IT CONSULTANT at a tech company with 10,001+ employees
Works reliably behind the scenes and saves labor costs
Pros and Cons
- "It's pretty easy to use, works with compliance issues, and is reliable."
- "Microsoft Defender for Endpoint has helped reduce our mean time to remediation significantly."
- "Microsoft Defender for Endpoint can have more options and more AI capabilities in the future, because everything keeps changing."
What is our primary use case?
Our main use case for Microsoft Defender for Endpoint is as a safety plan because we're in hospitality.
How has it helped my organization?
Microsoft Defender for Endpoint benefits my company by saving on labor costs since we don't have to put in extra effort to maintain it. It's self-sufficient.
Microsoft Defender for Endpoint gives us information about attacks and security, and easy access to data, similar to a spreadsheet. It gives us the information we need. It helps provide quick responses.
Microsoft Defender for Endpoint seems safe, which is the main thing we were looking for, and it works reliably in catching the things we used to catch. We see many random hacking attempts and fake emails, and it cuts them off before anything happens.
Microsoft Defender for Endpoint works mainly behind the scenes. We know we are safe and feel we can relay accurate information to customers.
Microsoft Defender for Endpoint's coverage across different platforms in our environment has no issues. Microsoft seems to have it covered, unlike other software that isn't compatible.
I have tried integrating Microsoft Defender for Endpoint with other software products, and it seems compatible with all of them.
Microsoft Defender for Endpoint has helped reduce our mean time to remediation significantly. It is doing all the work for us, so we don't have to spend our own time on it. It has reduced our mean time to remediation by about 75% to 80%.
Microsoft Defender for Endpoint has helped free our SOC team to work on other projects since we don't have to waste time, as this solution does the work for us. We have saved about 70% to 80% of time because we don't have to focus on certain tasks, allowing Microsoft to handle it for us.
What is most valuable?
It's pretty easy to use, works with compliance issues, and is reliable.
It sends us data, which is clear-cut. We don't have to do anything extra.
What needs improvement?
Microsoft Defender for Endpoint can have more options and more AI capabilities in the future, because everything keeps changing.
Buyer's Guide
Microsoft Defender for Endpoint
April 2026
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
892,776 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for about six to seven years.
What do I think about the stability of the solution?
I have no complaints about the stability and reliability of Microsoft Defender for Endpoint; it feels solid.
What do I think about the scalability of the solution?
There is plenty of room to expand, which is not a problem since we have been bringing in different brands over the years. Compatibility is its main feature.
How are customer service and support?
The technical support for Microsoft Defender for Endpoint is available around the clock, and that's not an issue at all.
Which solution did I use previously and why did I switch?
I was using another solution six to seven years ago to address similar needs. It has been a long time, and I'm struggling to remember which one it was.
What was our ROI?
We have seen a return on investment when using Microsoft Defender for Endpoint, as it saves labor by reducing the need for staff to focus on it.
What's my experience with pricing, setup cost, and licensing?
It isn't cheap, but it's reasonable and fair.
Which other solutions did I evaluate?
I considered a few other solutions before choosing Microsoft Defender for Endpoint, but that was quite a while ago, and I don't even know if they exist anymore.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Lead security engineer at a computer software company with 11-50 employees
Real-time protections and automatic attack disruption have saved our time
Pros and Cons
- "The features of Microsoft Defender for Endpoint that I prefer most are the detections. It just works."
- "The automatic attack disruption feature in Microsoft Defender for Endpoint works great."
- "The log searches for Microsoft Defender for Endpoint are pretty difficult to navigate. It needs a better UI or more intuitive search and filter mechanisms to make it easy to get through and filter through all the data logs."
What is our primary use case?
We are an MSP. We've got a lot of clients that use Microsoft Defender for Endpoint as their EDR system. We support that.
A lot of the use cases for Microsoft Defender for Endpoint check the boxes for the EDR solution for that client. We use the endpoint portals to work through any alerts. Mostly, we feed all of the Azure Office 365 security logs into our SIEM and then take those alerts if we have to do more work, and see if we can get more details from that.
How has it helped my organization?
The automatic attack disruption feature in Microsoft Defender for Endpoint works great. Microsoft Defender for Endpoint's auto-deployed deception techniques also work great. It hasn't bothered me, so it just does its thing, which helps a lot because we have many things to deal with.
The visibility into the company's attack surface provided by Microsoft Defender for Endpoint is good. It's all in one place, which is great. I can see where things are going and make sure that it's deployed on all the machines that we work on.
Microsoft Defender for Endpoint has affected the security posture of our clients' organizations. It does its job fine. For some clients, we don't have to worry too much. Even if we're not getting tons of alerts from it, it's at least there, doing its job.
Microsoft Defender for Endpoint's coverage in client environments is comprehensive. Every device we support is a Microsoft Windows device. It covers pretty much all the endpoints and workstations for those clients.
Microsoft Defender for Endpoint has helped reduce our mean time to remediation. A lot of the reduction is due to the automatic disruption, so we don't have to sit there. It also gives us another data point to look at where the vulnerability might have been.
It has helped me free our SOC team to work on other projects or tasks. It has saved 5% to 10% of our time.
What is most valuable?
The features of Microsoft Defender for Endpoint that I prefer most are the detections. It just works. Malware getting on a machine and running is a big deal, so we can trust it to sit there and scan and have real-time protections.
What needs improvement?
The log searches for Microsoft Defender for Endpoint are pretty difficult to navigate. It needs a better UI or more intuitive search and filter mechanisms to make it easy to get through and filter through all the data logs.
For how long have I used the solution?
At the company, we've been using it for a long time. I've been here for about three months.
What do I think about the stability of the solution?
The stability of Microsoft Defender for Endpoint is good. I've never had it be unavailable. It's always available when I need it to be.
What do I think about the scalability of the solution?
It has been able to fulfill our needs. Everyone we work with is pretty small, so it's not usually an issue.
How are customer service and support?
I have never interacted with the customer service of Microsoft Defender for Endpoint, as it just does what I need it to. Based on my other experiences with Microsoft technical support, I would rate them an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We use Microsoft Defender for Endpoint along with some other products. Some of our clients choose to stick with Microsoft. There are other EDR products that we support as well.
How was the initial setup?
I've deployed it for a client. It was pretty smooth and simple. They're small shops, so there wasn't a whole lot of craziness to do with it.
What was our ROI?
The biggest return on investment for me when using Microsoft Defender for Endpoint is the time saving. It's an easy recommendation. If I have clients wanting to dive into more security products for their environments and are hesitant about going with an endpoint solution or a different software vendor, it's an easy recommendation.
What's my experience with pricing, setup cost, and licensing?
It's all pretty easy. For some clients, it's an easier sell because it's just an add-on to their existing Microsoft licensing and Office 365 licensing.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a nine out of ten. The log search features are difficult. If I don't have visibility into another product, the log search functions of Microsoft Defender for Endpoint are pretty difficult to navigate.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Not sure
Head of Security at Mannai Microsoft Solutions
We can block suspicious URLs, quarantine malicious files, and conduct a forensic investigation
Pros and Cons
- "We can run the virus scan across our entire environment."
- "Some of the integrations that Defender should include involve the use of the web app."
What is our primary use case?
We utilize Microsoft Defender for Endpoint as our EDR solution, which stands for endpoint detection and response. Through this solution, devices are integrated. If new vulnerabilities or novel attacks emerge, Defender for Endpoint promptly identifies them. It serves as our primary EDR solution amidst the variety available in the market.
The current surge in Defender for Endpoint's popularity is attributed to its real-time detection capabilities. Additionally, we can execute SOAR actions, namely security orchestration response. For instance, if we need to isolate a device from the network or run an antivirus scan on a machine, Defender for Endpoint facilitates these tasks.
Consider a scenario where one of the devices becomes compromised. During the investigation, if a malicious IP address is identified, it can be blocked using Defender for Endpoint.
How has it helped my organization?
Microsoft Defender for Endpoint offers excellent visibility. We can observe all the details regarding the attack process, such as the type of activity that occurred, including the entire MITRE ATT&CK framework. This enables us to view the initial actions, the device involved, the IP address used, and the extent of the impact on users and devices all through a single interface.
Microsoft Defender for Endpoint definitely assists us in prioritizing threats throughout our enterprise. Based on the signatures, the alert categories are related to high severity, medium severity, and low severity. Therefore, we can determine which alerts require our focus and prioritize them accordingly.
I am currently the Subject Matter Expert for Microsoft within my organization. This encompasses the entire Microsoft security suite. I specialized in working with Microsoft Sentinel. In the past, I was a part of the Microsoft Sentinel team itself, back in 2017 when Sentinel was in its pilot version, known as Azure Security Insights.
It's very easy to integrate the Microsoft solutions. We have data connectors and APIs readily available. There are no difficulties. If we teach an unfamiliar person for a week how to use Defender for Endpoint and Microsoft Sentinel, they can likely gain insight into the basics of integrating Defender for Endpoint, Microsoft Sentinel, Defender for Identity, or Defender for Cloud Apps.
These solutions work natively together to deliver coordinated detection responses across our environment. When an incident is detected in Microsoft Defender for Endpoint, the same incident will be captured in Microsoft Sentinel within a few minutes. The integration capabilities with both Microsoft and third-party solutions are valuable.
The comprehensiveness of threat protection provided by these Microsoft security solutions is combined into a single interface. We can access all necessary features from one place. The combined solutions offer us User and Entity Behavior Analytics, Endpoint Detection and Response, on-premises, and cloud application security. While no single product can handle everything independently, by implementing basic security practices across all Microsoft products, we achieve a comprehensive threat detection system.
The bi-directional sync capability is a feature that allows us to enable safe devices in both Defender for Cloud and Defender for Endpoint.
Sentinel allows us to ingest data from across our entire ecosystem. If we are utilizing third-party firewalls or other products, we can employ APIs to integrate those solutions with Sentinel.
Sentinel allows us to examine threats and respond comprehensively from a single location. Within this location, we can utilize SOAR playbooks to accomplish different tasks, such as blocking all compromised email sign-in sessions with just one click.
Sentinel is a comprehensive security product, owing to its integrated SOAR, UEBA, and threat intelligence capabilities. UEBA employs built-in machine learning to identify users with high, medium, and low-risk profiles. The user interface also includes a feature that enables us to log out of the user. Threat intelligence has the ability to assimilate all access information from third-party solutions and identify threats originating from the internet. Sentinel consistently operates proactively to prevent compromises.
I used to utilize Splunk back in 2015, but I have recently transitioned into being a Microsoft security advocate due to the cost optimization benefits. Microsoft Sentinel's pricing is based on the data we ingest. We have the flexibility to choose different models, such as the pay-as-you-go model or the bandwidth model. For instance, if we ingest 500 GB of EPS, we will incur charges for that usage; however, a 20 percent discount is applicable in this scenario. The pricing is directly linked to the amount of data we ingest, which is advantageous. I prefer not to ingest certain security events that are intended for operational purposes. By excluding these events, I can effectively reduce the overall cost of using Microsoft Sentinel. Additionally, being a cloud-native tool eliminates the need for any physical hardware. With just one click, the entire installation process is completed.
There are three ways Microsoft Defender for Endpoint has benefited our organization. The primary advantage is the optimization of our organization's scanning process. We have established a bi-weekly scanning process that runs at midnight, encompassing all machines. This stands as the foremost enhancement. The second advantage revolves around obtaining visibility into vulnerabilities within our environment. Considering our role as an MSSP, responsible for managing over 25 clients, this visibility holds paramount importance. Within Defender, a particularly noteworthy feature is the enabled management. This provides us with the latest information regarding vulnerabilities within Microsoft products as well as third-party software. The third and final advantage pertains to responding to emerging threats. For instance, in the case of a new attack, such as the recent CVE 3688, which targets a Microsoft Office vulnerability, including a zero-day exploit lacking an available solution, our Microsoft-oriented threat intelligence block comes into play. Through custom query languages deployed within Defender, we have the capability to identify anomalous activities. Additionally, this third point ties in with the Application Guard rules. These rules have proven instrumental in proactively preventing ransomware attacks. They operate by automatically obstructing any suspicious processes occurring within the Office environment.
Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We have APIs established, allowing us to develop our own dashboards using the Defender for Endpoint APIs. For instance, we can utilize Power BI to generate a security report, providing a comprehensive overview of the organization's internal activities.
It has eliminated the necessity for multiple dashboards. This pertains to the MXDR dashboard, which stands for Microsoft Extended Detection Dashboard, as well as the Detection Response Dashboard. Essentially, we have consolidated these into a single comprehensive dashboard, developed entirely by Microsoft. This unified dashboard streamlines the process of accessing organizational insights. As a result, there's no longer a need to access different security products to view their respective dashboards. Within Defender for Endpoint itself, we offer an array of security reports, all conveniently accessible with just one click. For those who may not find the reports relevant, we also provide the option to utilize our in-house developers for Power BI integration. This entails having a centralized dashboard where data from all products is collected and displayed in one location, facilitating a holistic view of security reports.
The integration into a single dashboard has simplified our security operations. Previously, our team had to perform numerous manual tasks for all customers. Therefore, with automation, when we present the report to the customers, they are quite impressed with having everything in one place.
Microsoft Defender for Endpoint's threat intelligence assists us in preparing for potential threats before they materialize, enabling us to take proactive measures. We identify these proactive threats due to the presence of a threat entry system. If any IOCs are obtained, they are undoubtedly identified by Microsoft Sentinel. Moreover, we have set up indicators ingestion for Defender for Endpoint. This process involves creating steps to acquire data from third-party sources and directly inputting it into Defender for Endpoint. Since Defender for Endpoint has a capacity limit of 15,000 indicators of compromise, we can only ingest data up to this extent. Any surplus data will be automatically removed, provided their IOC scores fall below 60 within a month. Consequently, new IOCs will replace the removed ones.
It has saved our organization around 30 percent of our time in terms of not having to worry about malware. When any malware does get in, it is automatically remediated. Now, the main portion of our time is dedicated to conducting in-depth investigations and identifying other occurrences.
We have cut our organization's costs in half compared to our previous solutions. This is mainly due to the automation of most tasks, which means we now only need ten people to manage 20 customers, a significant reduction from the 30 engineers we needed before.
Microsoft Defender for Endpoint has significantly reduced our time for detection and response. Our Service Level Agreement entails detecting issues within 15 minutes and responding within 30 minutes. Defender for Endpoint has greatly contributed to these time savings. The incidents that we used to address using Splunk required extensive coordination within our team and with our customers, leading to substantial time consumption. Previously, resolving a single incident took around 40 minutes. Presently, this process takes approximately 15 minutes.
What is most valuable?
The most valuable feature is the timeline, which allows us to view the details of an event 30 minutes before and after.
Forensic investigation is a valuable feature of Defender for Endpoint.
We can run the virus scan across our entire environment.
We can block suspicious URLs and quarantine malicious files within the Defender for Endpoint portal.
What needs improvement?
Some of the integrations that Defender should include involve the use of the web app. Utilizing the web app implies that the Defender API should be accessible through mobile devices as well. For instance, if there exists a mobile application, it would be beneficial. Let's imagine a scenario where I'm traveling and I receive a new alert. With a Defender mobile application, I could easily isolate the threat, conduct an investigation on my mobile device, or even automatically escalate or assign the alert to my engineers.
There are certain third-party apps that haven't been integrated with Defender. I would be delighted to witness the integration of those apps with Defender for Endpoint.
The deployment of Defender for Endpoint should be made smoother via Intune.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for five years.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is scalable.
How are customer service and support?
The technical support is fine but it takes time to reach them.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We previously used Splunk but switched to Microsoft Defender for Endpoint because of the cost and smoother operation.
How was the initial setup?
With the proper training, the initial setup is straightforward.
When conducting customer onboarding, the deployment will require a minimum of three days. Therefore, we must ensure everything is executed flawlessly and follow security best practices. Emphasizing precise deployment is crucial. Hence, deploying without careful planning is not an option, aiming to prevent any issues in a larger environment. In contrast, a smaller environment can be deployed within two days.
For a large organization with over 5,000 employees, a team of up to six people is required for the deployment.
What was our ROI?
We are achieving a 15 percent return on investment, which is contributing to the growth and impact of our company.
What's my experience with pricing, setup cost, and licensing?
If we are acquiring everything in a single place, the front end becomes cost-effective. We won't need to purchase five separate products for various tasks. Instead, it's one product designed for five tasks, which is certainly a cost-effective approach.
What other advice do I have?
I rate Microsoft Defender for Endpoint an eight out of ten.
We also utilize Defender for Cloud. Defender for Cloud is employed specifically for the Azure product. If we have servers deployed within Azure, the system handles alerting, traceability, and security. Therefore, we certainly use it.
We have three locations where Microsoft Defender for Endpoint is deployed. One is in Australia, another is in Qatar, and the third is in India. Consequently, we employ approximately two hundred personnel.
No maintenance is required for Defender for Endpoint on the customer's end.
A single-vendor security solution approach is better than a best-of-breed strategy. We all are using Microsoft laptops and OS.
I recommend completing a POC before adopting Microsoft Defender for Endpoint.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Office 365 Subject Expert at a government with 10,001+ employees
Ensures that malicious websites aren't accessed, thereby enhancing desktop and network security
Pros and Cons
- "Web filtering is the most valuable feature of Microsoft Defender for Endpoint because it effectively maintains security for website access."
- "Defender for Endpoint has significantly reduced our SOC team's workload by automating threat detection and response, allowing them to focus on other critical projects."
- "There is a need for improvement in reducing false positives."
What is our primary use case?
Our primary use case for Microsoft Defender for Endpoint is desktop security.
How has it helped my organization?
Defender for Endpoint has improved our security posture by ensuring that malicious websites aren't accessed, thereby enhancing desktop and network security.
The visibility into our attack surface provided by Defender for Endpoint is good.
Defender for Endpoint has significantly reduced our SOC team's workload by automating threat detection and response, allowing them to focus on other critical projects. This increased efficiency has minimized security concerns and freed up several hours per week for the team.
We are primarily a Microsoft environment, but we also utilize a few Macs. Microsoft Defender for Endpoint functions effectively across both platforms.
What is most valuable?
Web filtering is the most valuable feature of Microsoft Defender for Endpoint because it effectively maintains security for website access.
What needs improvement?
There is a need for improvement in reducing false positives. Defender flags vulnerabilities based on registry keys or temporary files that are not necessarily vulnerabilities. This creates a lot of false positives. There could also be better clarity in navigating through the GUI to identify and resolve vulnerabilities.
A disconnect exists between the subject-matter experts and Microsoft's Level One support teams, causing delays in issue resolution. Repeated interactions are necessary due to Level One's lack of tools and knowledge, hindering efficient problem-solving and negatively impacting our experience with Microsoft support.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for about three years.
What do I think about the stability of the solution?
Defender for Endpoint is a stable product with reliable uptime.
How are customer service and support?
The support from Microsoft is somewhat lacking. The level-one support seems disconnected from subject matter experts, leading to back-and-forth delays in resolving issues.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
CrowdStrike's GUI is more user-friendly and provides easy-to-follow instructions, while Defender for Endpoint requires more effort to access detailed file information and vulnerability assessments. For instance, locating a specific device involves navigating through reported vulnerabilities, clicking on associated devices, and then searching for the device name to identify the vulnerabilities and their origins. The switch to Defender for Endpoint was likely motivated by cost savings and compliance requirements.
What was our ROI?
Defender for Endpoint is a good security product that provides a good return on investment.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a seven out of ten. It has effectively improved our security posture, but there are areas where support and usability can be enhanced.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Engineer at a financial services firm with 1,001-5,000 employees
Offers excellent visibility into vulnerabilities and the attack surface itself
Pros and Cons
- "Attack surface reduction and limiting attack surface vectors are valuable features. It's helpful to isolate specific devices and get super granular with the features they offer."
- "The stability is great. I haven't seen any outages with Microsoft."
- "Defender for Endpoint is complex, and the documentation is detailed. At the same time, it's hard to navigate sometimes. You have to go through tons of documentation to find what you want."
What is our primary use case?
Currently, I'm working to build out DLP policies in Defender for Endpoint.
How has it helped my organization?
Defender for Endpoint enables us to see vulnerabilities on certain endpoints and investigate the attack surface. We've improved our Security Score to the industry standard. The solution has reduced the mean time to remediation, but it's hard to give a precise number because it varies on a case-to-case basis. Automatic remediation of certain vulnerabilities has allowed our SOC to work on other projects.
What is most valuable?
Attack surface reduction and limiting attack surface vectors are valuable features. It's helpful to isolate specific devices and get super granular with the features they offer. The visibility into the attack surface is good. It gets highly granular. I don't work on that side, but the people who do tell me they get more visibility.
What needs improvement?
Defender for Endpoint is complex, and the documentation is detailed. At the same time, it's hard to navigate sometimes. You have to go through tons of documentation to find what you want.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for one and a half years.
What do I think about the stability of the solution?
The stability is great. I haven't seen any outages with Microsoft.
What do I think about the scalability of the solution?
It's pretty easy to scale with Microsoft, as they make it easy if you look into the documentation.
How are customer service and support?
I rate Microsoft support eight out of 10. Customer service has been pretty good. I don't have any complaints.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We've had E5 licensing for a while now, but our security stacks were spread across multiple resources, so we are currently consolidating.
What's my experience with pricing, setup cost, and licensing?
I don't work much with the costs, but I have not heard of any issues with pricing, licensing, or setup costs for Microsoft Defender for Endpoint.
What other advice do I have?
I rate Microsoft Defender for Endpoint eight out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cybersecurity Trainer and SOC Analyst at Beekom
Advanced hunting and alert management made efficient
Pros and Cons
- "You can query and access useful information from logs and events, which is powerful and efficient."
- "Sometimes, there are difficulties in downloading a file considered as malicious."
What is our primary use case?
I use Defender for Endpoint every day, for example, when a user downloads an unwanted application, we get an alert. Sometimes we have suspicious processes in an endpoint, and we receive an alert for those activities.
How has it helped my organization?
Microsoft Defender for Endpoint helps in detecting different alerts and potential threats by providing alerts and timelines with detailed explanations, which is useful to understand and close or address the issues.
What is most valuable?
In Microsoft Defender, there is a security portal that allows advanced hunting. You can query and access useful information from logs and events, which is powerful and efficient. Additionally, the timeline feature helps in understanding which process launched what and identifying errors.
What needs improvement?
Sometimes, there are difficulties in downloading a file considered as malicious. We encounter a bug that requires several attempts to download, which is a bit of a challenge.
For how long have I used the solution?
I have been working with Microsoft Defender for Endpoint since February, which is approximately eight months.
What do I think about the stability of the solution?
The stability of the solution is rated an eight out of ten. It is quite stable.
What do I think about the scalability of the solution?
The scalability of the solution is rated as eight, suggesting it is reasonably scalable.
How are customer service and support?
I contacted Microsoft support for personal use of Defender, and they were very nice, providing solutions quickly. This was a positive experience.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before using Defender for Endpoint, I used SentinelOne. Defender is easier to use than SentinelOne.
How was the initial setup?
For the initial setup, I’d give it an eight out of ten, suggesting it’s quite straightforward.
What's my experience with pricing, setup cost, and licensing?
The price for Microsoft Defender for Endpoint is about three euros, which is considered reasonably priced. I'd rate it seven out of ten for cost.
Which other solutions did I evaluate?
I have previously evaluated SentinelOne before using Microsoft Defender for Endpoint.
What other advice do I have?
I'd advise others to use Microsoft Defender for Endpoint because it's a good solution with many experts behind it. Additionally, it's compatible and easy to use with Windows environments.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
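The advanced hunting the reviewer above describes is driven by Kusto (KQL) queries over the Defender for Endpoint tables in the security portal. As an added example, not taken from the review or from Microsoft's documentation, here is a query over the DeviceProcessEvents table that reconstructs which process launched what on a single device, the parent/child view the reviewer gets from the timeline feature. The table and column names are the advanced hunting schema; the device name and the look-back window are placeholder values to replace.

```kusto
// Added example: parent/child process view for one device over a time window.
// DeviceProcessEvents and its columns are the advanced hunting schema;
// target_device and lookback are placeholders, not values from the review.
let lookback = 24h;
let target_device = "WORKSTATION-PLACEHOLDER";
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where DeviceName =~ target_device
// Pair each child process with the process that started it, so a reviewer
// can follow the chain that the portal timeline presents graphically.
| project Timestamp, DeviceName, AccountName,
          Parent    = InitiatingProcessFileName,
          ParentCmd = InitiatingProcessCommandLine,
          Child     = FileName,
          ChildCmd  = ProcessCommandLine
| sort by Timestamp asc
```

Narrowing the query to one device and a short window keeps the result set small enough to read top to bottom; when the point of interest is a specific alert, replacing the device filter with the alert's time range and account name gives the same chain for that incident.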
Snr. Infrastructure Architect (Data Centre) at LogicEra
Advanced threat protection improves security posture and device management
Pros and Cons
- "Microsoft Defender for Endpoint is a comprehensive and scalable solution for protecting on-premises and hybrid infrastructure."
- "The initial support process can be lacking as first-line support is sometimes not well-versed technically, resulting in repeated exchanges to finally engage a knowledgeable support person."
What is our primary use case?
Our customers use Microsoft Defender for Endpoint to protect their hybrid environments. We onboard the hybrid environment to the Azure Security posture with proper Intune integration. This setup ensures that devices are protected and secured with anti-malware, antivirus, and other protective measures. We deploy this primarily in hybrid environments.
What is most valuable?
Microsoft Defender for Endpoint provides a unified management interface allowing customers to manage their on-premises and hybrid infrastructures from a single pane. The integration with Intune enables control over devices like laptops, enhancing security. Automated Investigation and Remediation features are vital for advanced threat protection and beneficial for device protection. The ability to manage both devices and users efficiently is advantageous.
What needs improvement?
One area that needs improvement is the integration cost of logs with external solutions like Sentinel, which can be expensive. Additionally, Microsoft could allow storing logs locally within the Defender panel to reduce costs. It would also be beneficial if policies could be configured without relying on Microsoft Entra ID, allowing for better integration with local directories.
For how long have I used the solution?
I have been working with Microsoft Defender for Endpoint for three to four years.
What was my experience with deployment of the solution?
Sometimes devices do not sync properly with the Endpoint. We often need to diagnose whether the issue lies with the Endpoint or the device. This can delay proper deployment.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable with no major issues reported. However, syncing of devices sometimes encounters problems, requiring us to investigate the root causes.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is scalable enough to handle various devices across environments, whether they are laptops, Android devices, or operating in hybrid environments. Customers mostly use it in hybrid setups.
How are customer service and support?
The initial support process can be lacking as first-line support is sometimes not well-versed technically, resulting in repeated exchanges to finally engage a knowledgeable support person. This process is often slow and time-consuming.
How would you rate customer service and support?
Neutral
How was the initial setup?
Setting up Microsoft Defender for Endpoint requires technical knowledge of Microsoft Entra ID and policy configurations. While it is not easy for all customers, skilled technical personnel can handle it without major issues.
What's my experience with pricing, setup cost, and licensing?
The pricing of Microsoft Defender for Endpoint is reasonable. It costs $15 per VM for the P2 plan, which is seen as affordable for customers. Additional add-ons are priced at $5.
What other advice do I have?
Microsoft Defender for Endpoint is a comprehensive and scalable solution for protecting on-premises and hybrid infrastructure. It provides strong protection and management capabilities. Customers are advised to use this solution for its robust features like advanced threat protection and easy integration with other Azure applications. I rate Defender for Endpoint nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer.
Seamless integration and automation improve threat detection and response
Pros and Cons
- "Overall, I recommend Microsoft Defender for Endpoint due to its features and capabilities, which cover more loopholes than other EDR solutions."
- "Initially, I experienced performance issues that hampered our servers. However, after setting appropriate exclusions, everything seemed to work fine."
What is our primary use case?
We use Microsoft Defender for Endpoint as an Endpoint Detection and Response (EDR) tool, as well as for vulnerability management.
What is most valuable?
I appreciate how easily Microsoft Defender for Endpoint integrates with our environment and the wide variety of logs it provides compared to other EDR tools. The policies provided are quite effective and easy to implement, which simplifies the onboarding of newcomers. We continually test new policies, making threat detection and response efficient. Automation capabilities have allowed us to create workflows that automate detecting true or false positives.
What needs improvement?
I believe that vulnerability management could be improved by making it easier to pull reports and providing more detailed information on how Microsoft Defender for Endpoint detects vulnerabilities. Our partner vendor mentioned that these updates might get more granular in the future.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for the past couple of years.
What do I think about the stability of the solution?
Initially, I experienced performance issues that hampered our servers. However, after setting appropriate exclusions, everything seemed to work fine.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is scalable. I did not encounter any limitations in terms of scalability.
How are customer service and support?
When I had performance issues and needed clarity regarding certain legitimate applications being blocked, I raised a few tickets with Microsoft. Their responses have been adequate. Overall, I would rate them eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used Symantec and Trend Micro before Microsoft Defender for Endpoint. Symantec was an on-premises solution, and we needed a cloud-based solution. After our company merged with a client, we switched from Trend Micro to match the client's tools, including their use of Microsoft Defender for Endpoint.
How was the initial setup?
The initial setup was straightforward as we had ample experience in multiple migrations and deployments. We did not face any significant challenges in implementing Microsoft Defender for Endpoint in our environment.
What about the implementation team?
Our implementation strategy was to install Microsoft Defender for Endpoint as a dummy software initially. With the help of our qualitative system engineering team, we deployed it on all machines, enabled monitoring mode, and compared it with current antivirus software. Eventually, we completed the deployment, disabled the previous antivirus, and made Microsoft Defender for Endpoint our primary. The process went smoothly without any outages or escalations.
What other advice do I have?
Overall, I recommend Microsoft Defender for Endpoint due to its features and capabilities, which cover more loopholes than other EDR solutions. I rate the solution nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Updated: April 2026