Microsoft Defender XDR Reviews

It has helped us identify a lot of loopholes within our environment and mitigate risk. It has improved user experience as well.

The visibility into threats provided by the solution is amazing. If you have Sentinel, you can integrate it with Microsoft 365 Defender. You can then access all of the logs at once with a code. You would be able to quickly analyze and react to any threat.

We are able to prioritize threats with this solution. Depending on the type of license you have, you will be able to access different capabilities. We place very high importance on prioritizing threats because the easiest way to get attacked is through the user or the endpoint. You must have multiple layers of security.

We use several Microsoft security products such as Sentinel, Defender for Office 365, and Microsoft Defender for Cloud Apps (Cloud App Security). Microsoft has the highest form of integration, so these solutions integrate in a straightforward manner. Once Microsoft Defender for Cloud Apps is unlocked, you can connect to third-party applications as well.

These solutions work natively together to deliver coordinated detection and response. The threat protection that these Microsoft security products provide is comprehensive and very effective.

We use Microsoft Defender for Cloud and make use of its bi-directional sync capabilities. It gives us access to reports and makes reporting much easier as well.

Microsoft Sentinel enables us to ingest data from our entire system. Data ingestion is very important to our security operations because it makes it easy for us to know if there are any vulnerabilities or threats. It flags it, and we can analyze it and also create a query, which brings to light threats. We can then mitigate the threat or attack breach on the device.

Sentinel enables us to investigate threats and respond holistically from one place. It makes life easier for us and helps us not to be caught unaware. There are many forms of alerts that notify you immediately of any threats. You can set up automations, which might even fix the issue or mitigate the issue immediately without the need for intervention. That is, you can create a rule to automatically fix a particular problem.

Sentinel captures a lot of logs, and you'll be able to create action plans through the application to directly handle particular threats. The integration has been done already, so automatically it will send a signal to the environment or to the solution you have integrated with to carry out a particular action.

The cost of Sentinel is on the higher side compared to that of other standalone solutions.

We can automate routine tasks and write scripts to carry out difficult tasks, which makes things easier for us.

This solution has helped us to save 60% to 70% of our time.

Microsoft 365 Defender provides one XDR dashboard, so we don't have to look at multiple dashboards. In the Import Center, all you need to do is to select the solutions that you want, and it will give you multiple options on different categories and different data. It's amazing and straightforward, and you won't need to open other tabs.

We have been able to prepare for potential threats before they hit and take corrective steps. We can immediately identify users or systems that have viruses or malware. We can also find scripts that have errors underneath them. We can discover each element from the history and delete it. It covers a lot of aspects, and the integration with Sentinel helps as well.

Because there's someone actually monitoring everything, when there is a threat or any form of abnormality, all they would need to do is to create a rule or a query to create a particular section and add the action that needs to be carried out. It's easy to get to reports as well. Overall, the solution has decreased our time to detection and our time to respond by 60% to 70%.

Microsoft tends to provide too many features, which makes the solution prone to bugs.

Also, 365 Defender needs to be more flexible during deployment. When it comes to causal admittance, at times it seems slow.

We have been using this solution for about three years.

The stability is okay. Microsoft has evolved a lot, so they tend to make sure that the solution is up to date and up to par with best practices in the environment. They add new features as well.

It's very scalable.

The level of support you get depends on the knowledge of the engineer who has picked up your ticket. I'd rate technical support at seven out of ten.

The initial deployment is straightforward as long as you meet the prerequisites. 
It doesn't really take a lot of time to deploy. All you need to do is to set up the policy, then assign the license to the users. Microsoft handles the maintenance of the solution.

Defender Plan 1 is tenant-wise, and Defender Plan 2 is per-user, which makes it more expensive. To have certain features, you would need to purchase the E5 license. For all of the capabilities that the tool provides, the price, though it can be high, is fair. 

I don't think having a single vendor's security suite is the best because once the threat actors are in through the surface, it's easy for them to penetrate. This is because they'll know all the cracks in that particular product. However, if you have another vendor protecting you as well with a different signature database that is separate, then the attackers have multiple walls that need to be cracked.

An average-sized organization can go for the Business Premium plan. Larger organizations can go with E5, which comes with the full functionalities of Microsoft 365 Defender. Overall, I'd give this solution a seven out of ten.

We are a managed security service provider, and we use Microsoft 365 Defender to provide EDR and endpoint, and email protection to our customers.

Microsoft 365 Defender has great threat analytics integration. It has visibility into threat incidents that occur across different organizations, and this is directly integrated into the tool. Rather than checking for indicators that are available online, we can directly look at which endpoint or user has been impacted in the organization, and this makes our job easier.

Another valuable feature is vulnerability management. The inbuilt vulnerability management service automatically scans devices for vulnerabilities and separates them as critical and non-critical. We don't need to have a separate vulnerability assessment device.

In terms of prioritizing threats, we have come across vulnerabilities and threats that are present in our customers' environments and have been able to discover the devices that are vulnerable to particular attacks. We have then been able to immediately inform our customers and help them update to the latest version of the particular software that was vulnerable. There are automatic response actions in the tool so that a threat can be remediated within the tool itself.

I also like the lab devices that are available within the tool itself with which we can do all the tests. We can simulate some threat activities in these lab devices that are provided by Microsoft and don't need to prepare a separate device to validate it or to simulate a threat tag duty.

The threat intel integration provides great visibility into threats. Microsoft has a huge team that handles threat intel research, and their findings are integrated with their tools like Defender or Sentinel. The features within the tool itself work very well. There's an automatic threat handling module available in the tool, and there are lots of threat handling queries specific to different attack campaigns. We can run those queries to know if any IOCs related to those are present in the devices. Also, there are several inbuilt analytics rules available.

We have integrated Microsoft Sentinel and Office 365, and Defender and Sentinel as well. Some, like Office 365, are natively integrated, and there are connectors available for those that are not. It is easy to integrate the solutions. For example, to integrate Defender and Sentinel we just deployed a connector. There was a short latency period, but other than that, it was seamless.

The automatic investigation and remediation (AIR) feature helps to automatically investigate and terminate many of the malicious files. Without this feature, we would have the difficult task of going to each and every endpoint to delete a particular file or prevent execution.

Microsoft 365 Defender has eliminated the need to look at multiple dashboards and has given us one XDR dashboard. We have a wider range of visibility from a single pane of glass, which also makes it easier to manage.

Regarding saving time, the key has been the fact that everything can be managed from a single pane of glass where we have visibility into all of the endpoints and users. Previously, we had to look into each device belonging to the customer before deploying a solution. Automatic remediation and vulnerability management features have saved us a lot of time. The time-savings have resulted in saving us money as well.

Offboarding latency should be reduced. Even after a device has been successfully offboarded using a particular offboarding script, it still shows up as onboarded.

Licensing is also confusing, particularly with regard to Microsoft Defender for Endpoint.

A good feature to add would be automatic patch deployment. Currently, the vulnerability management feature shows all of the vulnerabilities present in different devices that have been onboarded. It shows what manual actions can be taken or what patches can be deployed, but automatic patch deployment is not an option. It would be great if a patch can also be deployed right from the tool.

I've been using Microsoft 365 Defender for 1.5 years.

Other than a few times where we faced issues with hanging, the solution has mostly been stable.

It's a very scalable tool that can be used in a very small environment or in a very large environment. Everything can be managed from a simple dashboard and can be scaled up or down depending on the customer's environment.

We have had to rely on technical support quite a few times, and they have been very responsive. I'd rate technical support at nine out of ten.

Positive

Because it's a cloud solution, Microsoft 365 Defender is easy to deploy.

I prefer to go with a best-of-breed strategy rather than with a single vendor's security suite, but the tool would need to integrate with as many products as possible, as in an open XDR strategy. However, if you can't integrate with multiple devices by having an open XDR tool, it's best to have a single vendor's tool in order to have greater integration.

If you are looking into Microsoft 365 Defender, my advice would be to make sure that you know your licensing requirements. If you already have a Microsoft-based environment, then this solution may be a good fit as it will integrate with all other Microsoft products. Also, Microsoft is constantly improving their solutions, and it's a good time to be in the Microsoft security sphere.

Overall, I'd rate Microsoft 365 Defender at eight on a scale from one to ten.

We manage around 5,000 computers inside and outside our company. I use Defender to work on our security score by deploying security policies. We apply all the security recommendations to our computers and patch all third-party applications. We check every day for malware to alert our security teams.

Seven months ago, our security score was 50 score and it's now 84. We applied all the security policy recommendations coming from the solution and we became aware of the vulnerabilities and fixed them all, one by one.

We can also automate some tasks and that reduces daily work. And if we get an alert, and we know it is not a false positive, we automate things so that we don't get that alert again.

And if we find malware or a threat, we transfer it to level-one technical support to check and, after that, to the security team. But a lot of times, it catches malware and takes action to block it automatically.

Defender has also saved us money, about 30 or 40 percent. When we had Symantec, we suffered one attack against our company and we lost a lot of data and a lot of servers, and that was a lot of money. Since switching, Defender has been perfect, catching all malware and taking action automatically.

It has also decreased the time it takes me to check everything. I now spend only one or two hours a day monitoring things.

I like that it's fully integrated with Windows, Microsoft 365 Exchange Online, and Outlook. It is better than other antivirus solutions because it's fully integrated with all Microsoft products. It's easy to integrate them and onboard all Windows devices from SCCM. That is really amazing. Everything is clear in Defender. It's not difficult.

Also, everything for security is in one dashboard. It's great. It's not only for Defender but email and everything else. it makes things very easy. I can check everything at once.

The dashboard should be easier to use. There is also improvement needed in the reporting when it comes to exporting or scheduling reports.

I have three years of experience with Microsoft 365 Defender.

It is very stable.

It is also scalable.

On-prem, we have around 300 servers, a mix of Linux and Windows. We also have around 5,000 clients, all using Windows 10 and 11. We have a plan to migrate all on-prem servers to Azure. In the next six months we are looking to migrate 90 percent of them to the cloud. 

I like their support sometimes.

Neutral

We used Symantec for antivirus and security and we migrated all users from Symantec to Microsoft 365 Defender. It's easier to use than Symantec or McAfee and we can use it anywhere because it's a cloud solution. Also, with Symantec, we suffered an attack and it did not do anything. In addition, we already had an E5 license with security so we decided to use this license more fully.

I onboarded it to all machines using the configuration in SCCM. It was very easy. It didn't take much time.

We checked McAfee but we went with Microsoft because it has improved its product very quickly. Microsoft Defender of five years ago is not like it is now. Five years ago it was nothing, but Microsoft has improved it very quickly.

It works with Microsoft Sentinel and integrates well with that, but we do not use Sentinel in our company.

Microsoft 365 Defender is an extension of Windows Defender. Windows Defender is an AV that is integrated with Windows OS, and with this extension, you also get the EDR functionality for security purposes. Microsoft 365 Defender gets more access to the device and provides more insights and control over that. Apart from the Windows platform, it also includes other OSs, such as Linux and macOS.

We do have multiple options for deployment. We did deploy it on the cloud. We got the on-cloud license, and we onboarded our devices to the portal. The portal is deployed on the Azure cloud.

It helps us prioritize threats across the enterprise. We also have options to prioritize a specific device and monitor it. We can keep a device on high alert or on the watch out for each and every event. There are different severity levels, such as critical, high, medium, and low. We can set severities on any of the devices. Based on the set severity level, Microsoft 365 Defender can track events, and we can monitor those events from the console.

We get more insights and more information about the devices that we have. Because most of them are Windows devices, we have integrations with Intune or SCCM. It is easy to transfer all the information and see everything in one single portal. If we want to configure anything or control the devices in the whole organization, it is easy because all of them are in the same environment. It is easy to manage and control them.

There are fewer compatibility issues and errors and a better ability to track events. With third-party solutions, I used to see more issues related to compatibility and setting the ports. For each and everything, we had to either go through the support documents or through the support to get information. Most of the Microsoft documentation is publicly available. It is not that you only get that when you open a support case. That's an advantage compared to others.

It helps to automate routine tasks and the finding of high-value alerts. We have KQL or SQL queries that we can set up. We can schedule them so that it automatically queries for a specific device or all the devices and gives us a report that we can simply export.

Its threat intelligence helps to prepare us for potential threats before they hit and take proactive steps. It has helped us to recover a few devices. Because it is integrated with the OS, we get information about failed logins.

It saves time and manual labor. Previously, we used to use a deployment portal such as Filezilla or GPOs. We used to manually update the signatures, but now, it is automatic. It saved me pretty much half a day's work.

It has decreased our time to detect and our time to respond. It has saved half a day's work. The sensor constantly connects to the console. In case of an issue, we get an email immediately. We also get a notification in the console. Previously, we used to manually scan the device or query something and then get the results. Because it is automated, we don't need to manually do that. Previously, we used to manually isolate or block a device, or we used to work with different teams to get the device offline, but now, we can simply search the device name in the console and isolate a device from there, which is convenient for us.

The EDR features are valuable. By getting the EDR features, we have more control over the device. We have information about events in real-time and more protection against zero-day threats and zero-day vulnerabilities. We can monitor every event or action that a device is going through. We can get an idea if it is something malicious or if we have to take any actions.

Because Microsoft 365 Defender is integrated with the OS, we get more insight into the events or threat activities. With a third-party solution, we could have some limitations or compatibility issues with the OS, whereas with Microsoft 365 Defender, there are no compatibility issues for Windows, and we get more insights and more information on the threats simply by logging into the console.

The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there. 

It has been almost three months.

I would rate it a seven out of ten in terms of stability. It is quite stable but it can be improved for a few scenarios. It is still new for macOS and Linux, and for these OSs, I would rate it a six out of ten in terms of stability.

It is scalable. We are using it pretty extensively. It is for multiple departments, and there are multiple teams handling it. In the tenant I have, there are 2,000 devices that are currently onboarded. We also get information about which devices are not onboarded. I can see that a few hundred devices are not onboarded. We also have a few other clients or partners who are using it but on a small scale. 

It is good. We do get constant responses and inputs from them whenever we raise a case. They are quite helpful. I would rate them an eight out of ten.

Positive

I started working with this solution because I changed my organization. That was the major reason. 

Being able to get the information simply from a single portal and the integration with other portals have been some of the benefits. Previously, we used to get data manually, and then we used a SIEM or event collector to send that data to other portals. Now, we can integrate with other Microsoft portals, such as Intune, and get the same information there as well. That's one convenience I have found.

I am not involved with tenant deployment. I am involved with the onboarding of the devices. If you have the right knowledge, it is completely fine. They do have an admin console. You can deploy multiple tenants and also control through that console, but I don't have access to that. I only have access to my own tenant. I only have control over that. We can also include a tenant for a specific organization from the admin console. That admin console is deployed on Azure.

Most of the maintenance is automatic. Because we allow Windows updates, most of the Defender updates are also included in Windows updates. We don't have to specifically go and check. If we see any alert or we find any suspicious events or something on the console while we are investigating, then it might need manual checks. We do get some recommendations through the console itself for what we can do to improve the device security score. So, it requires some maintenance, but that's only when we detect something or we are investigating something. For maintenance, we have different teams in each section. We have around 15 to 20 people.

I don't have the metrics, but we started to see its benefits within a couple of weeks from the time of deployment.

Its licensing and pricing are handled by someone else. My role is limited to incidents or issues with the portal, but you get what you pay for. It is worth the cost.

We did compare it with VMware Carbon Black and McAfee. We did check Symantec as well, but Symantec didn't have EDR capabilities. So, we dropped it. The final call was Microsoft because we found the integrations and other things easy. It saves time for us because we don't need to go through another team or get a separate team involved just for data transfers.

I would definitely recommend this solution. Getting the product is easy. You simply get the license, but after getting the product, you need to go through the deployment and configuration of the product to match your environment. You can just try out the product and experiment in your own way and learn each and every feature. The documentation is completely public. 

I would rate it an eight out of ten because there are a few areas where it can be improved.

We are a Microsoft partner and we have clients who are Microsoft 365 administrators in several companies. They are looking for ways to secure their tenants and make sure that their security is top-notch. That's where Microsoft Defender comes in. We use Microsoft 365 Defender for security and compliance to secure tenants from malicious attacks, including spam and phishing attacks. And when it comes to compliance, it is used for data privacy and data protection to ensure that very sensitive data doesn't go out to the wrong location.

It makes security and protection very seamless.

And Defender saves me time. For instance, if I get notified that a user isn't receiving emails from a particular person, I know that the first thing I have to do is a message trace. It saves me time to an extent because I have a go-to location. With message trace, I'm able to trace emails from, for example, abc@givendomain.com over the past two days. It gives me information about what actually happened in the mail flow. I'd rate the time it saves me as a seven out of 10. 

It has also saved us money, on the order of 50 percent. And our time to respond has improved to the level of a six out of 10.

The features of the solution are vast and wide.

The most valuable feature is the content search feature in the compliance portal. It is very useful because it covers both audit log search and content search. The audit log search is very useful because, most of the time, you see several changes within the admin portal and it's hard to keep track of what happened. Our customers want to get to the root cause and see the activity that must have triggered those changes. That's where the audit log search comes in. They've enhanced the feature in such a way that it has a vast range of search options so that an analyst can carry out a full search.

The content search feature has also advanced to a point where you can carry out several searches with your keywords. You can point it to a certain location, such as Exchange Online or SharePoint Online, or Teams Online. You can narrow the search down to a particular individual or group of individuals. When administrators report that they have lost content or accidentally deleted a mailbox or the mailbox content, the content search feature is a good way to recover the content.

Another top feature is threat management. It helps prioritize threats across the enterprise.

In addition, you can navigate to the security compliance portal and set restrictions to block IP addresses from different locations. You can also choose to flag domains that are sending malicious attacks and block them and update the anti-spam policy to make it more strict to prevent attacks from happening in the future.

Many people don't realize that Microsoft Azure, Exchange Online, and the security and compliance portal all sync together. For instance, within the Azure portal, you can set security restrictions and policies to help secure your tenants, but most administrations do not know about that, including things like multi-factor authentication, conditional access policies, and privileged access.

We've had reports from clients about compromised accounts because someone got access to a password that they shouldn't have. Multi-factor authentication helps eliminate this. As for conditional access policies, you can set certain policy restrictions to certain locations or IP addresses so that emails or sign-ins only come from particular locations. That helps secure your environment against malicious sign-ons to your accounts.

The good part of it is that these products have already been integrated. When you sign on as an admin you have global admin rights and that gives you access to all these features. You will see Exchange Online, security and compliance, and Microsoft Azure. All you need to do is click and it takes you to the portals.

Overall, the comprehensiveness of the threat protection is at 95 percent. It's not 100 percent because of updates not being done on the Knowledge Base and technical know-how.

The alert feature allows you to set the severity of alerts. If there is a malicious or suspicious sign-on, an alert triggers immediately letting you know, as an administrator, to check what's going on in that account. For example, there was a time when one of our users' accounts was about to be compromised. We got an email notification which was sent to all administrators on the tenant. I was able to block that activity in real-time and then set the system to trigger more alerts for such sign-ons in the future. I also blocked the IP address. That particular feature has helped. The alert arrived in real time to prevent the account from being compromised.

When changes are done within either the admin or security and compliance portals, there should be a real-time update to administrators about the changes. Many times I'm supporting a case where someone says, "I used to do this like this, but I'm unable to do it that way anymore. What happened?" And I will have to say, "Oh, sorry. That doesn't work like that anymore. It's now done this way." So there should be a way to notify people about changes like that, and prompt information when changes are done within a portal.

I would also like to see regular updates about new features in the Knowledge Base. There are cases where I'm using a Knowledge Base article to try to educate a customer, but when I check the feature on the admin portal, and in the article, they don't look alike. For instance, it's saying, "Go to settings. From settings, go to options." Meanwhile, on the portal itself, I'm seeing "Settings, go to more settings, then go to options." It would help a whole lot if feature updates were updated in real-time in the documentation.

Also, the message trace feature for investigating mail flow issues should add more detailed information to the summary report. The summary report is what the administrators are able to understand. The extended reports are a very deep dive and the administrators will only understand them if they reach out to support engineers. But if they could extend the summary report a little bit, and make it more descriptive, ordinary administrators could understand what happened and that the emails failed at this or that point. That way they would know the location to go to try to correct it and prevent it from occurring again. Making that summary report more extensive and detailed would be of great help.

I have been using Microsoft 365 Defender for a little over three years.

Overall, it is stable. 

There are a few bugs but they generally don't impact the reliability. The bugs are not the kind that impact the work done by an organization. Processes can continue while they fix the bugs.

It is scalable.

It is used across multiple departments with anywhere between one and 200 endpoints.

Their response time is okay, it works fine, but the time it takes to resolve escalated cases needs improvement. An escalated case is when there is a bug. You could literally have reported a bug and it's still not resolved the following week. Bug fixes take a long time, especially when a very essential feature is not working as expected.

Neutral

It took me three to five months to understand it because it has a vast number of features. If you do not understand it, one click could mess up a whole lot of things.

Microsoft should provide lower-level licensing options. They should do it in such a way that even an individual could purchase a license, and it should be entirely flexible. An individual should be able to access the solution at a very affordable rate.

Most administrators, in my experience so far, are reaching out to third parties for email filtering and to manage threats in their organization. According to them, Microsoft 365 Defender isn't giving them the information they need. And I realize that this is not correct. What they're missing out on is the proper information or technical know-how to utilize the features.

For example, if someone uses Barracuda as their third-party filtering service, I begin to ask questions such as, "Okay, why did you choose to use the Barracuda service when we have the ability to create good anti-spam policies that could help secure your tenant? You can create anti-phishing policies and rules that will help restrict IP addresses." Often, what they say is that Barracuda is better because it gives them more information and real-time data. At that point, I ask them to let me provide a deep dive into the features of Microsoft 365 Defender. I use the documentation and Knowledge Base articles to explain its features, one after the other, and they begin to say, "Oh wow." They didn't know these features actually exist. They'll begin to look at the possibility of utilizing the Microsoft solution since they have paid for it. Why should they pay additional money to a third party to get services that Microsoft provides? They feel very happy about the information I provide.

So far so good. The Microsoft 365 product hasn't given me a reason to want to check for other products and move to something else.

For the best and most seamless user experience, it's best to go with a single vendor because there could be a lot of complications going with a best-of-breed strategy. It's easier to understand things with a single vendor.

When you don't understand a feature, ask questions and reach out for support. There are some features that are being used wrongly or that are underutilized.

Also, test the product beforehand. They provide trials so you can test the solution and see if it meets your expectations.

Microsoft 365 Defender is one of the first layers to our security. It's our first layer security product, e.g. we use it, then we also use Exchange Online Protection for email, Safelink, etc.

We always recommend these products to our customers, e.g. if the customer is using another third-party product. We are always recommending these compliance and security products, e.g. Microsoft 365 Defender, Cloud App Security, etc.

We usually recommend cloud security because it connects all of these security and compliance products in one center to take logs and make them meaningful, plus you can also create alerts. We are also recommending it because of Microsoft Teams usage, especially because in Microsoft Teams, users sometimes do mass deletion, mass download, etc. We always say: "Let's connect your Cloud App security with your Azure Information Protection, with Microsoft 365 Defender and your Microsoft Teams, your Engula, etc. We find cloud security to be very useful.

What I found most valuable in Microsoft 365 Defender is that it's able to scan emails and protect users from dangerous links or attachments. This is important in a first layer or base layer security product such as Microsoft 365 Defender. You can even combine Microsoft Defender for Endpoint with this solution to get the most benefits.

I also find Microsoft 365 Defender user-friendly, so that's another valuable feature of this solution.

What could be improved in Microsoft 365 Defender is its licensing. It needs to be more consolidated, because there are so many plans for Microsoft 365 Defender, and every other year, there will be new licensing options, e.g. plan one, plan two, etc., that become more and more different from each other. The most valuable product would be the most expensive product, and customers usually say: "We really need the last version, but that's really expensive for us, because we are in Turkey and the currency is very, very high now." Three years ago, this wasn't a problem, because $1 was three or four Turkish liras, but now it's 15.

In the licensing options, it would also be better if there can be some optimizations, similar to what Power BI Pro offers. There are two options in Power BI: user-based and capacity-based. It would be good if there can be another option for one consolidated product for the whole company with a higher price, but you cannot depend on user count.

What I'd like to see in the next release of Microsoft 365 Defender is for them to provide more details in the alerts and notifications they send out.

We've been a partner for Microsoft for 10 years.

I found that the stability of Microsoft 365 Defender is good.

Scalability is good in Microsoft 365 Defender.

What we have is Premier Support from Microsoft, e.g. we are a CSP partner, so we were required to buy Premier Support and Cloud Consulting from Microsoft. We are really happy with the support we've been receiving for Microsoft 365 Defender, but on the customer side, they don't have Premier Support, and sometimes, depending on the case, they're not very satisfied with the support. 

Our satisfaction is five out of five, but our customers would only have three or four out of five, in terms of their satisfaction with Microsoft 365 Defender support.

The initial setup for Microsoft 365 Defender is really easy. It's not very complicated. I didn't see any other difficulties with setting it up, but customers sometimes think it's not very easy. They purchase consulting services from us, so it doesn't bother us, but sometimes the customer says: "I don't know how to start, but I use Microsoft Security." Microsoft is very late in the security niche, so customers sometimes say: "We have Symantec", or they would mention that they have other products from other vendors, and these vendors are very reliable for many, many years.

In the last three or four years, though, customers start to depend on Microsoft Security products, but they are not early adopters, because they usually tell us: "When we buy the product, some policies cannot be used, but after sometime we can use it." It's not really a problem, but I wanted to relay some of the feedback we get from our customers.

The most valuable licensing option is expensive, so pricing could be improved. Licensing options for this solution also need to be consolidated, because they frequently change.

We've been dealing with the latest version of Microsoft 365 Defender.

For an average project, deployment of Microsoft 365 Defender can take a week, but we do need some change management models, because we still need to train the users about safe links and attachments, so we sometimes have to expand the average time, but implementation is not very hard. If we only do the implementation, one week is more than enough.

We rely on just one to two persons, particularly engineers, for the deployment and maintenance of Microsoft 365 Defender.

My recommendation to others looking into implementing Microsoft 365 Defender is that reading the documentation is really good. If you are a Microsoft partner, you'll also have benefits, e.g. CDS tenants and demo tenants that are free to you for one year, so you can test the products first, before you implement. If you are a partner, my advice is to use your Microsoft partner benefits.

I'm giving Microsoft 365 Defender a rating of eight out of ten.

We use the solution for endpoints. 

What I like most about the product is its all-in-one solution. With Microsoft Defender XDR, we get coverage for various aspects like endpoint security, cloud security, and image-related cases, all within a single platform. This eliminates the need for multiple products or technical controls to address incidents. The main benefit became evident immediately after deployment, especially in its ability to analyze files and phishing emails quickly. By submitting suspicious files or emails, we receive quick results on whether they are legitimate, suspicious, or malicious, saving time. 

The solution could enhance the threat Intelligence feature by making it more relevant to specific industries. Much of the threat intelligence information isn't directly applicable to our environment. It would be beneficial if the threat intelligence were tailored to the industry, such as healthcare or fintech, where the solution is being used.

Additionally, the MDCA feature could be improved to provide more accurate data on how much data is uploaded or downloaded from the cloud. This might involve better implementation from our infrastructure team, but clearer and more precise reporting on cloud data activities would be valuable.

I have been using the product for eight to ten months. 

The solution works smoothly. 

The tool's scalability is good. 

If we open a case on the Microsoft portal, a support person from Microsoft helps resolve the queries. From our side, it usually involves two or three people. The Microsoft support person sometimes brings in another expert to resolve technical queries.

We've submitted our queries, and a tech support engineer comes through on a chat, a Zoom call, or another type of call. We discuss the queries with them, and they usually resolve the issues in one or two sessions.

Sometimes, if one engineer can't resolve the query, they will bring in another engineer, which can take an additional one or two days. 

Neutral

We chose Microsoft Defender XDR because it provides a one-stop solution. Everything related to endpoint security, email security, or cloud applications is integrated and visible in a single window. If we were to use other solutions, we would need to implement three different products to achieve the same level of integration and functionality.

We had some issues while deploying the tool's on-prem version. Support helped us resolve them. The cloud version is easy to deploy, while the on-prem version takes one month and doesn't require any maintenance.  

I rate the overall product an eight out of ten. If a new customer is going to buy Microsoft Defender XDR, they should clearly state their needs in front of the Microsoft team. They need to specify what they want and what features they require. It's good for the Microsoft team and the customer to understand all the requirements before deployment clearly. This way, any potential issues can be addressed beforehand, making the deployment smoother.

We typically use Defender's default settings and are implementing MITRE ATT&CK use cases on Microsoft Defender this year. We do manual threat hunting and check to see if there is a trending attack. We have the latest IOCs and sweep across the organization looking for them. 

When implementing Defender, we usually use its advanced hunting features to determine particular techniques used across the whole environment. We use multiple Microsoft security products, including Defender for Endpoint, Defender for Cloud Apps, Sentinel, email and collaboration, data loss prevention, and Microsoft Purview.

Defender XDR enables us to prioritize threats according to the algorithm or our custom rules. We can prioritize threats and have the option to automate the response. For instance, let's say we are facing a sticky key hijack. When you press shift several times at the login screen, you can open the command prompt of that particular host. That is a vulnerability of Microsoft Windows. When this happens, we can automate a priority alert and also isolate that endpoint from the network immediately. 

The solution reduces our remediation time by enabling our security analyst to respond quickly, make some automations, and edit the rules to detect any potential threats. The extent to which the solution reduces the remediation time depends on the analyst's skill. If the security analyst is good, Defender XDR will help them.

XDR saves money if you are using Microsoft products. XDR is more inclined toward Active Directory, a Microsoft product. No other XDR can integrate with Active Directory so seamlessly and use it to its fullest potential. Microsoft also offers multiple sub-products. If we purchased third-party solutions for email, endpoint, XDR, cloud applications, etc., and managed them on a single platform, it would be more expensive than Microsoft solutions. When we do a cost-benefit analysis, Microsoft Defender XDR offers a better value. 

I like Defender XDR's automation capabilities. XDR isn't automated by default, but you can automate it to respond. If an attack is performed anywhere within the organization, you can isolate that instance from the network. This is what I can figure out for it. When integrated with Sentinel, you can set up playbooks to automate all the alerts gathered on Sentinel from different Microsoft solutions. Sentinel has a wider range of capabilities than XDR. 

Defender XDR has good threat visibility, but it could be better in some areas, like when we are hunting for a specific host. For example, let's say we are investigating email services, and want to trace an email account to its host PCs and investigate the emails in its inbox. We want more visibility into the email side of investigations. It would be better if these features could be more integrated into the console like you could have a tab for Cloud Apps to see the cloud applications a user had communicated with. 

Microsoft's threat analytics are somewhat helpful for anything related to Microsoft products. For instance, it can update us about any single sign-on vulnerabilities or something along those lines. However, Microsoft was very late in terms of the recent LockBit attacks. LockBit compromised some significant organizations, and Microsoft didn't provide the report fast enough. It was reported on my normal cybersecurity information websites first. The site analytics are a bit weak when it comes to non-Microsoft clouds.

Defender XDR is capable of providing intelligence reports about threats specific to Microsoft components, but if we are implementing a Microsoft solution across an organization, many other products and side factors must be considered. I feel like Microsoft falls behind some other vendors in threat intelligence.

When we do investigations, it would be better if Microsoft could populate the host dashboard more. When we open any host for investigation, we want the entire timeline of what is happening on the host, including all the users logging in, their hardware, Windows version, etc. 

I have used Defender XDR for nearly 2 years. 

We haven't faced issues with stability. XDR doesn't lag during investigations. We've seen a few minor bugs in the XDR console but not often. There have been no major issues that disrupted our operation. 

Defender XDR has good scalability. If you want more endpoint visibility, you don't need to scale your organization much. You only need to integrate that particular endpoint by running a script and deploying an agent to it. 

I haven't contacted Microsoft support about XDR, but my client has. One of the alerts was triggering incorrectly based on a default setting. We asked their team to investigate why the solution was excessively triggering. I just disabled the default rules and made custom policies. Now, everything is working fine.

I previously used CrowdStrike EDR. It's hard to compare the two products because CrowdStrike EDR was focused on endpoint detection, so it cannot investigate emails or have any other XDR capabilities. One is an XDR and the other an EDR. 

We compared Microsoft Defender XDR to Trend Micro's Vision One. Defender's advantage over Vision One is ease of use. Managing and enabling policies is much easier on Microsoft Defender. There's a considerable difference between their default rules. In some cases, alerts will trigger in Defender, but not Vision One. Overall, Microsoft Defender XDR is preferable over Vision One.

I rate Microsoft Defender XDR 7 out of 10. It's a useful product for a professional security analyst who knows how to increase the visibility. You only need to make some front-end changes and put the data on host names into XDR. 

If someone asked me whether a best-of-breed or single-vendor approach is better, I would support mixing different products. Each security vendor has its own intelligence base. By including other vendors, I am gaining visibility into more indicators of compromise. Nevertheless, I would still pick Microsoft Defender XDR and Sentinel together because they are well integrated. All the big companies and banks use Microsoft. Windows is a popular operating system across the world. Defender and Sentinel are better integrated with Microsoft systems.