products. I prefer Microsoft Defender XDR the most because of its integration with Entra ID, Intune, and other products.
My satisfaction with support rates between seven and eight out of ten.
My overall experience as a reseller with Microsoft Defender XDR rates as eight out of ten.
We have suggested Microsoft Defender for Business, which fits within customer budgets and is included in Microsoft Business Premium. For enterprise customers, we recommend Defender for Endpoint, which is included in E5 and E3.
I have limited experience with the threat hunting feature, though I have accessed the portal and performed some work with it.
I am not familiar with the analytics feature and its ability to help identify threats effectively.
My main use cases for Microsoft Defender XDR are telemetry, advanced hunting, and the ability to perform host isolation if there is potential malware.
I believe the incidents prioritized using Microsoft Defender XDR will be the very first ones to examine. Beyond that, similar to Sentinel, I have visibility, but at the endpoint level, I know what is occurring on that physical or virtual system. I can also conduct advanced hunting through its platform.
What I appreciate most about Microsoft Defender XDR is the ability to drill down to the process level, the visibility of processes, and the file-level details of what processes are accessing, including the IP addresses for outbound connections. This gives me the advanced telemetry to understand what is happening on that machine at that given time if I need to conduct an investigation.
The features of Microsoft Defender XDR benefit me by helping discover that certain items are already blocked. Sometimes it will pick up the first step, but then it will block from there. It also provides me the ability to perform host isolation in case there might be malicious code present, giving me that control point.
I believe the integration of security and identity access management in Microsoft Defender XDR is very critical to see what is occurring on the machine, as well as who is affected, and to determine if host isolation is necessary and what other areas this person might have connected to.
From my perspective, Microsoft Defender XDR can be improved with better visibility in certain areas where I can trigger host isolation on one machine. It should at least provide the option to isolate other affected systems. If you think about it, continuously performing host isolation on individual machines is inefficient, but if you have a central location where you perform one isolation method, all other potentially affected systems that have been touched may also be isolated simultaneously.
I have been using Microsoft Defender XDR for approximately three years.
I assess the stability and reliability of Microsoft Defender XDR as having no performance issues. I just have to be mindful of what to exclude in certain areas that may be application dependent on the local machine. There are no overly conflicting areas where conflicts arise when someone opens an application.
I evaluate the scalability with Microsoft Defender XDR as good so far. We have moved over to a CSP model.
On a scale from one being the worst and ten being the best, I would rate my customer service and technical support overall as good from the CSP model. If they cannot solve it, I can always escalate it. Previously, I received first-line tiered support and had to keep elevating it higher until I reached the right person with specific area knowledge.
Prior to adopting Microsoft Defender XDR, I was using another solution to address similar needs. However, this separate entity cannot be part of our organization.
The factors that led me to consider change were neither performance, cost, support, nor scalability. The reason for the change was that they could not be connected to our network from a legal perspective, so I had to use a different alternate solution.
My experience with deploying Microsoft Defender XDR is that the rollout was seamless.
I have seen a return on investment with Microsoft Defender XDR because it provides telemetry information and cost value. We are on an E5 license, so if I were not, I would have to consider the subtraction of that and go with another competing product, which would double the cost.
My experience with the pricing, setup costs, and licensing of Microsoft Defender XDR is that we are on an E5 license, so it is incorporated there. It is part of our Microsoft package.
Before selecting Microsoft Defender XDR, I considered CrowdStrike.
What stood out in my evaluation process was that I was comparing similar areas, and each one has their own strong suit. For me, the valuation was most important because it is bundled in the E5 license, and these features are included with the package. If I did not have an E5 license, I would look at alternative solutions to conduct a comparison. At the end of it, I need to manage risk and cost. Frankly, can any product really guarantee that they are foolproof?
I advise another organization considering Microsoft Defender XDR to look at the cost valuation to maintain and reduce risk. Part of that is ensuring that you have visibility as well as mitigation where you can isolate a machine if something happens.
I have not fully used the AI guiding security actions within Microsoft Defender XDR, so it is still under review to determine the added value to increase and speed up investigation.
I am looking at the AI-powered Copilot assistant to speed up investigation and determine if something is a false positive or a true positive.
I have not used the Threat Hunting feature in Microsoft Defender XDR yet.
Predictive shielding has not been used by me, so that is new. The challenge is that when there is a new offering, it is somewhat hidden, and I have to look at that and really go through that process.
For future innovation with Microsoft Defender XDR, I am looking at how AI accelerates that area, including adversary detection. I am evaluating what is next to determine whether I should stick with Microsoft Defender XDR or not. I would rate this review an eight overall.
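Two reviewers in this section describe the same workflow without showing it: typing KQL into the advanced hunting page to look up what a process did and where it connected (the government Infosec review and the CISO review above), and then deciding which hosts to isolate. The query below is an added example written for this page; it is not either reviewer's query and not Microsoft sample code. It uses the documented advanced hunting tables DeviceProcessEvents and DeviceNetworkEvents and their documented column names; the 7-day lookback, the Office parent and script-host child lists, and the one-hour correlation window are assumptions chosen for illustration.

```kql
// Added example, not from the reviews above or from Microsoft.
// Step 1: Office applications spawning a script or shell host.
// Table and column names follow the advanced hunting schema; the
// lookback, the process lists and the 1h window are assumptions.
let lookback = 7d;
let office_parents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let script_hosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
let suspicious_children =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (office_parents)
    | where FileName in~ (script_hosts)
    | project Timestamp, DeviceId, DeviceName, AccountName,
              ParentProcess = InitiatingProcessFileName,
              ChildProcess = FileName, ProcessId, ProcessCommandLine;
// Step 2: the outbound connections those child processes made, matched on
// device and PID within an hour of process creation. Private destinations
// are dropped; because ipv4_is_private() yields null for IPv6 addresses,
// IPv6 destinations fall out here as well.
let child_connections =
    suspicious_children
    | join kind=inner (
        DeviceNetworkEvents
        | where Timestamp > ago(lookback)
        | where ActionType == "ConnectionSuccess"
        | where not(ipv4_is_private(RemoteIP))
        | project NetTime = Timestamp, DeviceId, InitiatingProcessId,
                  RemoteIP, RemotePort, RemoteUrl
      ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
    | where NetTime between (Timestamp .. (Timestamp + 1h))
    | project Timestamp, DeviceName, AccountName, ParentProcess, ChildProcess,
              ProcessCommandLine, RemoteIP, RemotePort, RemoteUrl;
// Step 3: pivot on the destination IPs to list every device that reached
// them. This is the candidate list for the multi-host isolation the CISO
// review asks for; the isolation action itself is still taken per device.
let hit_ips = child_connections | distinct RemoteIP;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (hit_ips)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10)
            by DeviceId, DeviceName, RemoteIP
| order by Connections desc
```

Run it from the advanced hunting page of the Defender portal. Replace the final statement with `child_connections` to see the per-process drill-down (command line, remote IP and port) that the CISO review values, and keep the pivot as the last statement when the question is which other machines touched the same infrastructure. The join on ProcessId is only sound within the one-hour window because PIDs are reused; widen the window and you will start matching unrelated processes.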
Microsoft Defender XDR consolidates all the events from Cloud App, from clients, from threats, and from internal threats.
Positive
I am not using the Threat Hunting feature, but I assume that is voice-based hunting. I do not know what predictive shielding means.
Based on all of this experience and feedback, I would rate Microsoft Defender XDR support a seven on a scale of one to ten because the platform and tools are great in allowing quick submissions, but there is room for improvement in communication.

My main use case for Microsoft Defender XDR is endpoint management. With the E5 licensing that we have, we use Microsoft Defender XDR to manage all our endpoints.
The feature I like the most in Microsoft Defender XDR is XDR. I appreciate XDR because it has taken us a while, but we are a global company with people in a few countries. We are now fine-tuning the processes, and we can have centralized alerts that we send out to Teams messages. We can have eyes on alerts and can clean up infected computers or help people in a very short amount of time. This is how Microsoft Defender XDR benefits my company most.
At the moment, we are still fine-tuning the process of using Microsoft Defender XDR to prioritize incidents. We set the high-risk ones to email out to make sure that people get eyeballs on the alerts quickly, particularly the critical high alerts and risky users.
Sometimes I find that the integration of security and identity access management in Microsoft Defender XDR affects my identity protection strategies as the interface keeps changing and the products keep evolving over the years. In general, we appreciate that you can change the views from devices to people and gain a more holistic overall picture of what is going on through the timeline. We can get some history of what the user was doing and how the device was behaving to make a more informed decision on the event and what actions need to be taken.
Every now and then, Microsoft Defender XDR seems to go through and aggregates almost a week's worth of incidents and wraps them up, indicating a huge problem. I think that is being a bit zealous in its helpfulness. There might be a bunch of informational mediums or something in there. We do not go in there and log, clean, turn off, or close out every single incident. If we did that, that might reduce the noise, but we do not know yet. We have been told to either create a support ticket or do suppression rules.
I have been using Microsoft Defender XDR since about 2018.
The incident queue assistant in Microsoft Defender XDR may help improve the efficiency of SOC workflow, but I am not sure. I have not rated that one.
Neutral
We evaluated another product before choosing Microsoft Defender XDR. Back in the day with Windows 7 before we got E3 licensing, we were using third-party products. That evolved, and we moved to E5 and that bundle included Microsoft Defender XDR, so we started that rollout and transitioned off. It was a bundle of things and not a sole decision.
Deploying Microsoft Defender XDR is relatively easy. It depends on who sets the policies and how much oversight you want to implement. If you want a policy to block USB ports and do other things, you can, but for some people that matters and for others not. It depends on what your policies are. If you set a high bar, you will get a lot of alerts. If you set a low bar, then not so much, but that is up to every organization.
The return on investment from having Microsoft Defender XDR is that it will identify alerts for us, but if we do not have eyeballs on it and we do not take an action, then an event will still occur. It has helped stop real threats, including users clicking on malicious links. That is pretty much the number one entry point into credential theft and others.
We are not that small. With the initial pricing in US dollars, not everyone in every country can afford that pricing. It was a pretty substantial financial impact.
I do not have access to Security Copilot yet for Microsoft Defender XDR. When that becomes available as announced, we will get 400 compute units in the next few months, and then we will use it. For us as a small business, we deemed it was too expensive. We have two and a half thousand end users globally.
I do not use the threat hunting feature in Microsoft Defender XDR. I have not heard of it.
Predictive shielding is another feature in Microsoft Defender XDR. As an administrator of the tenant, there are many things to manage. We need to be careful that we do not want to impact the user too much. We do not want to slow down their endpoints when they are using laptops. We do not want to impact it too much.
In Australia, we use Dell products and Microsoft products, so we do not have very many issues. Other countries on different devices might experience some issues, but mostly it depends on your policies.
I would rate Microsoft Defender XDR about an eight overall. I am not sure what a perfect rating would look like, but it comes down to people needing to review their policies. If you set a policy five years ago and do not look at it, that might not be suitable anymore. We set policies before security baselines became available, and we do not have enough time to go back and see whether we would want to use a security baseline or other new features. There might be a better, easier way to do things, but we have not looked at it. My overall review rating for Microsoft Defender XDR is eight out of ten.
What I appreciate most about Microsoft Defender XDR is the visibility it provides through a breakdown of incidents that come through.
Regarding how these features have benefited my organization, when potential threats and attacks came in, I was able to track down the ingress point of attackers and lock down and fix it for future problems.
The impact of the shielding on my protective security measures has given us a better overview of our entire platform, helping us get a better understanding of where we sit.
I don't have anything at this time regarding how Microsoft Defender XDR can be improved or what additional features should be included in the next release.
I have not experienced any downtime or crashes.
I have not faced performance issues.
Microsoft Defender XDR scales fine with the growing needs of my organization.
I have not expanded usage.
We haven't had to contact customer service or technical support.
On a scale from one being the worst and ten being the best, I would rate my customer service and technical support at an eight just because I don't have a real opinion on it right now.
Positive
Prior to adopting Microsoft Defender XDR, I was using another solution to address similar needs.
I was using a solution that was already included with our license suite with Microsoft, which led me to consider a change.
My experience with deploying Microsoft Defender XDR was seamless.
It works well, and I faced no challenges.
I have seen a return on investment.
It helped stop multiple intrusion points where we would have had millions in lost revenue if the attackers got in.
My experience with the pricing, processing, setup costs, and licensing has all been seamless, included with our E5 licensing.
Before selecting Microsoft Defender XDR, we were looking at Threat Huntress and Red Canary.
What stood out in the evaluation process was that it was already integrated with our ecosystem and ready to go, with no additional agents needed.
The advice I would give to an organization considering Microsoft Defender XDR is to make sure you have someone monitoring it at all times and to review all the threats.
I perceive the integration of security and identity access management in Microsoft Defender XDR as essential to my identity protection strategies.
I assess the integration of the AI in guiding security actions in Microsoft Defender XDR, and I haven't used any of the AI options.
I haven't really come across the Incident Queue Assistant helping improve the efficiency of my SOC workflow.
I am not using the Vibe hunting feature.
I would describe the process of using Microsoft Defender XDR to prioritize incidents in my security operations as seamless and simple.
I would rate this review at nine out of ten.

The feature I like the most in Microsoft Defender XDR is called attack disruption; it's an automatic feature of the tool that stops attacks automatically.
Microsoft Defender XDR is very comprehensive, covering a lot of the services, tools, and applications that we use, so it's very efficient, and it works out of the box.
Microsoft Defender XDR has improved the efficiency of my SOC team significantly; it saves them time, and it simplifies the messaging, resulting in consistent messaging.
Microsoft Defender XDR can be improved as a solution because it's still quite costly; it's part of E5, E5 Security, so the cost is still quite high, especially for SME or SMB customers. The cost to get to full XDR is sometimes still prohibitive.
I have been using Microsoft Defender XDR for the last two years, and it's a fairly new product.
I have used customer service support at some point; it's very challenging, sometimes rating four, sometimes an eight, so perhaps a six. You have to work through many contacts before you get to a decent level of technical capability.
Neutral
I would describe the deploying experience of Microsoft Defender XDR as seamless, taking days to hours, not weeks to months; it's very quick, and the onboarding is quite straightforward and easy.
I have seen a return on investment from Microsoft Defender XDR; certainly, consolidation from third-party tools provides a good return on investment, absolutely.
Before adopting Microsoft Defender XDR, I considered other third-party solutions such as CrowdStrike, Proofpoint, and Mimecast, as examples.
I chose Microsoft because of the skills to support it, the return on investment we have discussed, and its simplicity, as well as trust in Microsoft's vision and capability; if you consider the Gartner Quadrant, Microsoft is a leader in that space.
With Microsoft Defender XDR, I protect against identity threats, email threats, and endpoint threats, so it's a threat protection tool for us.
The process of using Microsoft Defender XDR to prioritize incidents in my security is done automatically by the tool.
Microsoft Defender XDR is excellent; it saves time, especially for my team that deals with hundreds of incidents.
I perceive the integration of security and identity access management as key; it's absolutely key for us. We need that integration because identity is the control plane, so that integration for us is key.
I assess the AI integration in Microsoft Defender XDR as working; it's still developing, new technology, but I would rather have the AI capability than not.
I am not familiar with the impact of predictive shielding on my proactive security measures.
I assess the stability and reliability of Microsoft Defender XDR as very good; it's five nines, isn't it? The reliability is generally very, very good.
I would rate this review a 9.
My main use cases include a lot of incidents and alerts, investigations, remediating vulnerabilities, updating applications, and extensive threat hunting using KQL queries.
The features have helped my company by enabling us to respond quickly. We're pretty agile as a lean team, which makes it easy for us to correlate an incident, see where it occurred, and understand what the remediations are, thus allowing us to respond more quickly to events.
I really appreciate the advanced threat hunting feature in Microsoft Defender XDR as it makes it easy for me to track information. I haven't tried Security Copilot yet. From what I see, it makes my job faster.
My experience with Microsoft Defender XDR in terms of securing endpoint and network devices across a multi-platform environment has been pretty good. We do manage and patch our third-party applications via ManageEngine. For every device we've onboarded into our tenant, it's been pretty good in pushing anti-virus tools towards it or scanning for any weird incidents or alerts that pop up, so it's been great for that.
Based on what I've seen with Microsoft Defender XDR and the large amount of threat data Microsoft has access to, I'm confident I would trust Microsoft Security to handle the majority of all our threats from any threat actor who's essentially putting our company at risk. I'm very confident that Microsoft provides a pretty secure platform.
I evaluate the effectiveness of detecting cyber threats across SaaS applications using Microsoft Defender XDR as very good. There's a particular alert that I see every time one of our users uses their work email to sign in to applications they're not supposed to or applications that aren't sanctioned within the app registry within Defender. It's been great with that, and I enjoy that part of the application as well.
The level of incident-level visibility across the cyber attack chain when using this product is pretty thorough. For most incidents, there's always a link to either maybe an IP address or some more information. There's usually all sorts of information on the type of attack or virus, essentially. There is a lot of information that's displayed in visibility.
We use it to manage hybrid identities. It hasn't affected anyone negatively. We can provision an email for an exterior user to control access rights.
Microsoft Defender XDR could be improved with a lower price. My main suggestion would essentially be what Copilot is providing, which is a single pane of glass, so I don't have to go to different windows. That's just a workflow consideration for me. It would be great to have all the information centralized into one particular data app. If I need to open up extra ones, I can, however, I would appreciate a future where everything I need is right there on one single pane of glass. Beyond that, there's really nothing else I see that I would want Microsoft to improve.
The stability and reliability of Microsoft Defender XDR are great. I'm personally a big Microsoft fan and Microsoft isn't going anywhere anytime soon. I'm a big proponent of their services and what they offer.
When it comes to scalability, I'm not surprised. I honestly feel that at some point, everybody is going to be using Microsoft for everything. I trust that whatever scale they think can have access to your tenant will work.
I would evaluate the customer service and technical support of Microsoft Defender XDR as satisfactory. If I had to give it a rating out of ten, it would be a solid eight. It's a big company, so it's kind of hard to get people. We also go through a different vendor. I need to verify that. For the most part, they're pretty prompt with our responses, so I don't have any complaints there.
Positive
I was not using another solution in my present company before choosing Microsoft Defender XDR. At my former company, we used a myriad of different things. We had ManageEngine for endpoint support, Splunk for a SIEM, and I forgot what we used for basic anti-virus, so it wasn't centralized or streamlined—just a bunch of different tools put together as opposed to Microsoft giving us one central spot.
The biggest difference between those products and Microsoft Defender XDR is just the ease of work. To be honest, at the end of the day, almost everything runs through Entra and everybody's identities already. Having a tool that directly connects to that without having to set up a data connector is the biggest benefit.
The deployment happened before I started working with the company. Currently, we are getting more of our infrastructure into Azure. We're still working on migrating a lot of things into Azure. However, Defender and Azure work seamlessly.
The biggest return on investment when using Microsoft Defender XDR for me is saving time for the most part. Incident alerts are one part of my job, investigating. Being able to streamline the process of investigation and closing out tickets saves me time to do other things, such as planning ahead for next year and conducting more research. But if I'm bogged down with incidents and alerts, it's hard to do my job.
Microsoft Defender XDR has saved me at least 50% of my time. It has drastically improved how much time it takes me to close up an incident, which I think Copilot might make even better, so we'll see.
My experience with Microsoft Defender XDR regarding pricing, setup costs, and licensing is that I haven't had to deal with that directly myself. My director handles it. I am the one doing the research while he signs off on it. We will be addressing that later in the year when we visit our cyber roadmap for next year, however, essentially, we're evaluating how much data we really ingest and the corresponding costs, so I can't give a definitive answer yet—we're still using this in a trial period.
We use Microsoft Defender XDR to manage and secure hybrid identities. We have our Azure identities, but we also manage external users with Defender as well.
This has not affected Louis Partners & Customers in a negative light. For the most part, it's pretty quick and easy to set up, and we haven't run into an issue where an external user doesn't have access, or a situation where we provision an email for an external user and they don't have the appropriate rights to certain data. It's been pretty great so far.
On a scale of one to ten, I rate Microsoft Defender XDR an eight.
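The reviewer above mentions extensive threat hunting with KQL and an alert that fires when a user signs in with a work account to an application that is not sanctioned. The advanced hunting query below is an added example, not the reviewer's own query and not shipped by Microsoft: it reproduces that check against the `AADSignInEventsBeta` table (available in Defender XDR advanced hunting with the appropriate licensing). The sanctioned-app allowlist and the `@contoso.com` domain are constructed for the example; replace them with your own enterprise application IDs and tenant domain.

```kusto
// Added example (not from the review): sign-ins by work accounts to apps
// outside a sanctioned list, over the last 7 days.
// Constructed allowlist: Entra application (client) IDs you have sanctioned.
// The first two are well-known Microsoft first-party app IDs; the third is a
// hypothetical placeholder. Verify each ID against your own tenant.
let SanctionedApps = datatable(ApplicationId: string, AppLabel: string)
[
    "00000002-0000-0ff1-ce00-000000000000", "Office 365 Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000", "Office 365 SharePoint Online",
    "11111111-2222-3333-4444-555555555555", "Contoso HR portal (hypothetical)"
];
// Constructed assumption: work accounts are UPNs in this domain.
let WorkDomain = "@contoso.com";
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where ErrorCode == 0                        // successful sign-ins only
| where AccountUpn endswith WorkDomain         // work identities, not guests
| join kind=leftanti SanctionedApps on ApplicationId   // drop sanctioned apps
| summarize
    SignIns     = count(),
    Users       = dcount(AccountUpn),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    SampleUsers = make_set(AccountUpn, 5),
    SourceIPs   = make_set(IPAddress, 5)
    by Application, ApplicationId
| order by Users desc, SignIns desc
```

Run it from the Advanced hunting page in the Defender portal; the same query body can be saved as a custom detection rule so that it raises an alert on a schedule rather than being run by hand. Unsanctioning an app in Defender for Cloud Apps blocks it at the endpoint via Defender for Endpoint network protection, which is the complementary control this query does not perform.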
As an MSSP, we work with customers who have Microsoft Defender XDR. We manage it for them 24/7 and 365 days, acting as an extension of their team. We leverage what they've got in their licensing, often E5 or E3 with the security add-on, to get the best information for our analysts to improve investigations, triage, and respond on their behalf, as the XDR stack allows us to do this extremely well.
We do this for a lot of different customers. We've got customers all across the country. Some of them have global distribution, so it's pretty significant.
The incident-level visibility across the cyber attack chain when using Microsoft Defender XDR is great. The biggest advantage is having a more integrated platform. What we've seen by working with customers who have disparate technologies is that those are rarely implemented properly. They don't have good configurations or the right configurations turned on, and then they do not get the value out of those products, and those products aren't working together. Technologies that aren't implemented properly or lack good configurations fail to deliver value. When we implement Microsoft Defender XDR, we see a more integrated experience with better telemetry, giving us clearer insights into their environment as compared to using disparate products.
Due to this integrated approach, the impact of using Microsoft Defender XDR on our SecOps team's effectiveness in handling cybersecurity incidents is fantastic. We've worked with other products in the past that weren't as powerful or robust. Since making the switch, our customers are benefiting more from these products working together, providing a full picture rather than just a piece of the pie.
Microsoft Defender XDR's capability to automatically disrupt advanced cyber attacks is awesome. The automations in play are fantastic, although we often opt for manual investigation to ensure that the automated actions taken were the correct responses. From a first-level response perspective, it's extremely powerful.
We use Microsoft Defender XDR to manage and secure hybrid identities. In terms of access management, it gives a lot more provisional access, where we can make sure that we've got the right access for the right level of employee. As they change profiles or leave, we can go and change pretty easily, so that all this access is not floating around in the customer's environment.
The feature of Microsoft Defender XDR that I preferred the most traditionally was its focus on endpoint protection, but now identity is right up there with endpoint security. Identity is important because different compromises start at the identity level. This allows us to understand what actions are being taken, who is doing them, and whether it is actually them. It provides better information for us to assess the situation, decide if it's real, and determine if further investigation is needed.
Microsoft Defender XDR can be improved with continued development of automations and automated playbooks, but overall, we've been really happy with it, and I don't have a long list of changes I would make.
The customer support aspect can be better because it's the biggest complaint I hear about Microsoft. They can improve the ease of support and licensing processes.
I have been using Microsoft Defender XDR for about a year and a half or two years. We use it for our customers. We manage it for them.
The stability and reliability of Microsoft Defender XDR is fantastic.
Microsoft Defender XDR scales extremely well with our company's growing needs, especially if Intune is in place. As we build out operations, such as during M&A, having everything set up allows us to migrate customers seamlessly.
We do a lot of troubleshooting ourselves, so we don't utilize their support frequently. I have heard from customers that it's not the easiest, and sometimes, it can be complex to reach the right person for specific needs, which is an area we prefer to handle ourselves.
Positive
The factors that made us change from other solutions to Microsoft Defender XDR include the issues with disparate tools that promise much but fail to deliver. Once we saw how Microsoft Defender XDR is purpose-built to work together seamlessly, it became clear that we could deploy it. We could witness how it functions as one cohesive platform instead of troubleshooting multiple products.
It's pretty easy, especially if Intune is in place. Otherwise, it can be a little bit complex. That's another area that we lean into. We're trying to get Intune fully deployed. We're working with customers who don't have Intune. We strongly encourage it, or we help them get it. If they don't, we'll get some workarounds, but we'll ultimately try and get them to Intune so that it makes that experience much easier as they continue to add employees. They may go through M&A or bring on a new system.
The biggest return on investment for us is that by being on the platform, we can sunset many legacy tools. Many customers don't realize what they can access through the stack. It enables them to cut out old tools with redundant functionalities, freeing up the budget for their security programs elsewhere.
It can be complex to navigate since customers have varying licensing agreements across Microsoft. If they go straightforward with E5 for all users, it's simple, but combinations based on budget constraints can complicate things.
There are certainly savings when using Microsoft Defender XDR, which can range from 30% to 40%, and even up to 50%. However, outcomes depend on the specific environment and the tools previously purchased that can be replaced.
I did consider other solutions before choosing Microsoft Defender XDR, but it was a quick decision because many of our customers were already moving in that direction. Some of the names I remember include SentinelOne, Cylance back in the day, Sophos, and Symantec. These were among the traditional EDR products we looked at before switching to Microsoft.
Microsoft ranks at the very top among the platforms we considered. We frequently tell customers that if they aren't considering it, they should be, because everyone is using Microsoft in some capacity already. We see better security outcomes. Gartner rates them in the top right quadrant, and consistently, it's recognized at the highest level.
I would rate Microsoft Defender XDR overall as a nine out of ten, as I rarely give a ten.

Microsoft 365 Defender has many use cases. It includes four different services: Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps.
Microsoft Defender for Identity protects on-premises identities and synchronized identities from on-premises to the cloud. It ensures that identities are not compromised and that domain controllers are protected. This service is especially helpful for large enterprise customers who cannot move to the cloud entirely.
Microsoft Defender for Endpoint ensures that endpoints, such as laptops and mobile phones, are managed and protected. It is important that all four Microsoft 365 Defender services are integrated and share signals with each other. This allows for more comprehensive security and threat detection.
Microsoft Defender for Cloud Apps focuses on application-related issues. It allows us to sanction or unsanction applications, manage shadow IT, and prevent users from uploading documents to external cloud storage or sending emails with unapproved documents.
Microsoft 365 Defender Portal integrates all four Microsoft 365 Defender services into a single portal. This makes it easier for security engineers to view logs, events, and incidents from all four services in one place.
In addition to Microsoft 365 Defender, it is recommended to have a Security Orchestration, Automation, and Response solution. Microsoft's cloud-native SOAR solution is called Sentinel. Sentinel is a powerful tool that can be customized to meet the specific needs of our organization. It is also cost-effective because we only pay for the features we use.
KQL is a powerful tool that can be used to create custom queries for Microsoft 365 Defender. KQL is similar to the PowerShell language, so it is easy to learn for IT professionals who are already familiar with PowerShell.
The visibility into threats is good. We can see all the information we need using the Microsoft 365 portal. There are recommendations that we need to follow, as well as explanations and descriptions of the threats. These descriptions explain what the threats can do, how they can scale, and how to protect our environment against them. I think that Microsoft is doing a very good job of sharing knowledge with customers, even about zero-day activities that are just being discovered by security researchers. I really appreciate Microsoft's openness and willingness to share this knowledge with its customers.
Microsoft 365 Defender helps us prioritize threats across our environment. This is important because if there is a known threat that we can find within the portal, we can see the information that the threat is trying to access, such as domain contrast. Microsoft 365 also provides us with numbers, values, risks, and scores that point to our environment and indicate which threats are vulnerable. For example, if there are ten Windows server machines that need to be patched, Microsoft 365 will tell us. If we do not patch these servers, they will remain vulnerable and we could be in trouble. Microsoft 365 provides us with a lot of information about our environment, which is very useful. This information helps us to identify and prioritize threats, and to take action to mitigate them.
We integrated Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Cloud Applications, and Microsoft 365 Defender.
With a Microsoft E5 license, all the Microsoft 365 Defender suite services are available. Once we purchase those services, we can get the best value by integrating the solution. This is a one-click process that should be the first step for everyone who has the license and is taking the security solution.
The solutions work together seamlessly to provide coordinated detection and response across our environment. This is important because small and medium-sized businesses cannot afford to have thousands of security analysts monitoring their environments for threats. With these integrations and Microsoft cloud-based solutions, SMBs can outsource their security teams to Microsoft. Microsoft's security team is constantly monitoring for new threats, vulnerabilities, and risky activities. They deliver this information to SMBs through email and other channels. This allows SMBs to focus on their core business activities without having to worry about security.
The comprehensiveness of the threat protection provided by these Microsoft security products is important. It is important to understand how they work, how they are configured, and how they share information with each other. It is also important to understand the activities that they perform and to be able to highlight the important aspects of those activities. This includes understanding what happens, why it happens, what could happen, and what mitigation steps are being taken. All of this information is key to understanding how these products can protect our organization from threats.
Microsoft Sentinel enables us to ingest data from our entire ecosystem. Without being able to share data from our different solutions and products into one data storage, we cannot really monitor that data. If we have visibility on one data storage on one product, and we have visibility on a different product that stores data in different storage, we have to control both separately. With Sentinel, we can have Log Analytics. We have a single Log Analytics workspace where we can ingest data from any solutions, products, external third parties, network appliances, cloud-based solutions, or on-premise-based solutions. We can ingest all this data into Log Analytics sources. Within the Log Analytics workspace, something is based on top of that and is capable of monitoring the logs and finding suspicious activities.
Microsoft Sentinel enables us to investigate threats and respond holistically from a single location. This is the most important feature of any cloud-based SIEM solution. We must be able to take action immediately, and with Sentinel, we can do just that.
Given Microsoft Sentinel's built-in SOAR capabilities, UEBA, and threat intelligence, the security protection provided is comprehensive. The integrations and AI-based, machine learning-based features built into Sentinel are the main pillars of the cloud-based security solution. This is how a next-generation security solution should be built. It should help prepare and maintain security by integrating with other services. It is not enough to simply configure Sentinel wisely. Microsoft must also continue to improve the service by adding new features. Thanks to these basic pillars, Microsoft can continuously improve Sentinel.
When we first set up Microsoft Sentinel, we can define which logs we want to ingest and how long we want to keep them. We can configure the retention period for each log type. The retention period determines how long Microsoft Sentinel will store the data before it is deleted. There are three types of logs that we can ingest into Microsoft Sentinel without paying for them: Audit logs, Microsoft 365 change logs, and Microsoft 365 online logs. For all other log types, we will be charged for storing the data after 90 days. If we have a Microsoft 365 subscription and we have integrated Microsoft Sentinel with our environment, we can monitor the Exchange service for free for 30 days. This is because we can ingest the data for free and we can store the data for 30 days without being charged. It is important to test our environment and configure the retention periods for our logs so that we can understand how much Microsoft Sentinel will cost us. Microsoft Sentinel provides detailed workbooks that we can use to analyze our costs.
Microsoft 365 Defender includes four services and four products, which can help organizations a lot. We don't need to hire as many security analysts. What we need to work on is making sure that the security engineers who are working with the Microsoft 365 Defender suite are up to date on the technology. We need to allow them to study, keep studying, improve, share knowledge, and gain hands-on experience, not just theoretical knowledge. Thanks to the Microsoft 365 developer tenant, we can set up a tenant for testing purposes for free. This is great, and we can all use these developer tenants to test different business use cases and see how they work. Microsoft Defender can help organizations a lot if they are really paying attention to how it should be configured. They should follow Microsoft guidelines on how to prepare each service and how to prepare the environment.
Microsoft 365 Defender helps automate routine tasks and the findings of high-value alerts. It has a configuration capability that allows us to automate different tasks, which can be very helpful. Automation is always a key goal when purchasing a new product or service, as it can help to streamline processes and save time. When automating a new product or service, it is important to consider the expected results and how they can be best resolved.
When configured correctly, automation can have a significant impact on our security operations. Automation plays a big part in Microsoft 365 and Sentinel integration. Once we can access the portal, there are services where we can use more automation than in other services. For example, we can configure Microsoft Defender for Cloud Apps to automatically block risky applications with a risk score under five. This can be very useful, as it frees us up from having to manually monitor new applications and manually block risky applications. This automation is one of the main goals of the security department. It can take some time and effort to implement, but it is worth it in the long run. With Microsoft, automation is a cost-effective solution.
Microsoft 365 Defender helped eliminate the need for multiple dashboards by providing a single XDR dashboard. In 2020, there were different portals and different dashboards for each service within Microsoft 365 Defender. These services are now being migrated into a single portal, the Microsoft 365 Defender portal. This allows users to view all of their security data in one place, without having to switch between different portals. The integration process is still ongoing, and some features have been removed from the old portals. However, users can still access all of their data by following the new updates and how they are being integrated into the Microsoft 365 Defender portal. Overall, the new Microsoft 365 Defender portal provides a more unified and user-friendly experience for managing security data.
Microsoft 365 Defender Threat Intelligence helps us prepare for potential threats before they hit. Microsoft shares threat-related information they gather from different sources and vendors. They not only describe the threat, but they also recommend activities within our environment to help us protect ourselves. This is a valuable service because it allows us to take steps to mitigate threats before they impact our organization.
Microsoft 365 Defender saves us time. I used to have to open multiple portals to check for threats, but now I can do everything in one place. This has freed up my time so I can focus on other tasks. In addition, Microsoft 365 Defender has helped us to reduce the number of security analysts we need to hire. This is because the solution is able to detect and respond to threats more effectively than we could on our own. Overall, Microsoft 365 Defender has been a valuable addition to our security team. It has helped us to save time.
Microsoft 365 Defender helps us save costs by providing all the information we need in one place. The ability to monitor and respond from one place is a key element of the entire threat investigation process.
Microsoft 365 Defender's most valuable feature is the ability to control shadow IT.
We found that sometimes integrations work, but testing them can take some time. Sometimes, configurations take much longer than expected. We have a configuration in place that needs to be synchronized with another server. However, the servers are four hours apart, so this can cause delays. In general, I believe that the time it takes to configure and test a service should be shorter. Sometimes, it can take a couple of hours to test a single configuration setting. Other times, it is only ten or fifteen minutes, which is normal. However, sometimes, even immediate actions can be triggered by configuration changes, and some settings can take up to eight hours to complete. I believe that this time can be improved.
Microsoft is making a lot of improvements to its services in a short period of time. This is a good thing, as it means that the services are constantly being updated and improved. However, it can be challenging for customers to keep up with the changes. For example, a customer may read about an update, understand it, and share it with their colleagues and boss. However, it may take days or weeks to test the update and get the necessary approvals. This can be especially challenging for large customers with many users or machines. In some cases, Microsoft may change a service before the customer has had a chance to implement the previous update. This can be frustrating for customers, as it means that they have to constantly learn new things and adjust their workflows.
On the one hand, it is important for Microsoft to keep updating and improving its services. This helps to ensure that the services are meeting the customers' needs and that they are staying ahead of the competition. Microsoft should also be mindful of the challenges that these changes can create for customers. One way to address this challenge is to provide customers with more time to implement changes. Microsoft could also provide more information about upcoming changes so that customers can plan ahead. Ultimately, Microsoft needs to strike a balance between keeping its services up-to-date and providing customers with a smooth transition to new features.
I have been using Microsoft 365 Defender for six years.
Microsoft 365 Defender is stable.
Microsoft 365 Defender is scalable.
We have users across different areas in Europe. We provide support to multiple companies that use Microsoft 365 Defender, with user counts ranging from 1,000 to 10,000.
The technical support quality varies depending on who responds to our call.
Positive
I previously used Zimperium, which is one of the top three mobile security platforms in the world. Our organization decided to purchase the Microsoft 365 E5 license, which includes Microsoft Defender for Endpoint services that can be used to protect mobile devices against mobile threats. Once our contract with Zimperium was over, we transitioned all of our mobile devices to Microsoft Defender for Endpoint. We moved from the old solution to Microsoft because they provide a great service. They provide a lot of features, and they also provide a very good price.
The cost of Microsoft products depends on several factors, including contract negotiations, the number of licenses needed, the length of the contract, the type of contract, and whether the organization is a long-term partner or a new customer. Microsoft is constantly adding new features, which can cause the price to increase. However, the cost is worth it to protect the environment. Currently, no other company can provide such a complex product at such a competitive price and be as responsive to end-user feedback and continuous improvement.
On average, we pay around 55 euros per user for the services and features we receive. This is a good value for a large company, but it may be too expensive for a small business.
I give Microsoft 365 Defender an eight out of ten.
Microsoft 365 Defender can be complex; engineers should follow the updates and ensure that they have up-to-date knowledge of the services and products.
I prefer Microsoft Defender for Cloud Apps. It is the most customizable and feature-rich solution of the three. I like that we can fine-tune security controls to specify what applications can do or what users can do within an application. This is possible due to the integration with Microsoft Defender for Endpoint, Microsoft Information Protection, and Intune or Microsoft Endpoint Manager. This allows us to block activities that we do not want to allow in our corporate environment. We can also scope the solution to user applications, document types, classifications, and whether the device is compliant.
Microsoft 365 Defender services are still new to many customers. Some customers do not even have a Microsoft 365 license, so they cannot use these services. Once we purchase a license, we have access to these services. However, these services are new to our environment. We need to ensure that we have a security engineer with experience in these services. We can either hire an engineer or contract with one. We also need to ensure that the engineer shares their knowledge with our existing security engineers. This will ensure that everyone is on the same page and knows how to use the services. We also need to have a design for how we will use these services. We need to have a clear picture of what we want to achieve. This can take months or years, especially for large companies. If we are a large company, we may also need to move away from our current solutions. Our current solutions may not be cloud-based. We may still have contracts with other vendors for one or two more years. We will need to have a plan for how we will migrate our services to Microsoft 365. This can be a lot of time and effort. We need to prioritize the tasks that we want to onboard and decide which services we want to use or configure. This is an issue for a large company. For a small company with only a few users, this can be much easier and go much faster.
The number of people required for Microsoft 365 Defender maintenance is based on the number of users in the organization.
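The review above describes how the portal prioritizes threats by telling you, for example, which Windows servers still need patching, and mentions KQL as the way to build custom queries. The advanced hunting query below is an added example written for this page, not the reviewer's own query and not Microsoft's: it turns that prioritization into a ranked list by joining the per-device vulnerability table with the CVE knowledge base and the device inventory, so that internet-facing servers with exploitable CVEs sort to the top. All table and column names are the published Defender XDR advanced hunting schema; the thresholds (CVSS 9.0, Windows Server only) are assumptions you can change.

```kusto
// Added example (not from the review): rank Windows servers by unpatched,
// exploitable or critical CVEs, enriched with exposure from DeviceInfo.
DeviceTvmSoftwareVulnerabilities
| where OSPlatform startswith "WindowsServer"          // assumption: servers only
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true or CvssScore >= 9.0   // assumed threshold
    | project CveId, CvssScore, IsExploitAvailable
  ) on CveId
| summarize
    Cves            = dcount(CveId),
    ExploitableCves = dcountif(CveId, IsExploitAvailable),
    MaxCvss         = max(CvssScore),
    Updates         = make_set(RecommendedSecurityUpdate, 10)
    by DeviceId, DeviceName, OSPlatform
// Latest inventory record per device carries exposure level and
// whether the device is seen as internet-facing.
| join kind=leftouter (
    DeviceInfo
    | summarize arg_max(Timestamp, IsInternetFacing, ExposureLevel) by DeviceId
  ) on DeviceId
| project-away DeviceId1
| order by IsInternetFacing desc, ExploitableCves desc, MaxCvss desc, Cves desc
```

The `Updates` column lists the security updates the vulnerability management data recommends for each device, which is what a patching ticket needs; the ordering puts the handful of internet-facing hosts with known exploits ahead of the long tail of internal machines with only a high CVSS score.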
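The review also stresses testing the environment and configuring retention per log type to understand what Sentinel will cost, and points to the built-in cost workbooks. The Log Analytics query below is an added example, not the reviewer's and not one of Microsoft's workbooks: it reads the workspace's own `Usage` table to show, per data type, how much of the last 30 days' ingestion was billable and how much fell under a free source, which is the number the retention and cost decision has to be made against. The 30-day window is an assumption; `Quantity` is reported in megabytes, which is why it is divided by 1024.

```kusto
// Added example (not from the review): billable vs. free ingestion per table
// over the last 30 days, from the workspace's own Usage table.
let lookback = 30d;
let days = 30.0;   // matches lookback; used for the daily average
Usage
| where TimeGenerated > ago(lookback)
| summarize
    BillableGB = round(sumif(Quantity, IsBillable) / 1024, 2),
    FreeGB     = round(sumif(Quantity, not(IsBillable)) / 1024, 2),
    Solutions  = make_set(Solution, 5)
    by DataType
| extend DailyAvgBillableGB = round(BillableGB / days, 3)
| order by BillableGB desc
```

Rows where `FreeGB` is non-zero and `BillableGB` is zero are the sources the review calls out as free to ingest; the rest are where a shorter table-level retention, or a filter at the data collection rule, actually changes the bill. Run it in the Sentinel Logs blade, then compare the top rows with the retention you set for those tables.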