No more typing reviews! Try our Samantha, our new voice AI agent.

Microsoft Defender for Identity vs NetMon comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Microsoft Defender for Iden...
Ranking in Identity Threat Detection and Response (ITDR)
3rd
Average Rating
8.8
Reviews Sentiment
6.8
Number of Reviews
28
Ranking in other categories
Advanced Threat Protection (ATP) (8th), Microsoft Security Suite (5th)
NetMon
Ranking in Identity Threat Detection and Response (ITDR)
15th
Average Rating
7.6
Reviews Sentiment
6.1
Number of Reviews
12
Ranking in other categories
Network Monitoring Software (51st)
 

Mindshare comparison

As of July 2026, in the Identity Threat Detection and Response (ITDR) category, the mindshare of Microsoft Defender for Identity is 8.8%, down from 16.7% compared to the previous year. The mindshare of NetMon is 2.1%. It is calculated based on PeerSpot user engagement data.
Identity Threat Detection and Response (ITDR) Mindshare Distribution
ProductMindshare (%)
Microsoft Defender for Identity8.8%
NetMon2.1%
Other89.1%
Identity Threat Detection and Response (ITDR)
 

Featured Reviews

Peter Arabomen - PeerSpot reviewer
Security Engineer at Fidelity Bank Plc
Has supported hybrid identity management while integrating well with cloud directory services
The only challenge I have with Microsoft Defender for Identity is the latency. I may not put that entirely on Microsoft, because latency could be network related. At times when trying to authenticate, the prompt is delayed. We tried implementing passwordless authentication, especially for on-premises workloads, but we haven't been able to achieve that. Passwordless authentication is part of the identity functionalities, particularly when it comes to enforcing passwordless for on-premises workloads. In terms of improvements, you can't create OUs on Azure AD. Regarding giving users privileges on what they can do across different OUs, I haven't seen that feature on Microsoft Defender for Identity. Microsoft Defender for Identity needs to be able to plug into third-party applications that are not Microsoft. For instance, with a human resource application used to manage users and leave requests, when staff leaves the organization, they are first exited from that application before AD. Integration between Azure AD and third-party applications would allow automatic syncing when removing staff. The initial setup of Microsoft Defender for Identity is not hard. However, setup is one thing, and getting value from the application end-to-end is another. It can be set up and running from the first day but not functioning optimally. Initially, when we did the setup, it wasn't optimal. Over time, with continuous improvement, which we're still doing, we've gotten to a comfortable level, but there's still room for improvement.
SR
Pan India IT Infrastructure Management / End-user Services at Tata Group
Has supported real-time event detection and reporting accuracy while database integration has required extra effort
Sometimes it may be difficult to incorporate new additional databases in NetMon, and we faced some challenges at that time. However, currently, it is not giving many challenges.It is difficult to integrate NetMon with other databases. We can customize NetMon's monitoring views, but it is done by the team who handles it, as it is outsourced.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It is easy to set up. Based on the number of devices you would like to set up, you can use scripts, Group Policy, etc. It takes five minutes to set up."
"The best feature is security monitoring, which detects and investigates suspicious user activities. It can easily detect advanced attacks based on the behavior. The credentials are securely stored, so it reduces the risk of compromise. It will monitor user behavior based on artificial intelligence to protect the identities in your organization. It will even help secure the on-premise Active Directory. It syncs from the cloud to on-premise, and on-premise modifications will be reflected in the cloud."
"It gives companies a lot of insights that they didn't have before and has increased the security posture significantly."
"The basic security monitoring at its core feature is the most valuable aspect. But also the investigative parts, the historical logging of events over the network are extremely interesting because it gives an in-depth insight into the history of account activity that is really easy to read, easy to follow, and easy to export."
"All the integration it has with different Microsoft packages, like Teams and Office, is good."
"Microsoft Defender for Identity provides excellent visibility into threats by leveraging real-time analytics and data intelligence."
"We use AD Connect to sync on-premises AD to Azure AD, and so far, it has been effective."
"I would rate Microsoft Defender for Identity at nine out of ten."
"We are using NetMon's real-time traffic analysis regularly with a team of four members who effectively monitor all alerts and events, which has helped them identify whether there could be a severe incident."
"The analytics feature is the most valuable feature."
"It has a very strong artificial intelligence engine."
"The initial setup is straightforward because we can deploy an open server."
"Visibility is a valuable feature, the ability to see even if the traffic is not going into the firewall"
"NetMon's best feature is traffic analysis."
"In general, this is a good product."
"It is a stable solution...It is a scalable solution."
 

Cons

"For users operating in mixed environments, while Defender for Identity offers robust protection for on-premises AD, additional solutions or configurations might be necessary to ensure seamless security management across Azure and on-premises AD systems."
"Feedback on sync issues with the Microsoft portal highlighted its slow nature, with syncs sometimes taking eight hours."
"There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because. It can prevent issues from spreading further."
"There are issues with the alerts in Microsoft Defender for identity-related intra-protection detection anomalies. The alerts are missing some data, which makes it difficult to determine the exact sign-in event associated with the alert."
"When the data leaves the cloud, there are security issues."
"And when you are working in a priority IP address, Identity is not able to know that those IPs are from the company. It sees that the IPs are from Taiwan or from Hong Kong or from India, even though they are internal IPs, resulting in a lot of false positives."
"The solution could improve how it handles on-premises Android-related attacks."
"Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies."
"The main concern is that LogRhythm has not improved NetMon but instead introduced a separate product, which many customers, including us, would prefer to be integrated into a single platform for easier management."
"I would like to see better integration with multiple products. Integration is not something that is readily available for most of the products."
"One thing that surprised me was the current version of LogRhythm does not natively support Windows 2016."
"There is an issue with tunneling in relation to how the connectivity is established between the end devices and where NetMon is installed. On the console, I often observe that there's a difference of a few seconds or maybe a minute, and this lag time should not be there."
"Our customers would always like to see additional features."
"Sometimes it may be difficult to incorporate new additional databases in NetMon, and we faced some challenges at that time."
"The training for this product is not very good and needs to be improved."
"LogRhythm's support team isn't responsive enough - it's common to wait a day or two for someone to deal with a case."
 

Pricing and Cost Advice

"You won't be able to change your tenants from where you deploy them. For example, if you select Canada, they will charge you based on Canadian pricing. If you are also in London, when you deploy in Canada, the pound is higher than Canadian dollars, but your platform resources are billable in Canadian dollars. Using your pounds to pay for any of these things will be cheaper. Or, if you deploy in London, they will charge you based on your local currency."
"Microsoft Defender for Identity comes as part of the Microsoft E5 licensing stack."
"The product is costly, and we had multiple discussions with accounting to receive a discounted rate. However, on the open market, the tool is expensive."
"Defender for Identity is a little more expensive than other Microsoft products. Identity and Microsoft Defender for Cloud are both a bit costly."
"It is very affordable considering that other SIEM solutions are much more expensive and have many more licensing restrictions and fees."
"LogRhythm's licensing part is something that depends on the license you want since they offer it on a perpetual and subscription basis."
"I don't have visibility into the pricing of LogRhythm NetMon as it's handled through our commercial partnerships."
"NetMon's licensing costs about $85k per year, with some extra costs for support."
"The price of this solution is too high, so it should be made more practical and more valuable for the customer."
"The product is expensive for smaller companies."
"Pricing is okay. There were some competitors that were extremely expensive and there were some which were really inexpensive but LogRhythm stayed in the middle of them."
report
Use our free recommendation engine to learn which Identity Threat Detection and Response (ITDR) solutions are best for your needs.
902,894 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
13%
Computer Software Company
10%
Manufacturing Company
10%
Comms Service Provider
7%
Financial Services Firm
12%
Transportation Company
12%
Construction Company
11%
Comms Service Provider
10%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business8
Midsize Enterprise5
Large Enterprise15
By reviewers
Company SizeCount
Small Business2
Midsize Enterprise2
Large Enterprise7
 

Questions from the Community

What needs improvement with Microsoft Defender for Identity?
I really would have to sit down to think about how Microsoft Defender for Identity can be improved. I didn't take stock in what needs to be improved because I appreciated having the tools right the...
What is your primary use case for Microsoft Defender for Identity?
My main use cases for Microsoft Defender for Identity include Conditional Access, checking risky users, remediating risky users, and user sign-ins. I can easily remediate or determine what the user...
What advice do you have for others considering Microsoft Defender for Identity?
I don't really use Microsoft Defender for Identity a lot because my new role doesn't allow me to take time to do so. I don't really use the threat intelligence feature of Microsoft Defender for Ide...
What needs improvement with LogRhythm NetMon?
Sometimes it may be difficult to incorporate new additional databases in NetMon, and we faced some challenges at that time. However, currently, it is not giving many challenges.It is difficult to i...
What is your primary use case for LogRhythm NetMon?
We have outsourced our SIEM solutions at the moment, and we are using it.We have been using LogRhythm in our organization as a SaaS offering. We have outsourced it as part of the actual scope where...
What advice do you have for others considering LogRhythm NetMon?
We use AWS as our cloud provider in a private cloud environment.It completely depends upon when incidents happen. To find the root cause analysis, we need to first gather the logs from the team. It...
 

Also Known As

Azure Advanced Threat Protection, Azure ATP, MS Defender for Identity
LogRhythm Network Monitor
 

Overview

 

Sample Customers

Microsoft Defender for Identity is trusted by companies such as St. Luke’s University Health Network, Ansell, and more.
Sera-Brynn
Find out what your peers are saying about Microsoft Defender for Identity vs. NetMon and other solutions. Updated: June 2026.
902,894 professionals have used our research since 2012.