Microsoft Defender XDR Reviews

The primary use case involves using Microsoft Defender XDR as a comprehensive security solution. This includes securing endpoints, user devices, SQL databases, containers, and third-party cloud solutions such as AWS and Google Cloud.

Microsoft Defender XDR is a complete package of different Defender solutions, including Defender for Endpoint, Defender for Office 365, Defender for Cloud, and Sentinel SIEM, among others. With Microsoft threat intelligence information, it detects various types of threats, including insider attacks, malicious content, and data exfiltration.

There is no comprehensive visibility, making it less user-friendly. The visibility of different types of threats should be improved. This aspect is not as developed compared to third-party vendors. Improvements are needed in automated response capabilities.

I have been working with Defender XDR for around two years now.

I would rate the stability of the solution as seven out of ten due to compatibility issues across different devices.

The scalability would also be rated as seven out of ten. It is suitable for enterprise-level deployment but has room for improvement.

For technical support, I would definitely give a rating of nine out of ten.

Positive

The setup process is simple; enabling features just requires the right licenses and is essentially an on-off switch on the portal.

I would rate the pricing as eight out of ten, indicating it is a reasonable cost for the product.

Overall, I would give Defender XDR an eight out of ten. While it is a good enterprise solution, there is room for improvement in different areas.

I work for a managed security service provider, where a dedicated team at our Security Operations Center manages the entire 365 Security Stack for our clients. This means we're constantly monitoring alerts, prioritizing incidents, and responding actively, leveraging automation features where possible. We also play a crucial role in the onboarding process, setting up and integrating security solutions with our platforms for efficient alert management and incident response. Furthermore, we handle policy configuration and hardening, ensuring effective security controls are in place. We actively maintain these policies, fine-tune them as needed, and adapt them to new features and updates, collaborating closely with clients throughout the process. In essence, we own and manage the security platform for our clients, providing them with comprehensive protection and peace of mind.

Microsoft Defender XDR is working towards a unified identity and access management system. While currently, separate role-based access controls exist for different Defender XDR components, a major challenge is that some solutions remain tenant or subscription-based. However, Microsoft has a migration plan in place to address this. We can currently utilize both centralized and individual RBAC models, though it's important to note that the centralized approach is still under development and may not be as user-friendly as the individual models. Nonetheless, the centralized model offers fine-grained control over access permissions, which can be beneficial for organizations with specific requirements or concerns. For instance, we can grant or deny specific analysts the ability to automate remediation or isolation events or to modify security settings. While the level of detail can be overwhelming for those unfamiliar with granular access control lists, it ultimately provides powerful capabilities for managing access to Defender XDR. Overall, Microsoft is actively working to centralize all IAM under a single portal, demonstrating a commitment to improving user experience and access control.

Microsoft Defender offers two main identity protection solutions. Defender for Identity: This is their on-premise Active Directory security solution. It's essential for organizations with on-premise identities and helps analyze specific events within our local Active Directory. Microsoft has been investing heavily in this product, and it has improved significantly in the past year. The second is Microsoft Entra Identity, formerly Azure Active Directory Identity Protection: This is a cloud-based service ideal for organizations with cloud identities in the Office 365 ecosystem. It's almost a mandatory service if we want strong security controls for our open and centrally accessible platform. It excels with risk-based security settings, conditional access policies, and risk-based situations based on device type, compliance, location, and more. It's one of the best solutions within Microsoft 365 SAC due to its ease of implementation, rapid risk reduction, and extensive security features.

Microsoft Defender for Cloud's security reach extends beyond just Microsoft technologies. It analyzes data from various cloud platforms, including AWS and GCP, not just Microsoft Azure. This data feeds into the centralized 365 XDR dashboard, bringing together telemetry, alerts, and advanced features like AI, machine learning, and KQL query support for hunting threats. Defender for Cloud acts as a gateway to this broader security, integrating with individual solutions like app protection for Zoom, Dropbox, and ShareFile. These protected applications generate alerts and data that also flow into the 365 XDR dashboard, providing a unified view of our security posture.

The effectiveness of detecting lateral movement depends on the specific solutions in place and their proper configuration. I have a background in penetration testing, so I've witnessed this firsthand in various environments. Microsoft Defender for Endpoint, an EDR solution, offers a strong chance of preventing initial access, suspicious commands, and remote code execution. This, in turn, helps hinder lateral movement at its earliest stages. It also detects suspicious activity originating from external sources and even alerts on potentially compromised devices that aren't yet onboarded. Microsoft Defender has made significant advancements, providing both active monitoring and passive detection capabilities. For lateral movement specifically involving domain accounts, Defender for Identity, an Active Directory monitoring solution, is adept at detecting similar attacks. These include extracting golden tickets, keys, DCSync attacks, and more. Notably, recent advancements in October introduced artificial intelligence and machine learning capabilities to detect hands-on keyboard threat attacks. This feature is remarkably effective. In my most recent engagement, I successfully identified a known attacker who had compromised a high-profile account and promptly contained that user account. Containment restricts the account's ability to connect to external services. For instance, if the attacker logs in as that user, they're unable to access file shares, Outlook, or other services. This level of protection is challenging to achieve in today's complex organizational environments, as general detection methods often fall short. Behavioral analysis is crucial, and Microsoft has invested heavily in developing these capabilities within its solutions.

Defender's core strength against attacks lies in its ability to adapt to ever-changing threats. Specifically for endpoints, Defender Endpoint serves as the main defense line. It analyzes a wealth of data, beginning with endpoint detection and response through the Defender for Endpoint solution. This solution identifies suspicious activity, generates alerts, and analyzes them. Certain criteria, undisclosed by Microsoft, trigger incident creation when the likelihood of a real threat is high. Properly configured, these incidents automatically trigger investigations, replicating manual SOC analyst work. Investigation packages are collected, analyzing network connections, files, processes, and real-time entities for suspicious activity. Processes can be automatically executed or terminated, quarantined, and files isolated. Continuous monitoring persists until the investigation concludes and is marked as resolved. Additionally, Microsoft Defender continuously searches for and investigates potentially impacted devices related to the original incident, adapting its response as the situation evolves.

Many organizations are replacing their EDR solutions with Microsoft Defender, or upgrading from paid antivirus solutions. While I won't mention specific vendors, consider a common antivirus platform costing two to ten dollars per month for basic protection. We recommend leveraging the free Windows Defender Antivirus included with supported operating systems and adding an EDR solution. Defender Endpoint works seamlessly with native Windows Defender Antivirus, being embedded in the Windows TCP/IP stack, making it an excellent pairing. However, in most cases, both are still desirable. Generally, Defender for Endpoint catches 90 percent of threats, while antivirus covers specific signatures. Defender has made significant strides in endpoint security, so there's no need to underestimate its capabilities. The built-in Defender Antivirus offers many valuable features, and Defender for EDR further enhances them. Although numerous EDR players exist, and individual assessments are crucial, I find Defender for Endpoint very intuitive with excellent incident management. It also boasts a significantly shorter learning curve compared to other EDR solutions I've used.

I'm not utilizing Microsoft Defender XDR in the traditional sense for my organization. Primarily, it's our clients who are using it. It's a bit of a mixed bag. Some clients choose to use the solution even though it might be more expensive, but they gain enhanced protection for their investment. Others can reduce costs because they were previously overpaying for separate EDR solutions, antivirus platforms, and cloud monitoring tools without enjoying their full benefits. For these clients, leveraging the included features within their licensed package proves advantageous. It's fantastic that organizations with the E5 or E5 Security add-ons have access to these powerful features, often without even realizing it. We help bring them to light and enable clients to get them up and running effectively. So, in that sense, they're gaining significant protection and technically saving money.

The centralized dashboard is a huge time saver for several reasons. Previously, each security solution had its dashboard, making it tedious and time-consuming to jump between them and remember all the different URLs. Onboarding new team members was also a hassle, requiring me to curate a list of all the necessary URLs. Combining everything into a single unified dashboard eliminates these issues. Consolidating alerts into distinct categories (alerts and incidents) is another significant advantage. Simply dumping all alerts into one view is ineffective, as many organizations have discovered. Categorization saves valuable time by making it easier to identify and prioritize critical issues. Furthermore, the automated investigation capabilities of XDR in Defender for Endpoint offer significant time savings from an operational perspective. Features like user containment, device auto-quarantine, and native incident investigation workflows streamline the process of reviewing, analyzing, and responding to alerts. Additionally, the ability to collect investigation packages further expedites the incident response process. 

From the perspective of Microsoft 365 XDR, the main benefit is a single, centralized dashboard offering the holistic visibility organizations crave. This is particularly valuable when dealing with multiple vendors, as fragmentation can make achieving this visibility difficult. Microsoft 365 Defender shines when deployed within organizations heavily invested in the Microsoft ecosystem. For those heavily reliant on Defender products like Defender for Endpoint, Defender for Office, and now even Microsoft Sentinel, 365 Defender provides that coveted single-pane-of-glass view, eliminating the need to jump between different dashboards. This centralized view is the key attraction of 365 XDR for organizations already heavily invested in Microsoft tools.

Overall, the unified dashboard is a great step forward. However, for new users unfamiliar with Microsoft and these products, it can be overwhelming. The abundance of sub-dashboards and sub-areas within the main dashboard can be confusing, even if it all technically makes sense. While it's great for our technical teams and C-Suite to have access to a centralized risk dashboard, it needs to be simplified for less tech-savvy users. The numerous dashboards and interfaces, despite being unified, can be daunting for new users. Ideally, Microsoft could streamline the interface and consolidate information to improve accessibility. When incidents occur, the action center for response actions can be unclear, especially for users unfamiliar with the platform. It can be difficult to find out where, when, and how remediation actions took place. A more intuitive and transparent action center would be helpful.

I've been using Microsoft Defender XDR for four years now. Microsoft has consistently changed the naming, initially using individual dashboards before centralizing everything.

Microsoft Defender is stable. In the time I have been using 365 Defender, we have had only one major case.

Microsoft Defender scales well, especially when considering the specific solutions we choose. Bringing everything into Unified View makes managing this scalability much easier. We've deployed the 365 Defender suite across clients of all sizes, and it consistently demonstrates strong scalability, thanks in part to its low maintenance requirements. This minimal management overhead also contributes to overall scalability.

The technical support quality depends on our support package. If we have standard support, it isn't always the best, but if we have premier support and we pay for that support, it is a lot better. So, again, it goes into the support package, and who we get on the end, I can say they will assign someone pretty quickly and just depends on when they get back to us, kinda how complex our situation is. I don't have as much issue with Microsoft support, but we have premier support.

Neutral

Microsoft could improve the onboarding process for Defender for Endpoint. While the current approach involves deploying a package, I'd prefer more control from the cloud. Ideally, onboarding and offboarding could be managed directly from the console, eliminating the need for additional policy management solutions. While there's no one-size-fits-all solution, Defender for Endpoint's onboarding isn't entirely straightforward. Implementing strong security practices remains crucial, and leveraging existing OS security features is essential. However, some crucial policy settings must be enabled through local policy group policies or Intune, rather than directly from the Defender console. This lack of centralized management, unlike say Microsoft 365 Defender, creates an inconsistency in policy application.

The deployment requires me and one IT admin.

We are the integrator, so we build and implement Microsoft Defender XDR for our clients.

Microsoft Defender XDR is included in our license.

I would rate Microsoft Defender XDR an eight out of ten. It excels in its core functionalities, although there are some areas for improvement. Overall, it's a robust security stack that stands out among its competitors.

Microsoft 365 Defender is more than just a name, it's a comprehensive suite of security solutions. However, the specific services included depend on the licensed SKU purchased by an organization. From a security perspective, having identity and email security is crucial, but ultimately the decision depends on the organization's risk tolerance and budget. Microsoft 365 XDR, a newer name introduced by Microsoft, isn't a separate product, but rather a high-level dashboard that provides an overview of our organization's deployed Microsoft security solutions.

It's difficult to directly compare 365 Defender, a software suite, to XDR, a unified platform for extended detection and response. While organizations could build their central unified view or even find other vendors offering similar solutions, integrating seamlessly with existing infrastructures would be a significant effort. This puts Microsoft in a strong position to provide a unified view, making XDR stand out in this regard. While platforms like SOAR share some similarities in terms of user integration, they don't quite match the comprehensiveness of Microsoft's XDR platform.

Microsoft Defender primarily consists of Software as a Service offering, meaning cloud-based services with minimal hardware maintenance required. Think of it like an online application we access and use, instead of something we install and maintain on our own. Updates to the Defender engine, specifically the Defender for Endpoint Engine, are seamlessly delivered through Windows updates. The other solutions within Defender also require minimal maintenance. Defender for Identity might occasionally suggest health checks to perform, sometimes generating alerts about outdated sensors or new security recommendations from Microsoft, e.g., disabling TLS 1.1. These alerts might arrive via email and often simply require updating sensors to the latest version. However, the specific maintenance needs depend on the individual solution we're using within the Microsoft 365 Defender suite. Overall, we can expect maintenance to be very minimal.

Before diving into new security solutions, take some time to understand your specific needs. Research what areas require the most protection and prioritize accordingly. If you have existing solutions that need replacing, Microsoft offers several options that can seamlessly integrate. However, if you're simply looking to bolster your security posture, there's no need to go all-in at once. Microsoft makes it easy to gradually expand your service offerings and incorporate new security packages. It's worth checking your current license queue, as you may already have access to some of these solutions under your existing Microsoft cloud subscription. Most organizations have some level of Microsoft presence, so depending on your specific SKU, you might already be eligible for these solutions. So, do your research and focus on the areas that require the most immediate attention. Remember, you don't need to jump into everything at once, as Microsoft offers a comprehensive suite of security solutions accessible through the 365 dashboard.

Microsoft Defender XDR is used as an additional layer of protection we moved to Microsoft 365. It helps protect both our cloud infrastructure and endpoints.

We conduct regular phishing tests and have seen a decline in breaches because our users pay more attention to what's coming into their inboxes. We've seen fewer incidents.

The email protection feature is the most valuable because our risks primarily lie there, and it seems to be the most popular target. 

Sometimes, digging into the information and knowing where to go can be difficult. It would be better if much of that information were immediately visible, especially when looking at endpoints or users.

I have used Microsoft Defender XDR for around four years now.

The stability has been great. I haven't noticed many issues.

Regarding scalability, we're not a very large organization, with about three hundred people worldwide, so it has worked for us so far.

I rate Microsoft customer service seven out of 10. I have been able to get the help I need, but I know other technicians have had difficulty getting support.

Neutral

Previously, we had on-prem solutions and used Cisco Firepower as our main security. The pandemic accelerated our switch to Microsoft Defender XDR in 2020, as Skype for Business was going away, leaving Teams as the only option and leading us to look more to the cloud.

Moving all our mailboxes up to the cloud was pretty seamless. There weren't many hiccups, so I thought it went well.

We worked with Softchoice to initially get the ball rolling. They had someone come in to guide us through the steps.

On my side, it's difficult to speak about the return on investment, but we've improved our security posture.

I rate Microsoft Defender XDR an eight out of 10. It functions well for our needs and has not presented many performance issues. It's easy to take action, and we have not found many pain points.

We have it deployed as part of our security stack for our endpoints.

The technicians working on the issues have a clearer idea of a higher priority issue versus a lower priority. 

I like that Defender is easy to use and the alerts are all in one central location.

Some of our older hardware experienced a slight bump in CPU and memory usage. Although I don't have empirical data to back that up, I would suggest possibly more streamlining in the software.

I have been using Defender XDR for seven months.

We haven't had any issues with it, so I don't have any problems with its stability.

From what I have seen, it's easy to roll out to new onboarded machines and servers.

Microsoft support is not very good. You get stuck in low-level support for way longer than you should, instead of them escalating the issue up the chain. This is kind of the same with all Microsoft support, not just XDR.

Positive

We had BitDefender EDR, which is a pretty similar product, but we switched because we were trying to put everything under the Microsoft umbrella. We got good pricing on it and were happy with the results of the testing we did. Defender XDR officers richer insights into Defender XDR. It's a better overall experience. 

I don't personally crunch those numbers, so I don't know. But I know that we're committed to this for the future, so I would assume that we're doing okay.

Defender XDR is priced comparably to other solutions on the market.

I would rate Defender XDR as an eight or a nine. There is always room for improvement.

We use the standard Microsoft services and solutions for our entire IT infrastructure, so we leverage most 365 Defender services, including Sentinel, Defender for Identity, Defender for Endpoint, Defender for Cloud, Defender for Cloud Apps, and Defender for O365. We use all those solutions to secure our IT infrastructure and environments.

We deliver Microsoft services to users worldwide, including SharePoint and Exchange Online. Gmail is the one minor exception where we do something slightly different. 365 Defender currently covers 5,000 endpoints and between 10,000 to 15,000 identities. There are more identities than endpoints because we don't give everyone a company laptop. 

A larger organization absorbed my company that moved to Microsoft security products a little while ago, so it was natural to do the same at my company. The biggest benefit of going with Microsoft is that it's a huge company with lots of resources to put into security.

Most devices use the Microsoft's operating system and products these days. They get a lot of data from all those users, which helps them stay ahead of the competition. They process a few billion security-related signals daily, helping them deliver a better solution to us.

Introducing 365 Defender and Sentinel was the best decision we ever made. Many organizations have most of these components in place but aren't effectively leveraging them. 

They might be using a managed services provider that forces them only to use products from their partners. Still, they have an enterprise license with Microsoft that includes Microsoft Defender for Endpoint, which is part of the 365 solution. I think it makes more sense for people to use Microsoft security solutions too.

We can automate security tasks to a degree. There are several automation options, but it depends on the definitions of analytics rules, queries, etc. Microsoft provides many of those in its out-of-the-box catalog with many additional third-party queries that you can use. You can fully automate things as soon as you have your queries defined. Getting there might be a little difficult. 

Microsoft 365 Defender saved me from looking at multiple dashboards. There are still separate dashboards for Sentinel and 365 Defender, but the same alerts and incidents are generated on both consoles. The only difference is that 365 Defender won't show you anything you've customized on Sentinel. 

There is a separate Microsoft-specific intelligence dashboard that Microsoft keeps up to date. As soon as there is a specific threat that may affect our organization, it shows up on the dashboard, and we can see the sources of the attack, the path, and all the other information you need. It's useful, but I don't think our security operations center is using it. They only rely on third-party threat intelligence resources. 

We've saved time using 365 Defender because rolling it out is easy. The hardest thing is pushing it out to all the devices you are managing. Using a third-party device management solution might be slightly more complicated, but it's straightforward within the Microsoft ecosystem. 

I'm not sure how much money we've saved overall, but they previously used McAfee EDR for antivirus, which was costly. Most of our existing solutions are Microsoft, so we were already entitled to use Microsoft Defender for Endpoint. We weren't using Microsoft security solutions because someone decided they preferred McAfee many years ago. 

The McAfee contact was around a few million, and the full Microsoft enterprise license was also a few million. Using the security solutions bundled with the Microsoft license probably cut our costs in half.

It's hard to say how much our detection and response time decreased because we didn't have a comparable solution. Instead of going to a portal for McAfee or making Splunk ingest all kinds of profiles, we could dump all the data into a more analytical tool to get all these alerts.

Having a single pane of glass for all Microsoft security services makes everything much easier. A security analyst can go to a single portal and see everything in one view. The integration of everything into one portal is a huge benefit. 

Defender provides a lot of detailed information about your environment. It may be challenging for people without much experience to get the data they need because it can also be overwhelming. At the end of the day, Defender gives you almost all the information you need for anything you want to do, and Microsoft is working to extend that further. Some areas may not be fully integrated into 365 Defender yet.

There's also a vulnerability management feature. It installs an agent on all your devices to check where you're vulnerable, so you can resolve the issue. Once you get hit by an attack, you can disrupt the attack using an advanced AI.  

We use all of the Microsoft security solutions. They do an excellent job of making it simple to integrate the security features. It's easy if you have a little experience, and there is a lot of documentation if you are entirely new. 

The various Microsoft solutions work seamlessly together, especially the Sentinel part. Attack disruption is almost fully automated.

Sentinel can ingest data from our entire ecosystem with some additional work. Technically, you could ingest anything. It would be easier if there were an out-of-the-box way to integrate it, which already exists for many components. However, several third-party products do not have out-of-the-box connectivity, so you may need to do some fairly complex work. On the other hand, it is relatively simple to ingest data from most big-name products.

Sentinel enables us to investigate and respond to threats from one place, which is essential because IT environments are increasingly complex. There are so many servers, cloud services, applications, etc. Using multiple portals to view security incidents doesn't work anymore. 

You still need to configure Sentinel to ingest data from other third-party solutions, but much of the data is readily available if you primarily use Microsoft products. There's a lot of overlap between Defender and Sentinel, but as soon as you go outside the Microsoft domain, you must start using Sentinel. 

Sentinel is comprehensive. It stacks up well against some of the other big names in the SIEM space. Microsoft plans to add even more advanced features like behavioral analytics. AI is a huge topic right now, and Microsoft is ahead of the curve compared to other solutions in the security quadrant.

It already integrates natively with the Microsoft ecosystem, but there is still room for a minor improvement in third-party integration. Another issue is that the portal is sometimes less intuitive than you would like. That's probably because they're consolidating various security products, and there are a few legacy things left over that complicate matters in some cases. 

Still, if you gave someone who works in security access for the first time, that person would be impressed and wouldn't have any specific complaints. You only start to notice a few small things once you used them for a while, but nothing is significant. 

Microsoft 365 Defender combines several Microsoft solutions, and I used the component solutions of 365 before they were consolidated into one solution. For example, I started using Defender ATP four years ago, but I've only used 365 Defender for around three years.

Overall, the stability is top-notch.

I haven't seen any limits to 365 Defender's scalability. I don't know if you would have issues once you start adding 200,000 endpoints. There might be some glitches here or there. Scalability seems to be an area where Microsoft's cloud solutions excel. 

I rate Microsoft's support a four out of ten. Support is hit or miss. Microsoft wants you to buy premium support contracts. Though they call themselves professional support, it's almost like throwing questions into a black hole. You get an answer, but it's never helpful. 

If you invest in what they call "Unified Support," it's slightly better. You get good answers quite often, but it sometimes takes a long time. They should be going to the public group to discuss technical features, and they don't do that.

In some cases, their answers make no sense. I recently caught a support person making a statement I knew was incorrect, so I had to go back to somebody in the product group at Microsoft to get them to confirm. In my opinion, it's better to invest in a support partner. These companies specialize in this. They might know a fix or shortcuts to get high-level support. Their IT department may have contacts with people in Microsoft's public group, so they can get answers faster. 

Neutral

Before my company was acquired, we used a few solutions, but they also started drifting toward Microsoft in the last year. They were also shifting from third-party solutions to Microsoft solutions. They used McAfee for endpoint protection and eventually switched to Carbon Black. 

If you asked me five years ago if I would recommend a Microsoft security solution, I probably would have said "No," but they've come a long way in a short time and made a lot of investments in that area. Seven years ago, I would also have chosen something like McAfee or Carbon Black.

365 Defender is a cloud-based solution, so you don't plan and deploy the individual components like a traditional endpoint solution. You have components installed on-prem, like the firmware for endpoints, and you run Lambda for Cloud on your servers, which may be in the cloud. We also have servers hosted in a Microsoft. Our environment combines multiple things. 

I was primarily responsible for the deployment. I found it mostly straightforward, but I also have experience and a Microsoft expert certification on many of these topics. If you've never done this before, the good news is that Microsoft documentation is excellent. It gives you all the steps that you need to take. But then it will take you a bit longer to follow the instructions. I can almost do this with my eyes closed, but it will take a lot longer for someone new to this. 

If you have some experience, you could theoretically set this up in a few days. It wouldn't be completely deployed because you may need to write several analytics rules in Sentinel, depending on your environment. The integration with Microsoft apps is one click.

I did the planning, but our IT partner did the hands-on work. The design stage took a little longer here. We discussed which features to enable and which might cause our users too many problems. That process took about two or three months. The actual deployment was finished in a few weeks. The only limiting factor was that we needed to ensure all the endpoint software was installed, which took some time. 

After the deployment, there is a little maintenance, but it's pretty automated. We need to be extra careful in some areas. Microsoft often releases new features that replace and disable existing features. Administrators may need to go into the various services and change settings. You also need to push updates to the endpoints. 

Microsoft does this automatically, but you can use a device management solution. How often do you want to do this, and how quickly? Do you want to delay specific updates to the antivirus engine for testing purposes? 

For example, Microsoft messed up about four months ago when they pushed out an update automatically to all the global endpoints. Depending on our settings, it causes certain file types to be seen as malicious and deleted from user devices. 

For example, it was deleting shortcuts. You can imagine if you came into the office on a Monday morning, and all the shortcuts have been deleted. It might make sense to test the updates to ensure they're working. You have many options to manage this, so it's flexible in that sense. It's just a matter of your organization's cybersecurity priorities. 

Microsoft customers can opt into server health notifications. You get a lot of notifications, but they may not affect your organization, and not all of them are serious. 

365 Defender can get expensive because you pay per gigabyte of data ingested. On the other hand, much of the data available in the other Microsoft security solutions are made available relatively cheaply—sometimes at cost or for free. Integrating only a limited set of third-party solutions with Sentinel would be cost-effective. It's much more affordable if companies only have Microsoft solutions. 

Data ingestion and log storage costs are relatively expensive, and you also need to consider the labor investments in fine-tuning all the analytics rules, etc. However, those costs will be similar to any product.

Microsoft licensing is highly complex, so you must carefully pick the license you need. People tend to choose the cheapest license or take a more expensive one to ensure that all possible features they need are covered. The price difference between those two options is vast. 

Some of these services are there without a license. That's problematic because the Microsoft agreements state you must license them. You might assume that you can use it. There are no restrictions in some cases, so some companies may have a problem. If Microsoft finds out, they'll get stuck with a bill because they were using something without a license. 

I rate Microsoft 365 Defender a nine out of ten. Microsoft is doing extremely well, and they plan to add a lot of new features, which is going to be exciting for many people in the security area. 

I always recommend a proof of concept, but I believe you'll be fine if most of your environment is Microsoft. These solutions also support Apple hardware, so that shouldn't be a problem either. If you're entirely using Microsoft products, I would say it's a no-brainer, especially if you are already invested in a Microsoft 365 license.

At the same time, Microsoft's licensing is extremely complicated, and there are several different licenses that go up in price quickly. You might need a licensing consultant because they know the details. You could also go in the opposite direction there. Somebody might try to sell you the most expensive Microsoft plan because they believe you need it, but you lose money if you're not using it.

Security 101 tells you, "Don't bet on a single vendor." I agree with that on a certain level because what happens if Microsoft gets compromised? But on the other hand, the native integration you get from using Microsoft security solutions is worthwhile. 

I've had this conversation with my CEO at some point. They raised the question of what would happen if Microsoft were compromised. I told them that Microsoft is one organization, but each of these product groups acts like its own startup in the sense that there is a subset of infrastructure devoted to each. If one part of Microsoft is compromised, it does not mean the whole of Microsoft is compromised. I always tell people to let go of that principle, but I understand the desire to introduce additional tooling. 

We provide MXDR services. Initially, they are professional services such as setup and deployment, and then after that, we provide Day 2 services, which include working on the incidents and alerts the products generate, determining which one is a true positive and which one is a false positive, taking response actions, and maintaining a steady state.

We are expanding use cases with Defender for IoT integration. Now that the E5 license includes the enterprise IoT sensors, we are getting more of that telemetry to our SOC. Because most SOCs do not have that telemetry, it is something that we have had a couple of clients invest in. 

In terms of our in-house usage of this solution, there is not a lot of in-house infrastructure when it comes to workstations and things like that. As a security company, we are pretty infrastructure-light.

It helps with the well-rounded investigation where it does the automated investigations and does a lot of enrichment for you, so the SOC analyst does not have to play run and go fetch as much. They can go deeper into an investigation in a shorter amount of time.

It does not necessarily provide unified identity and access management. Most of that comes from Entra ID, but it absolutely provides security visibility. For identity protection, the combination of Azure Identity Protection and Defender for Identity in the same place is the most powerful part because it is your on-prem identity world and your cloud identity world. Those two things are connected in most environments. Most of the people who have issues or most Microsoft customers have hybrid environments. That means they have two IMs and a bidirectional trust. One is the old-school one, which is Active Directory, and that lets everybody in with a username and password, whether you are good or bad, and then the newer one is the one that has conditional access, and that is Entra ID. Most corporate environments have both, so you have all of the weaknesses of both systems in one nice little package. From a defensive monitoring standpoint, we get a lot of cases, and most clients have that situation. Most clients that we see for incident response, and who are dealing with whether they are going to have our business online tomorrow, are in that hybrid situation.

In terms of covering more than just Microsoft technologies, most of 365 Defender is focused on its own technologies. There is that extensibility to be able to bring in threat indicators. The Zeek integration in Windows provides a lot of functionality, but most of the time, when we are getting that third-party signal, it is via a SIEM. That is where we go look for that third-party cross-correlation signal. The XDR signal is in that 365 Defender portal, and using things like custom detections is helpful there, so you can do SIEM-like functionality, but not on a third-party data set. This third-party correlation is the logical place for Sentinel. Some of the federated search between the two and being able to see both datasets in both places relieves that pain. The vast majority of our MDR clients are using 365 Defender and Sentinel, but there are definitely people who have E5 licensing but still have QRadar, Splunk, or something like that. Sometimes, we have somebody who starts with just 365 Defender but has a Sentinel adoption plan because they have a year left on their QRadar contract. The cool part about Sentinel is that it is software as a service, so you can start small and then add to it. You can start with what we call Sentinel Light, which is basically just the free data connectors. A lot of times what people do is that they have E5 licensing in their contract, and they start with 365 Defender. They then start with free data sources in Sentinel and incrementally add server logs or Palo Alto logs as their budget allows them.

365 Defender has enabled us to discontinue the use of other security products. There is always realization in terms of whether we still need, for example, Tenable agents with 365 Defender TVM. The answer is probably not. Normally, it is building out that process where we are going to remove Tanium because we now have Intune, so everybody has that adoption roadmap. Typically, you go for the things that create the least amount of friction when you are going through that adoption roadmap and you save the things that are going to be painful, such as DLP, for the end. It is always about dollars. When it comes to security budgets, potentially, you are replacing five to six line items on your security budget with one. I have been getting extra functionality on top of it for Teams and things like that. When you make the business case to the decision-makers and you get all of the information at the table, it is normally a pretty overwhelming case.

The savings depend on what their actual spending is and how many other security vendors they are purchasing. For most information security professionals, half of their day goes into vendor meetings and maintaining those vendor relationships. You have active relationships, contract relationships, etc. You have all these different relationships, and you have to go out to their conferences, their dinners, and things like that, so you end up dealing with vendors all day instead of actually doing the work. There are two types of costs. There is that hard cost, which is pretty easy to define, and there is also that soft cost of what if you had this common security fabric that you could take, customize, and then add to it. That is what the Microsoft security play is. Instead of bolt-on security, it is built-in security, and then you can still add to it. You can still add custom tools like Velociraptor and all the other tools that complement the Microsoft security suite, but what you do not have to do is play with vendors all day and do the bolt-on security play, which is, "Install our agent and everything will be good. There will be 99% ransomware protection." That is not how real life works.

It saves time and brings operational efficiency. As threat hunters, looking for an initial compromised assessment, going into a SIEM, and looking through a SIEM can take a lot of time. With 365 Defender, I can run four or five queries on you, and if they light up, I know you have problems. If they do not light up, you are probably alright. It is about being able to get there relatively quickly and assess the situation. Should we go ahead and send out the notice and call the general counsel, or is this just a little thing we need to run down and keep traps on? The time saved depends on where they are coming from. If it is a relatively old school company that has got an old school SIEM, and then they have a next-gen antivirus and a separate EDR solution, they could be doing 100% manual investigation, so it is saving them 300% because the chances are that they were not even investigating all their alerts. 

The ability to hunt that IM data set or the identity data set at the same time is valuable. As incident response professionals, we are very used to EDRs and having device process registry telemetry, but a lot of times, we do not have that identity data right there with us, so we have to go search for it in some other silo. Being able to cross-correlate via both datasets at the same time is something that we can only do in Defender 365. We do not get it in the other products.

From an integration standpoint, it is always improving overall. With Security Copilot coming out, as partners, we are waiting for the GDAP support so that we can actually see Security Copilot on behalf of customers if they subscribe to it. I assume that will happen in the next couple of months, but there have been smaller improvements like that. I started with the Defender ATP product back in 2019. In terms of where it started versus where it is now, it is very different. A lot of the automated defense capabilities for auto-remediation and the threat and vulnerability management features that are coming out are the most exciting because they answer that CISO question, which is, "How covered am I for ransomware?" Most of the time when people answer that question, it is a very generic answer. They can look at the top twenty methods that most ransomware groups are going to use to see how protected they are, but they are probably not going to do that well, or they are pretty secure, and they are probably going to do pretty well. It gives more of that real-world experience that most people do not have. 

We have been using this solution for about four and a half years.

From a partner standpoint, typically, we do our best not to contact support. We are very sensitive about how we spend our time. The more time we burn on something, the less profitable we are. Normally, playing kick-the-ticket-around in any support organization does not help, so most of the time, our engineers can arrive at some type of solution without engaging anybody else. If we do have a hard blocker that is well-defined and well-documented, we typically escalate that through the product team and not through the support channel because the more time we spend on the phone with support, the less we believe in our overall relationship, so we just avoid that activity, and we feel good about the relationship.

We definitely have had some major instances with large customers where something bad was happening and they needed immediate resolution, but they did not even get a callback for 48 hours. When you are in the middle of that relationship just doing the SOC servers, you wonder why you are getting 300 attack alerts in an hour. You then escalate and call everybody inside of Microsoft. You blow up the horn right on Friday because these things always happen on Fridays. It is a bad situation for everyone. The one thing that I have learned especially with MDE is that most of the time, the people who can fix your issues are in Tel Aviv. A lot of times, if I put an entire well-documented explanation together and drop it in Teams to somebody, I will get a response at 2 AM, so the next day, I will check my messages first thing, and a lot of times, it is like, "That issue is fixed now." I know where I need to go when I need to get things solved, but calling any help desk, including our own internal help desk, does not work. 

In the right context, Microsoft's support can easily be a seven or an eight out of ten adventure. In the wrong context, it can easily be a two or three adventure. It is like rolling the dice. Sometimes they come up with snake eyes, so it is all about expectations.

I also deal with Azure a lot because most of the time, I am responsible for our backend systems. We are rebuilding our entire platform in Azure. We did a greenfield build, so I am teaching a lot of Java developers on Azure. Their default answer when something does not work is that Azure is broken. I know that Azure is not broken. They are doing it wrong. I then show them, but their general thought is, "Why don't we just open a ticket with Azure support?" My response is, "Why do you want to wait three hours for them to tell you the same thing, which is, that you are doing it wrong?" A lot of it is engineers learning. If they have the appropriate exposure and investment in education, it helps with digital transformation, but it also helps with security transformation. A lot of times organizations buy things and then tell their engineers to implement them. Nobody bothered to send them into training first, so they are doing their best with the information they have. They did not send them to Microsoft Ignite. They did not send them to any of the great local resources. We have all these different meetup groups where you can see the difference in people. You get to know who is succeeding with Azure or succeeding with Microsoft Security. When you get stuck, you know whom to call and ask how to do something because you are not able to figure it out even after wasting six hours. You can ask them to at least point you in the right direction. That is a better solution than calling an 1800 number because it is going to be more focused and more prescriptive.

We support a couple of other security vendors as well, which always gives us a great comparison to how they are doing. It is the difference between holistic security and non-holistic security. You get one set of data. It could be a good set of data, but it is not mixed with the other data points. When you got an email alert here, and then you got an identity alert, and then you got an EDR alert, and then you got the domain controller alert, you can go through that entire kill chain versus those separate technologies. With separate technologies, you are going to spend an hour and a half putting that story together, and chances are they are already on ten different servers by now, so you are behind the gun. You know the story, but now, you have a bigger story because it just blossomed over there.

In terms of comparison, there are quite a few other XDR products, and all of the XDR products suffer from the same kind of challenge, which is—they are only as good as the data they have available. For instance, if you are a 365 Defender shop, but you are using Okta, a lot of that identity information is not flowing through 365 Defender. It is flowing through Okta, so it is 60% to 70% blind. Trend Micro has its XDR solution, but if you do not have all the things deployed, and you only have 30% of the things deployed, you are looking at 30% percent of the data. That is one of the key components. When we deal with an IR situation, we have a lot of people who are like, "We have E5. We deployed Defender for Identity. We deployed Defender for Endpoint to some of the endpoints, but not all of these servers yet because that is scheduled for next year." In such scenarios, we have limited visibility. We can see certain things, but those other alerts tell us some other things are going on on some endpoints that we cannot see. That is the situation that you have to solve rather quickly, so halfway-done deployments are the issue. When we see them, we know why they are calling us because it was always bound to happen. It is then that classic situation where they will have to do it all in two days on Saturday and Sunday. They will have to completely redo it and finish off that deployment because this is what they needed to do for threat eradication.

I have helped clients deploy it. I have helped a little bit with the internal deployment. We do not have that much infrastructure. Most of our infrastructure is containers, and 365 Defender does not come into play. That is mostly the Defender for Cloud Storage.

In terms of the time it normally takes for different users to get fully deployed and functional with the solution depends on the users and the infrastructure. Those are two different things. For humans, typically those enablement sessions can go in a matter of weeks, and then it is also a matter of the client investing some of their own time in their own lab and things like that because you are never going to learn a tool unless you get hands-on with it. Watching me work on it is not going to teach you that much. You have to work on it, and then because Microsoft security is a holistic security and not a bolt-on thing, you are also dealing with some tech debt at the same time. If they have had 2012 servers and they have not updated those servers in eight years and there are no security patches, you will have to resolve some of those dependencies before you can onboard those servers to Defender. It is not Defender's fault. They should have been patching those all the way anyway. That is according to the best practices, but they were not, so now you will have to wait three weeks for the server team to update these and then you onboard them to Defender. Every corporation has different change controls. If it is a small corporation with only four or five thousand endpoints, there are probably three or four guys who can pretty much do whatever they need to do. A big corporation with a hundred thousand endpoints will have to put that through change control and then four people have to sign off in blood. It is a much bigger thing and lots of paperwork has to happen.

Normally, a good accelerator project takes three to four weeks. That includes going through the basics, making a deployment plan, doing a test group, and then validating that all of those policies are going to work in the environment. One of the big advantages that changed just in the last year is the built-in configuration management. When I initially started with 365 Defender about four or five years ago, we had a problem where a lot of people would run the onboarding packages but forget to deploy the policy, so it did not work as well as it could. The difference those other platforms had was that they had built-in policy management, so you make your settings and apply them to your group of endpoints, but now, it is there in Defender. Previously, with Defender, we had nine different ways to do it, such as configuration manager, registry, and PowerShell, and clients struggled with that because none of the options were perfect for all their endpoints. With the built-in configuration management, you have that feature parity now. You can do built-in policy management for Windows, Mac, and Linux endpoints, and that speeds up deployments. As the deployment engineer, you do not have to say, "Here is the list of ten different options. Let us select which one is going to work for which group of devices." Now you can just say, "We have a good solution. It is probably going to work for about 99% percent of your devices. You might have a few offline servers or old Linux servers. We will have to do a slightly different custom solution for them, but we have a 99% solution. Let us go ahead and get started on it," and that is very good because you do not necessarily lose the room when you are explaining it to your security team members who never had to do something like that. You can just say, "We have a solution here, guys. We are good."

When we go through all of the information security training, typically, we are trained on other systems, so there is a learning curve for most information security professionals. If there is executive sponsorship to say, "We are going to invest in learning our Microsoft security tools so that we get maximum bang for our buck out of them," that typically goes very well. Microsoft has programs, such as accelerators and the ESIS programs, that enable partners to guide that mission. 

Our deployment engineers have done the Sentinel and 365 Defender deployments for four or five years. They work on these projects all day and every day. A lot of time, they are just helping other people who are doing their first project and saying, "Oh, you probably do not want to load it on these servers.", or "This is the shortcut for this issue." They are just guiding them on that process and helping them avoid some of the mishaps and things that people normally struggle with. Once you get them fully deployed, the ROI starts showing up daily. It is just a matter of getting them to that steady state versus that halfway-done state because a halfway-prepared defense never performs well in combat.

I would rate 365 Defender a nine out of ten. It is a very powerful tool. My favorite gig is explaining it to other incident response professionals and saying, "Now that the customer has an E5 license, and this is all deployed, let me show you this. You run this query, and you bring all of this stuff back. This is how you create custom detections that will automatically isolate things if anything jumps off on this device." I can explain that in a two-hour crash course. If you can explain it the right way to other professionals, they end up realizing how powerful it is. It works great.

I'm managing the SIEM, but the SIEM is heavily integrated with 365 Defender and all the other components. Defender is a natural extension of Sentinel, and our entire SOC team leverages the solution. We utilize it daily for everything related to incident response from an advanced threat-hunting perspective.

We do some KQL-based threat hunting and have set up some custom detections built into the platform, so we can raise an alert about a threat when we see it. Right now, we're onboarding our server environment to push Defender for server agents to see what that looks like. 

Defender is used widely by our SOC for everyday investigations. Our attack surface reduction teams use it for vulnerability information. Other teams at the company use the telemetry data, but it's primarily our SOC using it for incident response. 

Defender XDR has simplified our security operations because we don't need to shift around various portals. If I respond to an initial access event involving phishing emails, I can go to the endpoint and the user's identity in one console instead of having four or five different tabs open for multiple products. 

Since adopting Defender XDR, we haven't consolidated anything because the corporate leadership purchased the E5 license with all of Microsoft's other security solutions. All of those are still in play, but some of Defender's features are creeping into other spaces where it could potentially replace some of their products. 

It allows things like indicator blocking. You can block file caches now. You can block URLs, domains, etc. We might have handled that somewhere else with DNS and stuff like that. We might be blocking domains or adding different intelligence to handle that from the endpoint perspective so the threats are stopped before they get to the network. There are certain functions that Defender might not necessarily take over, but it can augment the entire approach to that security design. It could replace those solutions, but I'm not one to have all my eggs in one basket. However, that's not my decision to make.

Having everything in a single pane of glass saves some time, but it's hard to quantify. It reduces the time needed to respond. It correlates the data in a certain way that probably decreases time spent on manual data aggregation by about 30 minutes per incident. We can aggregate the logs from third-party solutions in Sentinel, run KQL queries there, and look at them together to make some assumptions. That's a significant time saving, but I don't think we're tracking that. 

The way it gathers data is fundamentally different. It's all right here, and I don't need to do separate queries. I can look through the timeline and export the data to a CSV if I want to sift through the data. It likely reduces the time it takes to respond dramatically. One problem we have internally is that we can't deploy Defender for Endpoint on everything. I can't deploy it on a many legacy OS due to the compatibility. It's challenging to address those things when you get so used to having all of this telemetry. When working through that, the advantages of using the platform become clear. It incentivizes us to stop using some of those assets because we can't see anything on them the same way that it gets represented in the M365D. We don't have direct telemetry ingestion into the cloud portal where we can collect logs from all those assets.

The most valuable feature is probably the aggregation and correlation of the different telemetry points with Defender for Identity, Defender for Endpoint, and Defender for Cloud Apps. All of these various things are part of that portal. We've wanted that single pane of glass for years. 

We've become early adopters of almost all of the features that they offer through the portal, so we've become good at working through the leading-edge quality of the new features and deciding whether or not we want to implement something in production based on that. We have a close relationship with Microsoft's team, and they present us with opportunities to enable new features, but all of the training is done internally. We have a close-knit team structured between our level two, level three and engineering team. And so we'll come together and say, "Here's this new thing we can do with Defender for Identity. We can reset users' passwords on-prem through the portal." We'll discuss these things and whether to implement them, but it's just our team.  

Defender provides unified identity and access management. There's probably some more granularity that could happen within the existing access control model. You can apply default labels for security admin and this or that. It depends on how you design it. A lot of our security admins can do at-will actions. We want them to be able to do anything else requiring an elevated set of privileges that allow you to design roles or stuff related to assets or identities. 

You have an audit trail for who's doing what, which is great. I think they could make the roles more granular. That would be ideal. Integrated identity and access management capabilities are core to the solution because you don't want people to have too much access. You want to control it to a point. We need people to be able to do what they need to, but I don't want everyone to have domain privileges because they can log into a domain controller through the portal. 

These are the kinds of things the portal lets you do, like the interactive sessions with Defender for Endpoint. However, I would like to see a just-in-time access approach that allows me to do something, and once I'm done with the action, it shuts off that capability.

Defender feels restricted to Microsoft products, but if we augment its capabilities with Sentinel, you can pull all your third-party data sources and everything into the SIEM. That immediately adds a different value to the product. Having some level of normalization on the data helps, but the ability to take data from third-party sources and correlate it with Microsoft sources is beneficial.

The solution stops the lateral movement of advanced threats like ransomware if you set it up correctly and are willing to accept the possibility of false positives on automated isolation, app restriction, etc. It entirely depends on what your team can do with rule tuning and use case detection. 

Our team does customized detections entirely based on what's happening in our environment. We have direct tuning capabilities.  We don't have an automated isolation-based task applied to out-of-the-box rules. That would be scary. We do our best to ensure false positives don't happen. If they do, we can control the outcome and make sure it can tune out the false positives. 

Defender can stop attacks and evolving threats because it can correlate data and make assumptions based on it. If you feed it all of your data, it will do an incredible job. It's dependent on your environment, but I think it does an excellent job of detecting perceived threats. At the same time, you still need a human being to monitor and tune it. 

The advanced threat-hunting capabilities are phenomenal, and the security copilot enhances that, but some data elements could be better or have more context inside of the advanced tables themselves. The schemas feel a little limited to what they're building into the product. It's probably just a maturity thing. I imagine we'll see the features I want in the next year.

Once you've onboarded your servers to Defender, they're housed on Azure. When those things are brought into the 365 Defender portal, I can see clearly that some of those are Azure resources. There is a subscription and the resource group. That data doesn't exist in the tables. We don't want to run automated remediation against our domain controllers, but you can't exclude those using Azure resource tags. You can't tell it to exclude assets from this resource group. 

That data doesn't exist inside the tables you use to build your thresholds or custom protections. I could see where they could improve the data they present to you in the tables. I assume that it will come with time. There's so much happening. Every time I open the portal, there's a new feature. 

We have used Microsoft Defender XDR since earlier this year and prior to this the Microsoft 365 Defender solution. We were early adopters of the platform and changes to the different products being integrated.

I rate Microsoft support seven out of 10. Sometimes, the support teams are great. However, sometimes we know more about the tool in some cases than the people we're talking to. We use it so heavily that our internal team has a better understanding of the toolset than the average SME should. We use it every day, so we live in the portal. I can't comment negatively or positively on the support. It depends. Sometimes, you might get somebody who knows what's going on, but in other cases, we have to figure out the solution on our own. 

The worst thing I can think of is when we need to reclassify a domain that they've called incorrectly. In that situation, you send a request into the abyss. you never get a response, and it's like, okay. Do I have to keep checking back over and over again to see if this has been reclassified? 

Neutral

We've experimented with other providers at this point, like Carbon Black. I think Defender meets the enterprise-grade criteria for our needs, but there are some nuanced differences between the solutions. 

I think it's hard to compare due to the sheer volume of the E5 ecosystem in one location. No other tools have that. If you bundle all the Microsoft solutions, it doesn't make sense to compare them to third-party solutions. Defender stands out in terms of gathering data and the way it presents everything in the incident timeline. The only thing it could do better is the filtering capabilities when you're pulling back the data from the timeline. 

Data is expensive if we want to leverage the telemetry that exists within the 365 ecosystem and bring that into Sentinel. I can't pipe that data in without paying an ingestion cost. I know how much data exists in each one of the tables that are there, and it would cost a significant amount of money to bring that in. 

I rate Microsoft Defender XDR 10 out of 10. I don't know of anybody else that's even remotely close to doing what they're doing. It's reduced my work in terms of identifying things. I might be in a position where I'm engineering, but I'm still technically on the response team. I'm using the tool the same way, and it has gotten better and better every time they add something new.

My role is to monitor Microsoft 365 Defender. We investigate various alerts and incidents that occur there. We utilize the solution to block any malicious domains, URLs, or other harmful elements that could affect our environment. Microsoft 365 Defender is our tool of choice for this purpose, and it helps improve our secure score. We assess the available remediation options to determine if they are suitable for our enrollment. Additionally, we use it for email analysis and make use of all the features provided by Microsoft 365 Defender.

Microsoft 365 Defender offers excellent visibility into our environment. We have a dedicated team that focuses solely on handling threats. As for me, I mainly deal with the architectural aspects of the overall environment. However, we rely on Microsoft 365 Defender for threat detection, and in the future, we plan to implement Sentinel as well. The reason for choosing Sentinel is that its integration is much more compatible, as Microsoft does not send various logs for other third-party tools like QRadar or any other tool. Therefore, we have decided to move forward with Sentinel.

Microsoft 365 Defender assists in prioritizing threats across our organization by offering real-time threat analysis. However, it does not provide upcoming threat alerts, such as identifying vulnerable technologies for our environment. To secure them, we can access the security score and follow the recommended actions. The platform displays current metrics and trends.

We are currently in the process of integrating Microsoft Defender for cloud apps and Microsoft 365 Defender, with 80 percent completion. Both solutions work together to deliver coordinated detection and response across the environment. We have one unified dashboard to monitor and control both solutions from a single place.

To create a fully comprehensive threat protection environment, we will integrate Sentinel with Microsoft 365 Defender and Microsoft Defender for cloud apps. This integration will allow us to receive additional data related to threats that are currently not shared by Microsoft.

Microsoft 365 Defender is an excellent tool. It is compatible with Teams and Outlook, making it ideal for threat detection and mail security in a Windows environment, which is commonly used by many corporate entities.

Microsoft 365 Defender is helpful in automating routine tasks and identifying high-value alerts. The Microsoft dashboard facilitates the remediation of alerts by grouping alerts of the same kind, which is beneficial.

Microsoft 365 Defender helps reduce the number of dashboards we need to look at, but it does not completely eliminate them.

Microsoft 365 Defender has saved us time by consolidating many of our solutions into a single tool.

Microsoft 365 Defender helps reduce our MTTD, but Sentinel would help decrease our MTTD even further.

The 'Incidents and Alerts' tab is a valuable feature where we can find triggered alerts.

Microsoft Cloud App Security has now transitioned its alerts to 365 Defender. As a result, all alerts that were triggered in Microsoft Cloud App Security are now visible in Microsoft 365 Defender.

It is beneficial that we can search for any of the devices. If we choose any of the devices, it will display the alert, incident, and the entire timeline related to that particular device. These are the features covered, including the ability to run antivirus directly on the device, isolate the device, and apply restrictions. These are the positive aspects of the solution. The same applies to 'Identity' as well. 

We can also investigate that router using email. The image represents the user's complete inbox. We can find out who the main users are, what the titles of the emails are, and how much malware we have received, including the number of phishing emails. We can see all this information in that explorer. Additionally, that thing is also beneficial.

There is a section titled 'Action and Submission.' When we submit any kind of share value for evaluation to Microsoft, they take a significant amount of time for the process.

When discussing the secure score, which includes overviews and recommended actions, some of these recommended actions are not applicable to us, particularly those related to Microsoft Internet Explorer, which we do not use in any of our environments. Nevertheless, there are instances where options to disable macros and various configurations appear, even though they shouldn't be present.

I have been using Microsoft 365 Defender for two years.

Microsoft 365 Defender is stable.

Microsoft 365 Defender is scalable. The solution can handle numerous endpoints, and as our user base grows, the number of endpoints automatically increases.

Many times, the engineers assigned to our tickets are not very knowledgeable about the solutions and features.

Neutral

I would rate Microsoft 365 Defender an eight out of ten. There are many rapid and independent changes happening each month or every other month, making it difficult to keep track of them.

I prefer adopting a best-of-breed strategy instead of relying on a single-vendor security suite. I have observed this approach being implemented in numerous organizations.

Microsoft 365 Defender surpasses most platforms available in the market in terms of advancement and offers extensive integration with other Microsoft solutions. I highly recommend this solution.