Microsoft Defender XDR Reviews

We use it for endpoint protection, monitoring network traffic, and enabling automation of issues, we utilize Microsoft Defender XDR. If we are specifically referring to Defender for Endpoint, it is a perfect solution to monitor user behavior and activities across all of our web portals. This provides an easy way to analyze and generate reports about user online activities.

Microsoft Defender XDR's security extends beyond Microsoft technologies and that is crucial for us.

Defender 365 stops the lateral movement of advanced attacks. An attack disruption would cause a lack of availability of our systems and corruption of data if there is a breach.

Microsoft Defender's ability to stop attacks includes an ability to adapt to evolving threats which is extremely important.

Microsoft Defender has enabled us to discontinue the use of a few different products. We consolidated our antivirus, web filtering, and EDR, and we had an endpoint monitoring tool that we now use Defender for.

Reducing the number of solutions we use has significantly impacted how our security team operates. This is because everything is now managed under one control and one tenant. This unified approach facilitates a natural integration with the various Microsoft products we rely on for collaboration, data storage, email communication, and other critical resources essential to our company's operations.

The discontinuation of many of our security products has reduced manual correlation.

Microsoft Defender has saved our security teams 20 percent of their time by providing a single console to manage everything. 

It helps prioritize threats across our company. It is a product that I use every day. I go into the portal all the time. It is very crucial to my security strategy.

We use additional Microsoft solutions. Most of them are available with E3 or E5 packages, including governance and DLP tools. We have integrated most of the ones we are using. Doing so was not that easy but not that complicated. It requires a lot of knowledge. They work natively together for coordinated detection and response, which is a critical component of my endpoint strategy for security and control. Without that, I would have a huge gap and I would have to find a different product.

One of the aspects I use it most for is as a basic antivirus installed on endpoints.

One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions. It's unclear who makes these decisions, but simplicity would be a highly welcome change. A great way to achieve this simplicity would be to have built-in wizards within the products to help users accomplish tasks. This would eliminate the need to guess where to find the necessary options to enable or disable features.

The features I would like to see added to Defender are improved web filtering capabilities and a WAF service. However, I may be mistaken, and Microsoft may already offer a similar solution. I understand that our finance department rejected most of the Defender for Azure services due to their cost, but I lack the information to judge their expense myself. I believe that, as with the Azure environment itself, which was initially considered expensive but became increasingly popular over time, the Defender for Azure solution will also gain traction if its price becomes slightly more competitive.

When it comes to visibility into threats, 365 Defender is slightly complicated, and much more complicated than competitors like CloudStrike. That's just the "Microsoft way" where everything is usually slightly more complicated. The interface is not clear.

Also, it is not clear when the system is offering a recommendation or just a way to validate something. It is not clear what will be automatically done and what you will have to do yourself.

I have been using Microsoft Defender XDR for almost five years.

Microsoft Defender XDR is stable.

Scaling it is not easy and not complex. It's in between. With Microsoft, sometimes it feels like they hide the menus and you need to search for them with a magnifying glass.

The quality of technical support I receive varies depending on the country from which it originates. Sometimes, I feel I possess greater technical knowledge than the support representative and find it more productive to research solutions online, such as through Google. Conversely, I find that teams based in Europe or the United States typically provide more professional and informative responses.

Neutral

Previously, we used ESET, Cisco Umbrella, and JumpCloud for endpoint security, along with Cisco web filtering. I found Defender convenient due to its integration within our existing Office 365 environment. Since Office 365 is built on the Azure platform and integrates seamlessly with other Microsoft services like email, SharePoint, and others, it was more natural to use everything under the Office 365 umbrella rather than navigate to third-party solutions.

Implementing Microsoft solutions has proven more complex than initially anticipated. Due to ongoing changes, the project remains in progress. Migrating from our previous third-party solutions and establishing full functionality required several weeks, potentially extending to three months.

We hired One Pass, an American consulting firm, for our project. However, I am dissatisfied with the work they delivered. One Pass is a large company with too many people communicating with us simultaneously. We had difficulty speaking to the appropriate person because individuals either transferred us to other employees or were unavailable due to vacation.

My advice is to read up on best practices so that you know what the best way to deploy it is. Otherwise, it will be a mess.

It is very effective as long as you don't need real-time information. For me, that's okay. When there is a need for real data, on the spot, which is not available from Defender, it is available CrowdStrike. But for the way I run my business, it is okay.

In terms of a best-of-breed strategy rather than a single vendor’s security suite, I would go with a single suite.

I would rate Microsoft Defender XDR an eight out of ten.

Microsoft Defender XDR is deployed across our organization, encompassing multiple locations, departments, and continents. With approximately 200 international users, we rely on a team of four in-house administrators for security management. Additionally, we utilize the services of external companies for first-line support, who also handle specific tasks within our Microsoft 365 environment.

Public Cloud

Microsoft Azure

We are a security consulting company that assists clients with their Microsoft 365 and Azure security and workloads. We can help optimize the use of their purchased feature sets and licensing, ensuring they get the most out of their investment for security and other workloads and features within the 365 and Azure environments. As information flows between their 365 and Azure environments, we offer expertise to ensure clients are utilizing all available resources effectively.

The majority of our deployments follow a hybrid model, which is currently the norm. Although there have been instances where organizations have fully migrated to the cloud, many larger enterprise solutions in the industry are still in the process of transitioning from on-premise to cloud-based infrastructure. Consequently, most of these solutions are currently in a hybrid state.

The visibility provided by Azure is multi-dimensional, and one aspect that I appreciate is the Microsoft 365 Defender portal. It not only offers Azure security but also a single-pane-of-glass experience where we can view our SaaS applications, email hygiene, and threats and alerts, all on the same page. The monitoring is exceptional, and the quality and depth of the telemetry are impressive. Clients appreciate the fact that we can access incident or alert details, including the affected entities and the timeline of events. For instance, we can identify where an email was opened, a link was clicked, and how malware or viruses spread across the network, causing damage. Additionally, the portal's ability to provide automated responses is second to none, and we can see how Microsoft's AI technology can isolate or stop these instances from further propagation. In summary, Microsoft 365 Defender is a powerful tool.

Microsoft 365 Defender assists in prioritizing threats within our enterprise by utilizing CVE security, a standard security prioritization method. This means that the product has incorporated industry standards into the Microsoft tenant, providing prioritized threats and best practice remediation. With the help of Defender, we gain insights on how to remediate and prevent future threats from similar malware or incidents.

We utilize several security products to ensure the protection of our data and identity. Our product offerings include Defender for Identity, Defender for Cloud, built-in tools for data governance and data protection, as well as compliance and monitoring through the compliance portal. Typically, clients with E5 or A5 licenses can benefit from these products, which cover a wide range of features for protecting data, and identity, and detecting risky behavior such as risky sign-ins and user behavior analytics. The behavior analytics feature, which is a part of our Defender product, has been particularly crucial for federal governments and other organizations with highly sensitive data. While all of our products are valuable and important, we believe that identity is the most crucial foundation to start with since it feeds into everything else.

The integration of Microsoft products is almost seamless, as long as we have the licensing piece. To enable sharing or maintaining telemetry across different solutions, we turn on Connect and switches for products like SharePoint, OneDrive, Teams, and Exchange. Setting up connectors for SharePoint on-premise or Exchange online may be necessary, but Microsoft provides setup wizards and good documentation on their website, making it easy to implement solutions. Any difficulties usually arise from user error or trying to integrate insecure legacy third-party software. However, most modern authentication and protocol software integrate seamlessly within the Microsoft environment. The Microsoft documentation site is excellent, with built-in training and links to assist with implementation.

The security solutions work together seamlessly to provide coordinated detection and response across our environment. One of the things I appreciate about these products is that the Defender products share telemetry across the board. For instance, if we set up Defender for Identity on our domain controllers, we need to grant permissions for that telemetry to be accessible from Microsoft 365 Defender in the cloud. This means we may have to give permissions to our on-premise domain controllers. While the integration is simple, it is essential to follow the documentation to ensure a seamless and easy-to-maintain setup, monitoring, and management of our Microsoft 365 and Azure ecosystems.

Microsoft covers all current threats that have been identified by various security organizations and standards. These threats are typically integrated into the Microsoft ecosystem, including zero-day detections. Microsoft is plugged into world-class cybersecurity organizations, ensuring that all vulnerabilities and updates are current and available in the Microsoft portals. The comprehensiveness of Microsoft's security coverage is top-notch, with seamless integration with other clouds and on-premise products. While there are other products competing in this space, Microsoft 365 users and organizations should not rely on third parties when Microsoft already has integrated solutions available.

Microsoft Defender for Cloud's bi-directional sync capability is crucial as it enables the transmission of telemetry data regarding SaaS application usage from client systems, on-premise devices, and any other systems that access the Microsoft 365 cloud. This feature ensures that real-time data is accessible for managed systems, providing immediate access to any detection of sanctioned or unsanctioned applications. The bi-directional sync capability offers immediate data feedback, which is essential for prompt action.

Microsoft Sentinel enables us to gather data from our entire ecosystem. However, it is important to note that using Sentinel requires a Microsoft subscription and a storage account. Therefore, it is necessary to consider the cost of data ingestion and aggregation. It is crucial to only ingest data that is relevant and beneficial for our security monitoring and data log aggregation. Simply collecting data without a specific purpose is not advisable. I advise our clients to focus on maintaining a lean monitoring and data log aggregation approach that yields security benefits. We can detect and query threats using the crystal query language that is integrated with Sentinel, making it a key component of our Microsoft security journey with our clients. Sentinel connects with everything and has native connectors and third-party options available. Additionally, Sentinel can be set up as a provider of security operations center capability by connecting it to another cloud.

Microsoft Sentinel allows us to investigate threats and respond to them in a comprehensive manner, all from one platform. What I find particularly impressive about Sentinel is its ability to provide both reporting and analysis through workbooks, and actionable response strategies through playbooks. In addition, Sentinel includes UEBA and threat intelligence capabilities. This raises the question of how we can evaluate the effectiveness of Sentinel's security protection. One advantage of Sentinel is that it not only detects threats but also responds to them using advanced DAI and intelligence technology. This allows us to take proactive measures and set up playbooks and other capabilities that integrate seamlessly with Sentinel. By taking telemetry from different products and environments, Sentinel provides a three-dimensional perspective that other products may lack. This helps us take the right steps toward risk mitigation or remediation by giving us current, broad coverage. With telemetry, we can take a holistic approach to secure entities affected by any type of alert or environmental compromise. Sentinel's ability to bring together reporting, analysis, and actionable response strategies makes it a superior product in terms of security protection.

The cost of Sentinel depends on the amount of data being processed. This is likely true for other similar products as well. Typically, the cost of using these products is associated with ingesting and aggregating data logs. However, I believe Sentinel's cost is competitive and provides an advantage, as it offers more than just a SIEM or SOAR solution. Sentinel includes response capabilities, which is where it excels. Therefore, I believe the cost is reasonable considering the benefits it provides.

After implementing Microsoft 365 Defender, our organization has observed a significant improvement in our security measures. We have noticed a substantial decrease in compromised accounts, access issues, and entry problems resulting from phishing attempts, emails, and other security threats. This improvement can be attributed to the robust exchange of online protection capabilities. The impact has been remarkable and has made a noticeable difference in our overall security. Additionally, addressing insecure applications operating within our environment and managing data governance has been a challenge. Data governance, in particular, can be time-consuming since data is ubiquitous and it takes time to establish the appropriate tools, labels, and policies to protect it. It requires a marathon-like approach rather than a sprint and Microsoft 365 Defender has helped reduce the time.

Our Microsoft security solutions automate routine tasks and aid in detecting high-value alerts. The ranking of these alerts is customizable, allowing us to adjust their priority based on our industry or organization's specific needs. While the default settings are effective, we appreciate the ability to modify them to better suit our purposes. This customization feature is particularly valuable as it allows us to tailor the alerts and detections to our particular use case.

The solution has helped our clients by eliminating the need for multiple dashboards and providing one comprehensive XDR dashboard. This has been the most significant feedback from our clients who prefer to have all information in one place instead of having to navigate through multiple portals. With the integration of Microsoft tools like Power BI, our telemetry can be displayed in different views and graphics, making it easily understandable for all stakeholders and users. Power BI can also import Sentinel queries, allowing for customized dashboards with a unique look and feel. I appreciate the flexibility and versatility of Power BI in creating informative and visually appealing dashboards.

The solution's threat intelligence helps us prepare for potential threats before they strike, allowing us to take proactive measures. I have witnessed some excellent updates that are posted on the Microsoft Defender portal. These updates have enabled us to stay ahead of any potential threats. When there is an attack, Microsoft is quick to disable affected services, such as service principals or services, across many servers and other devices, taking affirmative action ahead of time. I have observed many proactive notifications, including day-one or zero-day notifications, that are promptly released on the Defender side. This approach allows us to get ahead of the potential issues and prevent any significant impact.

The amount of time saved by using automation tools is significant and exceeds our expectations. While we sleep, these tools perform tasks such as deleting phishing and malicious emails and conducting automated investigations. This has resulted in a substantial reduction in the number of man-hours needed for Microsoft security and Defender product tasks, which has more than justified their cost.

Microsoft 365 Defender has saved our organization money.

Microsoft 365 Defender has significantly reduced our detection and response times. The proactive nature of the software alerts us to suspicious activity, such as a user logging in from an unknown location, allowing us to trigger conditional access responses accordingly.

In Microsoft 365 vendor products, monitoring and connectivity across all Microsoft and third-party connectors enable viewing of all activity within those environments. This is a key advantage for maintaining and monitoring usage, implementing security guardrails, and protecting data integrity and privacy from oversharing. Many clients face challenges in managing guest account access, SharePoint links, and access control. Thus, we recommend starting with access and entry as a foundational principle of security, using tools such as the identity secure score to assess the security journey progress. 

Microsoft 365 security portals cover four pillars: identity, applications, devices, and data, with Defender products geared towards identity protection being the most useful. These products help set up conditional access controls, privilege identity management, and risk mitigation strategies for legacy authentication and protocols. Defender products also provide visibility across third-party services such as AWS cloud, Box, Workforce, and other enterprise tools. Microsoft Sentinel, another useful product, provides a great solution for infrastructure visibility across Azure and on-premise infrastructure, albeit with associated costs for storage and subscriptions.

At times, there may be delays in the execution of certain actions and their effects. These delays are often related to Microsoft tasks that run in the background. For instance, when we perform an improvement action such as improving the secure score, it may take a few days before we see any changes. This delay can be frustrating, but it is still beneficial. We have also encountered issues with the secure score feedback when we set it up to work with third-party tools. We have reported these issues to Microsoft. To improve the situation, we need to fix this aspect of the solution so that we can receive secure score feedback closer to real-time or more promptly. This would be a significant improvement.

I have been using the solution for five years.

Stability has been good overall, but there was a recent incident where some of the most searched URLs were incorrectly tagged. This included URLs for services like Zoom, which caused concern among many of our clients. However, Microsoft has since corrected the issue.

Our licensing for Microsoft 365 Defender enables automatic scaling based on our needs. This means that the software's capacity will increase or decrease depending on our licensed usage.

The technical support we receive is of high quality. They effectively address specific incidents that arise, and their overall response time is satisfactory. We usually receive a response on the same day. In the rare event that an issue requires advanced technical escalation, they are able to provide us with a specialist within a day or two.

Positive

We have previously used CrowdStrike, McAfee, and Norton products but Microsoft 365 Defender is already included in the license we have with Microsoft so there is no need to pay for additional licenses.

The initial setup is usually straightforward, but it can become more complicated when we are dealing with scenarios such as bringing your own device or managed devices. In these cases, deploying can be a bit more challenging. However, I still believe that the process is generally straightforward.

Before deploying we typically do a pilot with the IT organization and once that goes well, we continue with the rest of the organization and their devices. We usually require between 10 and 20 staff for deployment.

The implementation was completed in-house.

The return on investment is significant. We have observed Microsoft 365 Defender's value in terms of saving man-hours that would have been spent sifting through logs and connecting information during investigations. The Microsoft tool provides us with an advantage by performing this task automatically, allowing us to take action on the information it has already gathered during the investigation. 

The cost of the solution appears to be appropriate, and we get what we pay for. Although I am aware that Microsoft has recently introduced licensing adjustments with plan one and plan two options, I have observed that they offer a higher level of benefits and value compared to our current solution. Nevertheless, we are taking steps to make our solution more accessible to various organizations, including educational institutions, by utilizing the licenses we have and pursuing certification for federal cloud services, despite the additional obstacles. Overall, I believe that the pricing of the licensing is fair.

I give the solution a nine out of ten.

We have a cloud environment, and for Microsoft 365 cloud services, our remote workforce is currently working from various locations. However, some resources and applications are still located on-premise and need to be accessed. To accommodate these hybrid environments, we usually use Azure AD sync to synchronize on-premise AD. This process can add some complexity.

Microsoft 365 Defender needs to be fine-tuned for optimal performance. In order to achieve this, adjustments need to be made based on the specific needs of the user. For instance, when tuning for phishing email security, there are different levels of aggressiveness available for the products. Fortunately, maintenance is quite minimal as Microsoft handles virus signatures, updates, and other related tasks. However, tuning is necessary for individual use cases, such as adding specific emails to an exception or whitelist.

Determining the best-of-breed in a given space can be subjective due to varying perceptions. While a best-of-breed strategy is effective in certain cases, it has limitations when compared to integration. For instance, when trying to identify the best tool for different security areas, having disparate solutions that don't communicate with each other can be problematic. Therefore, integration becomes a critical component in this context. Although having the best-of-breed approach is a great strategy, we also need to consider the benefits of integration and having a single pane of glass that provides an overview of all security aspects. This will help us avoid having to navigate multiple best-of-breed solutions in a sporadic manner.

My suggestion is for people to carefully review the documentation provided by Microsoft to gain an understanding of how the product works and how it fits with their particular use case and solution scenario. Negative feedback is often the result of a lack of knowledge or understanding. By taking the time to conduct a proper POC, engaging with the appropriate Microsoft representatives or consulting organizations, and being inquisitive, we can evaluate our current tenant and solution, and conduct a security assessment. This will enable us to make an informed decision about Microsoft products.

Hybrid Cloud

Microsoft Azure

We use Microsoft 365 Defender to provide cybersecurity to our clients. Microsoft 365 Defender provides real-time alerts which I review and analyze for our clients.

We implemented Microsoft 365 Defender to mitigate the cybersecurity threats our clients were facing. 

Microsoft 365 Defender is a valuable tool for our daily security operations. It provides us with a clear picture of security threats through its alert system, which identifies the origin of the attacks and correlates them with the MITRE ATT&CK framework.

It is user-friendly, loaded with features, and priced cheaper than the competitors.

Microsoft 365 Defender thwarts advanced attacks from spreading within our client's networks by utilizing the MITRE ATT&CK framework to recognize and categorize threats, then automatically taking steps to neutralize them.

Microsoft 365 Defender earns a rating of eight out of ten for its effectiveness in stopping attacks, which has demonstrably improved our security operations.

While Microsoft 365 Defender effectively stops attacks and adapts to new threats, human intervention is necessary for entirely new attack patterns. This is because the system relies on machine learning to identify threats based on past data, and completely new attack patterns wouldn't be recognized yet.

Microsoft 365 Defender enabled us to discontinue the use of other security products and helped save our security team time.

The most valuable features are machine learning, AI, and auto-remediation of non-malicious alerts. The onboarding and offboarding of devices are also seamless and the Windows Autopilot is helpful for our users.

Troubleshooting in Microsoft 365 Defender can be inefficient. Onboarding new devices with communication issues, for instance, requires using Veeam for log investigation and contacting Microsoft support, making the process time-consuming.

The current number of indicators of compromise provided by Microsoft is 15,000, but increasing this number would be beneficial for improving detection capabilities.

I have been using Microsoft 365 Defender for one year.

I would rate the stability of Microsoft 365 Defender ten out of ten.

I would rate the scalability of Microsoft 365 Defender ten out of ten.

Microsoft 365 Defender's technical support team is responsive, offering timely solutions to help our clients resolve their security issues.

Positive

In the past, we relied on both McAfee for antivirus protection and Cybereason Endpoint Detection & Response for advanced threat hunting, but we have since streamlined our security posture by consolidating these functions under Microsoft 365 Defender.

Microsoft 365 Defender is more user-friendly and flexible than Cybereason Endpoint Detection & Response.

Deploying Microsoft 365 Defender is a manageable process for our team of three, who handle our roughly eight thousand servers on an ongoing basis.

Microsoft 365 Defender offers competitive pricing. While purchasing an Azure subscription includes it in a bundled model, the standalone subscription cost for cloud storage and Defender itself remains reasonable, making it an affordable option compared to other security services.

I would rate Microsoft 365 Defender nine out of ten.

It takes some time to see the benefits because it is a large tool with many features that keep changing.

Our clients are enterprise-level.

Maintenance is required.

I recommend Microsoft 365 Defender to others.

Public Cloud

Microsoft Azure

We use Microsoft 365 Defender to protect our privacy.

Microsoft 365 Defender's XDR platform provides identity and access management which is important for our organization.

Microsoft 365 Defender's security extends beyond Microsoft technologies, which is important to our organization.

The multi-tenant management capabilities are easy and the support is 24/7.

It has helped save us approximately USD 1,000 per month.

Microsoft 365 Defender has helped save our security team time.

The most valuable feature is the network security.

Since all of our databases are updated and located in the cloud, I would like additional support for this.

I have been using Microsoft 365 Defender for almost four years.

Microsoft 365 Defender is stable. The only downtimes are scheduled by Microsoft and we are provided with advanced notification to prepare.

Microsoft 365 Defender is scalable.

Technical support is one of the reasons we chose Microsoft 365 Defender.

Positive

The initial deployment is easy. Microsoft 365 Defender is plug-and-play. The deployment takes a maximum of one day.

We also evaluated Kaspersky and Trellix XDR but found that Microsoft 365 Defender had additional features that met our needs and their support was better.

I would rate Microsoft 365 Defender nine out of ten.

Public Cloud

Microsoft Azure

Microsoft Defender XDR is our primary solution for security. We have a number of use cases across different environments, allowing us to secure all our use cases comprehensively.

One of the most valuable features of Microsoft Defender XDR is its ability to provide preemptive reports regarding excessive privileged access. This allows us to secure our systems in advance and proactively improve security, rather than waiting for incidents to occur. Additionally, it ensures that we are fully compliant before any audits are conducted, which has potentially saved our reputation. Furthermore, its integration across different environments allows central visibility for different workloads.

There is nothing I can think of at the moment that needs improvement. I am a contractor and finishing up soon, so I haven't encountered any issues requiring enhancements.

I have been working with Microsoft Defender XDR for a few years now, about one and a half to two years.

I was involved in the deployment, and it was very easy to set up and configure. I did not encounter any problem—it took half a day to a full day at most.

There are no complaints regarding the stability of the solution. It seems to do the job well.

The customer service is good, and they supported us well. Although it took some time, we got the required support in the end.

Neutral

The initial setup was straightforward, and I did not have any issues with it.

We used Teams for the deployment, but I could be wrong on that.

Overall, I would rate Microsoft Defender XDR a seven out of ten. It is a useful tool and not necessarily the best solution I've seen, but it is good and I wouldn't object to using it.

Other

It addresses various use cases, including monitoring and securing file storage like OneDrive and SharePoint. It has recently incorporated Teams integration to safeguard against malware. Additionally, it serves as a replacement for on-premises Advanced Threat Protection, offering enhanced capabilities. It has proven valuable in highlighting critical scenarios related to credential use and legacy Active Directory, providing substantial assistance in these areas.

When transitioning to Microsoft Defender for Endpoint from our previous use of ATP, we observed significant improvements. Legacy ATP involved numerous signals and a substantial learning curve, but Microsoft Defender for Endpoint establishes a more effective baseline. In comparison to Cylance, which generated a considerable amount of background noise, Microsoft Defender for Endpoint enables us to concentrate on the more critical alerts that demand our attention. Our team is actively phasing out disparate security tools in favor of a streamlined approach. The efficiency gained from having a single pane of glass is a powerful asset for our team.

One of the most valuable aspects is the comprehensive insights it provides into on-premises identities, particularly within Legacy Active Directory. This allows for the examination of use cases related to identities, ensuring there is no misuse of accounts or computers. A crucial aspect for our team is the inclusion of identity and access management tools from the vendor. Despite being a sizable global company, our team is relatively small, considering our global reach. Therefore, minimizing overhead is a top priority for us, and integrating these tools from the vendor becomes crucial in achieving that goal.

My suggestion would be for Microsoft to continue aligning all components within this ecosystem. This consolidation is beneficial as we strive for a more unified and comprehensive view, essentially a single pane of glass, which is highly valued. In the future, I hope for increased third-party integration. While Microsoft plays a role, it's equally important for third-party providers to step up. In our organization, the information security team has endorsed a specific set of products. Integrating the telemetry from these approved products into our systems would be immensely beneficial, providing a more comprehensive view and enhancing our overall security posture. Extending security coverage is of paramount importance. Integrating telemetry could bridge these gaps, fostering greater cooperation among individual teams within the organization. Having teams collectively examine the same information might contribute to advancing collaboration and overall security efforts. The capability to not only thwart attacks but also to adapt to evolving threats is crucial.

I have been using it for the last three years.

It is exceptionally stable, without encountering any notable issues or complaints. Microsoft seems proactive in communication through the message center, keeping users informed about any ongoing issues, and we appreciate the clarity provided through multiple channels.

It has the capability to scale seamlessly, especially with Microsoft's expertise in the cloud. We have over six thousand end users globally distributed across various facilities, with some on-premises deployments due to specific requirements. However, our overarching strategy is cloud-first, and the majority of our infrastructure operates in Azure. In terms of endpoints, the number is substantial, likely exceeding seven thousand when considering both servers and clients.

We haven't had the need to contact them so far. In general, our experience with Microsoft support has been variable—it can be both beneficial and challenging. While they offer a wealth of resources, there are instances where the response may not align with our expectations. I would rate it eight out of ten.

Positive

I made the switch from Bitdefender to Defender primarily due to cost considerations. In my professional assessment, Bitdefender appears adequate from a client perspective, but when it comes to enterprise deployment, I don't view it as fully enterprise-ready. We encountered numerous challenges, particularly with installing Bitdefender's agent on Server 2022, which proved to be a significant hurdle for my team, consuming valuable time and resources. The advantage of Defender lies in its ability to seamlessly bring together threat telemetry from servers across various cloud providers, including Azure, and extend this protection to our Windows endpoints, offering a robust and integrated security solution.

The initial setup was straightforward.

Our implementation strategy was relatively gradual and soft. We enabled the features, allowed it to ingest the data, and then began assessing the generated alerts. Taking a somewhat silent approach, we deferred more to the expertise of our information security team, considering their role as the cornerstone in this aspect. As we moved forward, we aimed to identify areas for improvement and address the specific queries and needs that our team raised during the process. Our ongoing maintenance primarily involves fine-tuning our alerts to align with our specific use cases.

In terms of return on investment, the potential for cost reduction is a key consideration and Defender does provide it. The time saved is substantial, especially if we can navigate through our internal processes efficiently. Specifically for my infrastructure team, using Defender for Endpoint has significantly reduced the time spent delving into emerging issues. As a rough estimate, I would say it saves us approximately six hours a week that would otherwise be spent navigating through the complexities of individual components within Microsoft 365.

I find the pricing to be quite competitive, especially considering its inclusion in our E5 subscription, which provides a comprehensive set of functionalities. Initially, when I evaluated the pricing for add-ons with our E3 subscription, it seemed reasonable. However, we opted for the E5 subscription, absorbing the additional features seamlessly.

I'd recommend exploring Microsoft's Learn documentation, a resource that is sometimes overlooked but provides valuable insights into the capabilities of Defender. It's a good starting point to understand its features. For large enterprises with tools like Visual Studio subscriptions (formerly MSDN), Microsoft offers the option to set up an E5 tenant for testing. This can be deployed freely for up to twenty-five licenses, excluding the Windows license. I suggest diving into hands-on experimentation in a lab environment, combining practical experience with informational reading for a comprehensive understanding. Overall, I would rate it nine out of ten.

Hybrid Cloud

Microsoft Azure

Microsoft 365 Defender works together with Exchange Online is my area of specialty.

Microsoft 365 Defender incorporates a capability to identify potentially malicious emails or emails originating from suspicious senders.

Previously, we encountered a significant number of spam emails and suspicious emails, and users were inadvertently interacting with them. However, we have made progress in addressing this issue. We have conducted attack awareness training to educate users on identifying suspicious emails, and Microsoft Defender has played an important role in preventing such emails from reaching our inboxes. As a result, we have noticed a reduction in the volume of spam emails and an increase in the delivery of trustworthy emails. Considering these improvements, I can confidently state that we are in a better position now in terms of email security compared to the past before the implementation of Microsoft 365 Defender.

Within Microsoft 365 Defender, specifically using Advanced Threat Protection, you have the ability to define rules and actions for high-value alerts. 

By using Advanced Threat Protection, you have the capability to conduct thorough investigations and delve deeper into the search for specific threats that you suspect may be present within your organization. 

Within the Microsoft 365 Defender suite, you have access to numerous features that enable you to effectively track and investigate potential threats within your organization.

Automation significantly impacts our security operations in a highly beneficial way. It revolutionizes our approach by providing a centralized IT vendor admin center where we can execute all our search queries and obtain the desired information from a single interface. This unified platform streamlines the entire process by consolidating various components and their respective search processes into one, eliminating the need to navigate through multiple individual interfaces. With Microsoft 365 Defender, we have the convenience of accessing and investigating different areas of interest from a single standpoint. This not only saves us substantial time but also reduces effort and enhances overall efficiency in our security operations.

The consolidation of security operations has had a significant impact on our effectiveness and efficiency. It has resulted in improved response times, enabling us to swiftly pinpoint the potential sources of threats. We have observed a reduction in incident response time, allowing us to address security incidents more promptly. Additionally, the consolidation has enhanced the efficiency of our deployment processes, streamlining our overall security operations. These notable impacts have greatly contributed to our organization's ability to proactively identify and mitigate threats, ultimately bolstering our security posture.

Threat intelligence is an essential component in proactively preparing for potential threats and implementing proactive measures. While I have not personally engaged with this particular feature, it is widely acknowledged that staying informed about current threat intelligence is essential.

Although preventive measures are in place to minimize maintenance issues, there can be instances where threats successfully circumvent those safeguards. However, the capability to detect and identify threats before they cause harm to the system remains a valuable advantage. Anticipating the effects of this specific feature in Microsoft Defender is something I am eager to experience, as it appears to be a fascinating addition to the security measures.

Another noteworthy feature that I find appealing in Microsoft Defender is the credit-backed simulation. This feature enables organizations to train their users on effectively responding to phishing emails through a simulated training environment. 

Indeed, the credit-backed simulation feature in Microsoft Defender operates by sending simulated phishing emails to users within the organization based on the configured settings. When a user interacts with the email by clicking on a link or taking any action, they receive a notification informing them that it was a simulated phishing attempt. This simulation serves as a valuable training tool, helping users learn how to detect and respond to phishing emails effectively. By experiencing these simulations, users can enhance their awareness and develop the skills necessary to prevent falling victim to real phishing scenarios in the future. This feature is highly valuable in improving the overall security awareness and resilience of the organization's users.

In terms of visibility, Microsoft 365 Defender offers a comprehensive and detailed overview of threats and potential traces identified within your organization. 

Within Microsoft 365 Defender, you have the ability to configure specific criteria and assign high-risk values to certain indicators. This allows you to align with compliance regulations and establish your organization's threat determination framework. By leveraging Microsoft 365 Defender, you can implement and enforce these criteria to analyze and assess potential threats in your environment. 

I believe that Microsoft has the potential to greatly enhance the efficiency of the application by incorporating advanced capabilities into this feature. By providing users with the ability to customize and tailor threat detection according to their specific needs, Microsoft could significantly improve the overall effectiveness of the application. The addition of advanced capabilities would be a valuable enhancement, complementing the existing features and further strengthening the overall functionality of Microsoft 365 Defender. This would undoubtedly be a welcome and highly beneficial addition to the platform.

Microsoft 365 Defender demonstrates a commendable level of comprehensiveness in its threat protection capabilities. However, it is important to acknowledge that false positives and false negatives can be potential challenges in any security solution.

I primarily focus on using two key features within Microsoft Defender: the attack training simulation and the threat policies integrated with Azure Guard Protection.

The dashboard is one of the features of this application.

Implementing this solution has proven to be time-saving as it enables us to effectively track down suspicious and malicious attachments that may accompany emails. Even if users tend to click on attachments without much thought, we have successfully prevented and significantly reduced security breaches that were prevalent in our past security architecture. The ability to identify and mitigate potential threats has greatly improved our overall security posture, providing us with enhanced protection against breaches and unauthorized access to our systems. By leveraging this solution, we have experienced tangible benefits in terms of minimizing security incidents and safeguarding our organization's sensitive data and resources.

There was a specific incident where an email was received containing an executable file, and unfortunately, like many other users, this particular user was unaware of the potential risks and clicked on it without hesitation. Consequently, the consequences of this action became evident. 

Microsoft 365 Defender has provided us with the capability to pinpoint the specific machine where the application is currently present, as well as track the actions and steps that the application has already taken on that machine. This is just one example of the numerous areas where Microsoft 365 Defender has proven invaluable in our security operations. 

While providing an exact numerical comparison may be challenging, I can confidently say that the improvement in our response capabilities with Microsoft 365 Defender compared to our previous security architecture is indeed significant.

It is fair to acknowledge that Microsoft 365 Defender, like any software product, is not without its imperfections. There are instances where it may incorrectly flag legitimate emails from trusted senders as spam or exhibit inadequate performance in accurately classifying certain emails.

Aside from that, it's a pretty good solution, and that is for the emails.

However, the main point I want to convey is that for someone who is new to it, using Microsoft 365 Defender will demand a significant amount of effort and a willingness to learn about the product in order to maximize its benefits. It deals with technical aspects and encompasses a broad range of features beyond just the mentioned warranty, such as online exchanges. To effectively utilize Microsoft 365 Defender, it is important to have a thorough understanding of its functionalities.

It may be too complex for beginners to grasp.

In the future, it would be beneficial for Microsoft to consider making the product more user-friendly or simplified for those who are interested in using it. Currently, it requires a high level of technical expertise, making it challenging for beginners or less experienced individuals. 

Breaking it down into smaller components or enhancing its comprehensibility for end users would serve as a valuable advantage. In fact, it would not only impress others but also motivate them to understand the significance of utilizing I Defender in their specific situations.

At the moment, I have limited knowledge about TripAdvisor and its offerings, so I'm unable to provide comprehensive information. However, based on my current understanding, I believe it would greatly benefit from being more user-friendly and simplifying its features. This would enable users to easily navigate the platform and maximize their experience with it.

I have been working with Microsoft 365 Defender for a year.

To the best of my knowledge, I have never encountered a situation where Microsoft 365 Defender experienced significant crashes or unresponsiveness, aside from occasional instances of false positives and false negatives. I have found the platform to be reliable and self-service oriented, with prompt responses from the provider whenever assistance was needed.

We currently have around a hundred users with Office 365 licenses; however, not everyone has the same plan that includes Microsoft 365 Defender. I was hoping to access the admin dashboard to have a closer look at the settings and configurations, but it seems that access is limited to approximately fifty users.

This is managed by Microsoft you don't have to do anything.  All you have to do is understand how to use it to make it work for you.

Similar to other cloud applications, I believe Microsoft 365 Defender demonstrates excellent scalability by seamlessly accommodating an increasing number of users. It effortlessly scales across these users, eliminating the need for extensive efforts to extend security measures to them. The scalability of Microsoft 365 Defender is highly commendable.

In situations where an email that appears to have properties indicative of spam gets delivered instead of being flagged, it is advisable to contact the technical support team directly. 

Engaging with customer support allows you to understand why such potentially harmful content was allowed into your organization. While Microsoft 365 Defender is an advanced solution, there is always room for improvement, and feedback can help drive future enhancements to make it more effective.

By reaching out to customer support, you can address specific concerns and gain insights into how to optimize the system's performance for better security outcomes in the future.

I would rate the technical support an eight out of ten.

I use Exchange Online Protection in conjunction with exchange mailboxes.

They collaborate closely. Collaborating with one is nearly identical to collaborating with the other due to the overlapping features between Microsoft 365 Defender and Exchange Online. Essentially, I consider them to be synonymous since their primary objective is ensuring security.

They lack native integration and instead exhibit interdependence. I believe their collaboration is essential in order to fully utilize their capabilities and optimize the user experience. It is crucial for them to function together in order to achieve maximum benefits and enhance overall performance.

The main differentiating factor is the expanded scope of Microsoft 365 Defender, which is evident as the primary distinction. Our utilization includes Microsoft 365 for cloud applications and Microsoft 365 for Office Microsoft 365 applications. However, when it comes to Exchange Online Protection, its functionality is exclusively focused on email boxes.

Microsoft 365 Defender provides a broader and more extensive coverage compared to Exchange Online Protection, offering a wider reach in terms of wireless accessibility.

In the past, we used Mimecast for email filtering, and before that, we employed Trendmicro as our spam filtering and email filtering solutions.

I was not involved in the deployment process.

Previously, organizations had to invest in separate third-party filtering solutions to effectively address potential threats and breaches. However, the situation has now improved significantly as Microsoft 365 Defender consolidates all these necessary security measures into the comprehensive Microsoft 365 license. This consolidation brings numerous benefits, making it a win-win scenario for organizations. They no longer need to make additional purchases or manage multiple security solutions, as everything is conveniently available with the Microsoft 365 license.

With an eligible and dependable license like Microsoft 365, there is no need to concern yourself with the purchase of an additional third-party solution, which often comes at a higher cost. 

All these functionalities have been consolidated into a single license, eliminating the need to incur additional costs for third-party solutions such as Google Security for email features and similar functionalities.

The time it takes for us to respond has been significantly reduced. Additionally, the time it takes to detect potential threats has also seen significant improvements.

In situations where Microsoft 365 Defender did not successfully mitigate a potential threat or error, it highlights the need to initiate a new process to address the specific scenario. However, with the current setup, we are now able to detect and prevent such incidents in a timely manner. This proactive approach has saved us from potential future issues and the associated costs that may have arisen. Without Microsoft 365 Defender, it would have been challenging to identify and contain these threats, which could have caused widespread problems throughout the environment. The implementation of Microsoft 365 has effectively stopped such incidents from occurring, mitigating the need for extensive investments to resolve the issues. This positive outcome demonstrates a favorable return on investment, provided we fully understand and leverage the capabilities of the product to its maximum potential.

I believe the pricing is fair and acceptable. I consider it to be reasonable and satisfactory.

If you prioritize security, considering the cost should not be a determining factor. If you truly understand the level of protection offered, you wouldn't be concerned about the price. Instead, you would focus on the value provided. From our perspective, the pricing is reasonable considering the significant benefits and value we currently receive.

We recently transitioned away from those solutions and successfully migrated everyone to Microsoft 365 Defender. Since then, we have been exclusively using Microsoft 365 Defender without any changes up to the present time.

We have no motivation or desire to switch to or explore other products, as we are already satisfied with the quality and value we receive from our current investment.

Optimally managing a combination of various security solutions can be time-consuming and overwhelming. Instead, having a single dashboard where you can consolidate and run all your queries proves to be more efficient. While the intention might be to extract the maximum benefits from multiple solutions, dividing your attention among them hinders the ability to fully leverage each one. Therefore, it is advisable to identify a comprehensive solution that meets your requirements and focus on understanding how to maximize its potential and utilization.

Furthermore, using multiple solutions in an environment can lead to compatibility issues and conflicts. When you have multiple applications performing similar functions, it can complicate matters and potentially cause problems in the future. To avoid such complications and maintain a streamlined setup, it is advisable to stick with a single solution and focus on understanding and optimizing its usage. By doing so, you can ensure better control and avoid potential disruptions that may arise from using multiple conflicting applications.

To truly grasp the value of a service like Defender, it may be challenging for someone who hasn't experienced the need for its intervention firsthand. It is essential to engage individuals who have encountered scenarios where Defender played an important role in saving the day. When evaluating the effectiveness of the solution, it is important to involve those with hands-on experience, who have witnessed the capabilities of the product and understand how to maximize its utilization. The hands-on experience becomes paramount when screening and assessing the proficiency of individuals in dealing with this specific solution.

I would give Microsoft 365 Defender a rating of nine out of ten. The only reason I'm not giving it a perfect score of ten is that it can be quite technical for someone who is just starting out. Additionally, there may be occasional false positives and negatives, which is not unique to Defender but is a common occurrence in various software and security applications. However, apart from these minor aspects, I consider Microsoft 365 Defender to be an excellent solution overall.

Private Cloud

Microsoft Azure

I am a purple teamer in my current job, so I also work with detection response in my organization. My job is to configure alerts and monitor incidents, and to do that, my company uses Microsoft Defender XDR. My company has endpoint detection tools for all the endpoints in the organization, and through Microsoft Defender XDR, we are able to get a top-down view of all the incidents on a daily basis and then actually be able to even customize what kind of alerts we want to look for and what kind of attacks are happening. One of the things that I personally love about the tool is the attack story that it provides. Every time there is a specific incident, it creates a graph and maps it to Mitre Att&ck Framework, so it could be initial access, or you may have malicious activity within the network. The tool can track all of the aforementioned areas, and it gives a confidence level. For example, if it is a high-confidence, high-risk alert, then the tool would probably quarantine that particular endpoint on its own, and then an investigator goes on there and actually verifies it. In my experience in the last six months, the false positive rates have been close to zero. Every time there is a case of high confidence alert, there has never been a case where it was not a malicious activity, and it is something I love about the product.

In terms of the most valuable feature of the product, I think it stems from the way it classifies incidents, as it is the most important area in my field of work. Another valuable feature of the tool is threat hunting. For example, there could be a chain of phishing emails that are being sent to our organization, and it may come up as an alert. Then, I know that I can use the artifacts, after which it gives a list of artifacts, which could be email addresses or IP addresses, to identify the threat actors. I can then go ahead and hunt for them across all endpoints within the network, making it essentially something similar to an SQL query that I can run based on what I am looking for. I get more leads in terms of which other mailboxes this particular phishing attack might have gone to where the user may not have interacted with it. The tool allows us to be more proactive in terms of getting close to the initial compromise. I think the threat-hunting feature is coupled with the alerts that my company has configured, and it allows us to proactively stop attacks, which is probably the most important thing for us.

I think that the tool can do a lot of things in a pretty effective way. A lot of times, one of the things I look at is how the false positive rates are, and so far, I see that they have been close to zero. Honestly, I don't think there is a lot in the area of false positives where the tool could improve. I do think that maybe having a feature within my organization where there are three different domains within which we have to operate would be helpful, as there is currently no unified view within the domains. Within a specific Active Directory, you can have Microsoft Defender XDR running, and so everything, including all the endpoints in that domain, are areas you are able to look at from one particular user interface, but there is no feature in which you can merge two different domains. For example, if there are xyz.com and abc.com, all of the endpoints within each of the domains, our company will have a separate UI from Microsoft Defender XDR, and because of it, we have to monitor three different UIs at each point in time. There is also a lot of automation that I have put in place, so every time there is a high-risk alert, our company gets an email in our InfoSec mailbox essentially. I think having a feature where you can merge everything onto a single dashboard would be something from which my company would definitely benefit because it's just a lot of sifting through different user interfaces and then collating data from it. In our company, we should just make sure that we are able to respond immediately, especially whenever there is a security issue within the organization.

I have been using Microsoft Defender XDR for six months. My company is a customer of the product.

I have been in the company for six months, and I think there has only been one time where I remember there was a bit of a slowdown which was associated with the antivirus server and it was not related to Microsoft Defender XDR. Considering the aforementioned issue, my company had to raise a ticket for support, but it has only happened once.

So far, the scalability offered by the product has been fine because it serves as an internal tool managing essentially all of the endpoints within the network, which essentially includes all of the employees, servers, access points, and all of that. In the last six months, my company has not really scaled up the use of the tool that much, and so the numbers have been constant, more or less. If my company ever plans to double up in size in a short period of time, it will probably be the time when the tool's scalability will be tested. I don't think I have the data points right now to answer questions related to the tool's scalability feature.

I have contacted the product's support team. I feel that Microsoft offers a very good support team, as they are usually well-equipped, and the support team members are currently the ones who set up the tool from scratch. The support team has complete visibility of the environment. Every time there is an issue, it gets resolved within 30 to 45 minutes, sometimes more if it is a bit complicated. For example, if the server is slowing down for some reason, the support team is able to sort it out pretty quickly. I think my experience with the tool's support team has been pretty good. I rate the technical support a nine out of ten.

Positive

Before Microsoft Defender XDR, I used some other solutions of the past. In one of my previous organizations, we used to use an SIEM solution like Splunk. The company had a lot of open-source tools, so we used Microsoft Defender XDR and ELK stack to generate alerts from a network monitoring point of view. The company also had Snort rules running on the same endpoint, which was like a blue team device for monitoring the network, and we also had a Splunk Universal Forwarder on the endpoint that was connected to Splunk's server, which was useful for visualization. Splunk was not an XDR tool; it was more about monitoring alerts that we had configured within the organization, customizing them, and making sure that we were able to catch threats based on signatures. There was less automation in the sense of how you can react to an incident. For example, in Microsoft Defender XDR, the moment there is a high-risk and high-confidence alert, it quarantines the endpoint or that particular mailbox and sends an alert to our company, and in such a manner, it stops the attacks, and also lets the investigators know that it is not a false positive, which is something I was missing in a SIEM solution that I used in the past. Alerts were being generated from Snort, and the company where I used to work had an ELK stack running, so we configured the alerts on it. The company also had a Splunk Universal Forwarder that would forward the alerts to a Splunk interface, and it is where we used to visualize all the alerts. In general, it was a combination of different tools that allowed my previous company to have the aforementioned process in place.

The solution is deployed on the cloud model, and our company has opted for the cloud services offered by Azure. In our company, we have Microsoft Access Control Service in place, so everything is controlled through Azure. If there are new members in the team, we give them read-only access to XDR through Azure, so it helps manage the identity and access, and then you can access Microsoft Defender XDR's portal. Our organization also creates specific IDs for every investigator to access Microsoft Defender XDR.

I don't think I can speak much about the pricing model of the product because it is not something I work with, and so I don't know the amount of money being burned by the company for the solution, making it an area beyond my visibility. With the little idea I have about the costs, I can say that XDR tools tend to be a bit expensive. If you are using Microsoft Defender XDR, then you need to go for a subscription-based pricing model. In my organization, which is a relatively large company with close to 3,000 employees, the solution works out well for us. For example, if I had a startup, it probably wouldn't be cost-effective to have an XDR solution in place, and that is where I would probably look at more open-source tools to work with and maybe have a SIEM solution which was a startup, a reason why we had to rely on open source tools. My previous organization also had opted for a subscription to use Splunk, which was expensive, but it was better than getting an XDR tool.

Speaking of whether I started to see the benefits of the product immediately after its deployment or if I had to wait for some time, I would say that Microsoft Defender XDR has been in place from the time I joined my current organization. I immediately saw the benefits of using the product. I wasn't present in the organization at a time when they had moved initially to Microsoft Defender XDR, so I can't speak about the time point during which others in the company saw the benefits or effects of the use of the solution. I think the tool has been very efficient because I have worked in other organizations where they were not using Microsoft Defender XDR, as they preferred SIEM solutions. I have seen that in scenarios where SIEM-based tools were used, it was more of the investigator who had to figure out what was happening because you just had a ton of data coming in from the bottom up. In my previous companies, we had a Splunk interface through which we could indulge in monitoring. I see a stark contrast between the previous products and Microsoft Defender XDR, and it is because the latter-mentioned tool not only allows you to get that bottom-up view where whatever is happening on an endpoint level, I am able to monitor while also being able to push things from the top to down. For example, if I wanted to quarantine a particular file on a subset of endpoints, I can do that from Microsoft Defender XDR, where I can put it on a block list and mark it to a particular Active Directory group, after which I am able to then block that out. The tool is quite effective from a detection and response point of view.

If I consider whether it is better to have just one solution instead of a combination of tools, I would say that it is always better to have a combination of products. The SIEM solution I had used previously was quite efficient in collecting data and in being able to process large amounts of data from where we had a lot of endpoints within a particular network, which I think was fast in many ways. Microsoft Defender XDR internally does the same thing as an SIEM solution. If you ask me, it is always best to have an SIEM solution integrated with an XDR tool because most SIEM products are very good at handling large amounts of alerts, and if you have configured it properly, then you can have a very precise view of what is happening at any given point in time within the network, and once you have it, you can have that database forwarded to XDR that can push down. The XDR tools are very good at classifying events. If you have actions in place as to what needs to be done, then, for example, if an email is marked under the phishing category, you would want to get rid of it from the inbox first. Ideally, it shouldn't even land in the inbox, but if it does, then you want to quarantine it. Pushing a certain action down to the affected devices, I think XDR tools do it brilliantly. I think it is always good to have a match between a SIEM tool and an XDR product or a customization between different tools to help achieve your goals.

The product does require maintenance. With the cloud instances that host the server, our company continuously monitors the health, as we have health checks in place that generate alerts in case something goes wrong, a major reason why we use Microsoft Defender XDR. My company also has Kaspersky's antivirus server, which is essentially hosted on a different server. Sometimes, because of the number of endpoints we have in our company's network, the server does slow down due to resource constraints. It is not my job to maintain the servers in my company, but we have a different team that deals with it. In our company, we do have a couple of instances where the servers are internally managed.

I think Microsoft Defender XDR is one of the best detection and response tools I have worked with as it is quite effective in flagging serious threats for the organization. In our company,we have faced multiple attacks over the last few months, but none of them have been successful, and I think Microsoft Defender XDR has played a major role in it.

Firstly, potential users of the solution should consider that the tool comes with a lot of already customized alerts for any Active Directory environment, but it is always good to understand, especially if you are a new user of the tool. Even if someone is new in the security team, I think it is that person's job to analyze the business, the kind of attacks you could expect coming in, and the kind of visibility that the organization provides on the internet. Once a person gets a good idea about the aforementioned areas, you need to customize alerts and create custom alerts for your organization because that is an area that is going to be unique and different for each and every company, so it won't ever be the same. Microsoft Defender XDR certainly helps with mapping the seven steps of the cyber kill chain, and if the product sticks to it and looks at every single step, lists down the kind of threats, and then customizes the alerts according to that, I believe the users will have a successful time in being able to detect threats before they happen or even while they are happening.

I rate the overall tool a ten out of ten.