Microsoft Defender XDR Reviews

I've mainly used the EDR component within 365 Defender, which is Microsoft Defender for Endpoint. It does a good job of bringing the whole attack story together, so you can see email activity, endpoint activity, cloud app activity, and some sort of sign-in activity as well relating to Azure AD, but I've mainly dealt with it from the EDR aspect.

It definitely improved visibility when I dealt with this solution, but the main benefit is the advanced hunting because it allows you to uncover threats that you didn't realize were there, or they weren't alerted because you were looking for specific behavior. The custom detection and linking to that is something quite cool because if you know there's a behavior, you want to keep an eye out for it. For example, it might be linked to a recent threat, so you can set up that detection query, and as soon as it finds a result, it will flag an alert. That has definitely helped to be more proactive and a bit more ahead of the curve with attacks. So, it improves visibility and also helps with being proactive.

It helps to prioritize threats across the enterprise. It does assign severity to a threat, but it also gives you an overview at a glance. If you know that your organization is susceptible to certain major threats, those are the ones you probably want to pick up on. With the severity and alerts, it gives you an idea of which is the most pressing incident. If you've got one with just one alert, that's a medium, but if you've got one with five highs. You're probably going to focus on the high one. That helps to prioritize.

It helps automate routine tasks and the finding of high-value alerts to a degree. You can have certain actions where if an event starts on the endpoint, it automatically isolates that. If it occurs, for example, on the email, then you can automatically purge it. It helps with the routine tasks that people would have to manually do in the portal. With automation, it takes care of it automatically if an alert fires. It improves efficiency because, after hours, there might be no one there available to isolate a machine. This way, as soon as the alert fires, that machine is isolated, and the next morning or the next working day, an analyst can go in and see that this alert fired and the endpoint has been isolated. That definitely helps from a coverage perspective when people are unavailable because those actions occur without anyone being present.

It has absolutely helped eliminate having to look at multiple dashboards and have one XDR dashboard. I've got three years of experience. At the start, we had all the individual portals for cloud app security, endpoints, Office, etc. The whole point of 365 is to unify, and they've done a good job. The different components are broken out into sections on the left-hand side, and you can very easily click through them and navigate them. It eliminates the need for multiple tabs and dashboards. It has definitely helped with what they were aiming for, which is to have a single pane of glass view.

It has saved us time by not having multiple dashboards. We don't need to open multiple portals and sign in to them. It definitely saves time there and also in understanding the true story of an attack. It has definitely helped in terms of efficiency. It's hard to quantify the time savings because I'm not using it now, but from what I remember, it saved at least 20% to 25% time just because it does a good job of giving you the information. You can glance at the key information that you need, and then it gives some details, and then you go to other places externally to investigate further.

The threat analytics give you a report on what Microsoft has seen in the world. What I like about those is that they will show you if that's actively impacting your environment at the moment or likely to. For example, if there are vulnerabilities that are being exposed, it tells you whether you're vulnerable or not, so you can protect against them before they are here. One thing I do like is that they also give you advanced hunting queries, so you can look for the behavior associated with those threats and make sure that you've got your coverage in place. I wouldn't necessarily call it threat intelligence. It's more of threat analytics and reporting that they provide.

I'm not aware of whether it saved any money in any of my previous roles, but a lot of organizations have the E5 security license, and they don't realize it. They have third-party vendors doing their email security, endpoint security, and so on, but holistically, Microsoft's E5 license gives you all of those capabilities, and it would also be cheaper than paying multiple vendors.

It decreases your time to detect and time to respond. It does a good job. It has the auto investigation ability so it can automatically detect threats. When you build custom detections, you can have automated response actions. Those two together help you with the mean time to remediate and the mean time to resolve. The information at a glance easily lets you see if it's a false positive or something that you know in your environment, and it's gonna be non-malicious. You can glance over and dismiss those alerts, and you could potentially be setting up suppression so that you don't get notified about them in the future. All in all, it helps you to improve your remediation. The time reduction depends on the scenario. Sometimes, you can instantly see false positives that would decrease your time by 85%. On the whole, there is about 35% to 40% time savings because of the way it correlates with the signals and gives you quick ways to remediate them.

For me, the advanced hunting capabilities have been really great. It allowed querying the dataset with their own language, which is KQL or Kusto Query Language. That has allowed me to get much more insight into the events that have occurred. The whole power of 365 Defender is that you can get the whole story. It allows you to query an email-based activity and then correlate it with an endpoint-based activity. The advanced hunting capabilities have definitely been one of my favorite features.

The way the incidents are put together is also good. It can intelligently correlate activities from email to endpoint, and then you can visually see it in the timeline view or graph view. It does a good job of presenting that incident to you, and it's easy to navigate between it and then pivot to some actions as well.

For some scenarios, it provides good visibility into threats, and for some scenarios, it doesn't. For example, sometimes the URLs within the emails have destinations, and you do get a screenshot and all further details, but it's not always the case. It would be good if they did a better job of enabling that for all the emails that they identified as malicious. When you get an email threat, you can go into the email and see more details, but the URL destination feature doesn't always show you a screenshot of the URL in that email. It also doesn't always give you the characteristics relating to that URL. It would be quite good if the information is complete where it says that we identified this URL, and this is what it looks like. There should be some threat intel about it. It should give you more details.

One other limitation is with cloud-based events. Sometimes, you don't get enough details in the alert. You have to go to other portals to then complete the story or do your own research, ask the user, etc. 

The other one is that with Defender for Endpoint, the attack story is quite good in terms of queries and things like that, but sometimes, multiple events for the same thing are captured, and it's not summarized in a good way. You have to open each entry to see what that partial syntax is. It'll be good if it said that this specific partial syntax was seen fifteen times, and maybe it's something to pay attention to. They could also do some sort of pattern matching. There could be some sort of pattern matching where it says that this is the attack trying to do some enumeration or reconnaissance activities. 

I've been using it for over three years.

There are some times when it does have downtime or service outages. They do a good job of updating the service status page to let you know about that, but there have also been misclassifications, for example, for Chrome updates, generating malicious alerts and things like that. On the whole, it's quite stable.

There are sometimes when it can freeze up or not present the data that you want. It gives you data unavailable or other errors, but, usually, these are quite quickly resolved. Sometimes, it's just to do with a particular instance, but sometimes, there can be wider outages. You just have to pay attention to the service status page or raise a support case and then be notified when that's resolved. On the whole, it's fairly stable.

Because it's built on the cloud and for the cloud, it does scale quite well. However, one area where it can be a challenge is when you use the Kusto Query Language for event hunting. Sometimes, if you do quite a generic search across, for example, thirty days of data, it gives you processing errors and limitations. I guess Microsoft does that for two reasons. One, to keep the cost down on their side, and two, from a performance standpoint. That is a bit of a limitation of scaling because if you want to do generic sessions across thirty days, you're not able to, but the idea is that you should be able to filter and granularly restrict conditions to get exactly the events you want. However, it would be nice if you were able to search more widely and if the solution could scale to support that, whereas, currently, it doesn't seem to, but that's not the use case they might have had in mind.

It depends. With some clients, we've had the fast-track option, whereas, with some clients, we just had to raise support cases. Usually, when you raise support cases, you're not going through an SME, so there is a bit of basic troubleshooting and things like that. With the fast-track option, you directly get through to someone who understands security, and you can explain the issue. They understand the issue, and you can get a much quicker response. So, the fast-track option is the one where I've had better success. The normal support can sometimes be a bit drawn. There could be a lot of back and forth about not relevant things just because they're not security trained, so they're trying to understand and then help you. 

It has been a mixed experience. Overall, I would rate them a seven out of ten because there have been some gaps, and there have been some successes, especially through the fast-track program.

Neutral

We didn't have anything that was overarching and correlated all the different signals. We had different products. We had a different product for email security or a different product for the endpoint. I might be wrong here, but I don't think there's another tool that brings those aspects together as well as 365 Defender does.

From what I went through in various roles, it was mostly in the cloud. Defender for Endpoint is a cloud-based solution. In fact, most Defender solutions are now based on the cloud. The only exception is if you've got Defender for Identity. For one of our engagements, I did deal with that, so it was a mixture. Apart from Defender for Identity, all the other solutions have been on the cloud.

In one of my roles prior to my current one, I was doing onboarding for a client with Defender for Endpoint. I was getting them onto it and migrating from McAfee. I was involved in the setup, coordinating the groups and the roles, and things like that. In all the other roles, the tool was already in place. It was just about maturing it and getting hands-on.

The setup was quite complex. Microsoft Docs guide you, but there were a few gaps that I had to fill in. One example is onboarding with group policy. Microsoft does lay all the steps on the docs page, but it doesn't give you screenshots. It doesn't give you things to look out for. It doesn't give you logs that would correlate to those events and things like that. I had to put things together using external sources, such as YouTube or just Google search. On the whole, it was very okay to follow, but it just didn't have that depth. What I produced for that client was a step-by-step coding guide with screenshots that they could give to the infrastructure team to get them on board. We had a good success rate that way, whereas if I had just sent them the Microsoft Docs link, I'm sure they would have had a few more questions.

That was the only use case I had experienced initial-setup-wise. The onboarding for group policy took maybe a month or two just because we had quite a big setup. We had different groups to roll it out to. We rolled it out to pilot devices, then 10 or 20 devices, then 100, and so on. It took about a month or two.

In terms of maintenance, from the service side, you rely on Microsoft to make sure it's available, secure, and things like that. Sometimes, you get downtime, and sometimes, you get bugs. For example, last year, a Chrome update was misclassified as malicious, which caused all the alerts. You then have to raise support cases to find out what happened. Eventually, Microsoft releases a fix, so in terms of maintenance, it's more on them. The only thing from your side is making sure, for example, the roles are still relevant. If someone who has access leaves, you need to make sure that their role is revoked. You need to make sure that you've got your role set up for the least privilege and things like that on an ongoing basis because there may be certain new features in the portal that have a corresponding role assignment. If you don't have that enabled or configured, then you're not going to get that benefit. That's the only thing needed from the maintenance perspective. You just need to make sure your roles are regularly reviewed and optimized when needed.

All I can say again is the E5 gives you all the capabilities that it offers. It also gives Office 365 and one terabyte of storage. All in all, the E5 license model makes sense. There are some people who say it's quite costly, but rather than paying different vendors, it makes sense to go all in with Microsoft if you've got that licensing. From that perspective, it's cost-effective, but I can't comment much on that.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that I'm slightly biased because I'm such a fan of the Microsoft suite. Some people do say that you shouldn't put eggs into one basket, and you're giving a lot of control to Microsoft and things like that. I would advise evaluating based on your needs. For example, for your endpoints, you might see much better value in CrowdStrike, Tanium, or something like that as compared to Defender for Endpoint.

You can do PoCs. Microsoft makes it quite easy. You can have the trials and things like that. You can play around and see which one supports your environment. I wouldn't say Microsoft is necessarily the option for all organizations, but I do think it's a very compelling offer. They're constantly evolving the product. They pay a lot of attention to consumer feedback. They've enterprise feedback as well to improve the product. I wouldn't completely rule out either option. If you've got one that's tried and tested for your enterprise, and that's a third party, you can see what Microsoft can offer. If it just doesn't match up, then stick to what you have even if it costs more because all in all, you may have tried and tested processes. You may have an investment in that product, and it may just have capabilities that the Microsoft one doesn't have. I would also encourage you to add a feature request for the Microsoft one, and then they'll be more on the equal side.

I would advise doing a PoC. If you are using Carbon Black, CrowdStrike, or Titanium, evaluate it. Have a sample host or spin up some VMs or onboard them to Defender. Do some simulations and do some attacks that you think are likely going to be. See how the logs look, see the investigation processes, and do a gap analysis with your current solution. If it brings you any value, then potentially look to deploy it further. Don't just go all in without understanding what it does. If you don't have any security solution right now, and you are a small business or a local business, it's worth doing the trial and seeing what value you get from the trial because, in that situation, you don't have anything to compare to. You are an easy customer to onboard from Microsoft's perspective because you wouldn't be that complex. So, do a trial and then go from there.

I would rate it an eight out of ten overall. I do really like the product. I do like the fact that it combines all the alerts into one. I remember when I was a security analyst back in 2019, I had to open multiple tabs and close alerts in one portal and then the other portal. They've done a good job of bi-directional syncing of alerts. If you're closing in 365 Defender, it'll close in the MCAS portal or cloud apps. Overall, the biggest thing for me was just advanced hunting capability because previously, it wasn't possible to get those cloud app events or Defender for Office events to do hunting. Endpoint was the first one to have that hunting capability, and I'm glad that they've extended that to the other stacks. So, overall, I would give it an eight, and I'm really impressed.

We use it for endpoint protection, monitoring network traffic, and enabling automation of issues, we utilize Microsoft Defender XDR. If we are specifically referring to Defender for Endpoint, it is a perfect solution to monitor user behavior and activities across all of our web portals. This provides an easy way to analyze and generate reports about user online activities.

Microsoft Defender XDR's security extends beyond Microsoft technologies and that is crucial for us.

Defender 365 stops the lateral movement of advanced attacks. An attack disruption would cause a lack of availability of our systems and corruption of data if there is a breach.

Microsoft Defender's ability to stop attacks includes an ability to adapt to evolving threats which is extremely important.

Microsoft Defender has enabled us to discontinue the use of a few different products. We consolidated our antivirus, web filtering, and EDR, and we had an endpoint monitoring tool that we now use Defender for.

Reducing the number of solutions we use has significantly impacted how our security team operates. This is because everything is now managed under one control and one tenant. This unified approach facilitates a natural integration with the various Microsoft products we rely on for collaboration, data storage, email communication, and other critical resources essential to our company's operations.

The discontinuation of many of our security products has reduced manual correlation.

Microsoft Defender has saved our security teams 20 percent of their time by providing a single console to manage everything. 

It helps prioritize threats across our company. It is a product that I use every day. I go into the portal all the time. It is very crucial to my security strategy.

We use additional Microsoft solutions. Most of them are available with E3 or E5 packages, including governance and DLP tools. We have integrated most of the ones we are using. Doing so was not that easy but not that complicated. It requires a lot of knowledge. They work natively together for coordinated detection and response, which is a critical component of my endpoint strategy for security and control. Without that, I would have a huge gap and I would have to find a different product.

One of the aspects I use it most for is as a basic antivirus installed on endpoints.

One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions. It's unclear who makes these decisions, but simplicity would be a highly welcome change. A great way to achieve this simplicity would be to have built-in wizards within the products to help users accomplish tasks. This would eliminate the need to guess where to find the necessary options to enable or disable features.

The features I would like to see added to Defender are improved web filtering capabilities and a WAF service. However, I may be mistaken, and Microsoft may already offer a similar solution. I understand that our finance department rejected most of the Defender for Azure services due to their cost, but I lack the information to judge their expense myself. I believe that, as with the Azure environment itself, which was initially considered expensive but became increasingly popular over time, the Defender for Azure solution will also gain traction if its price becomes slightly more competitive.

When it comes to visibility into threats, 365 Defender is slightly complicated, and much more complicated than competitors like CloudStrike. That's just the "Microsoft way" where everything is usually slightly more complicated. The interface is not clear.

Also, it is not clear when the system is offering a recommendation or just a way to validate something. It is not clear what will be automatically done and what you will have to do yourself.

I have been using Microsoft Defender XDR for almost five years.

Microsoft Defender XDR is stable.

Scaling it is not easy and not complex. It's in between. With Microsoft, sometimes it feels like they hide the menus and you need to search for them with a magnifying glass.

The quality of technical support I receive varies depending on the country from which it originates. Sometimes, I feel I possess greater technical knowledge than the support representative and find it more productive to research solutions online, such as through Google. Conversely, I find that teams based in Europe or the United States typically provide more professional and informative responses.

Neutral

Previously, we used ESET, Cisco Umbrella, and JumpCloud for endpoint security, along with Cisco web filtering. I found Defender convenient due to its integration within our existing Office 365 environment. Since Office 365 is built on the Azure platform and integrates seamlessly with other Microsoft services like email, SharePoint, and others, it was more natural to use everything under the Office 365 umbrella rather than navigate to third-party solutions.

Implementing Microsoft solutions has proven more complex than initially anticipated. Due to ongoing changes, the project remains in progress. Migrating from our previous third-party solutions and establishing full functionality required several weeks, potentially extending to three months.

We hired One Pass, an American consulting firm, for our project. However, I am dissatisfied with the work they delivered. One Pass is a large company with too many people communicating with us simultaneously. We had difficulty speaking to the appropriate person because individuals either transferred us to other employees or were unavailable due to vacation.

My advice is to read up on best practices so that you know what the best way to deploy it is. Otherwise, it will be a mess.

It is very effective as long as you don't need real-time information. For me, that's okay. When there is a need for real data, on the spot, which is not available from Defender, it is available CrowdStrike. But for the way I run my business, it is okay.

In terms of a best-of-breed strategy rather than a single vendor’s security suite, I would go with a single suite.

I would rate Microsoft Defender XDR an eight out of ten.

Microsoft Defender XDR is deployed across our organization, encompassing multiple locations, departments, and continents. With approximately 200 international users, we rely on a team of four in-house administrators for security management. Additionally, we utilize the services of external companies for first-line support, who also handle specific tasks within our Microsoft 365 environment.

Public Cloud

Microsoft Azure

We are a security consulting company that assists clients with their Microsoft 365 and Azure security and workloads. We can help optimize the use of their purchased feature sets and licensing, ensuring they get the most out of their investment for security and other workloads and features within the 365 and Azure environments. As information flows between their 365 and Azure environments, we offer expertise to ensure clients are utilizing all available resources effectively.

The majority of our deployments follow a hybrid model, which is currently the norm. Although there have been instances where organizations have fully migrated to the cloud, many larger enterprise solutions in the industry are still in the process of transitioning from on-premise to cloud-based infrastructure. Consequently, most of these solutions are currently in a hybrid state.

The visibility provided by Azure is multi-dimensional, and one aspect that I appreciate is the Microsoft 365 Defender portal. It not only offers Azure security but also a single-pane-of-glass experience where we can view our SaaS applications, email hygiene, and threats and alerts, all on the same page. The monitoring is exceptional, and the quality and depth of the telemetry are impressive. Clients appreciate the fact that we can access incident or alert details, including the affected entities and the timeline of events. For instance, we can identify where an email was opened, a link was clicked, and how malware or viruses spread across the network, causing damage. Additionally, the portal's ability to provide automated responses is second to none, and we can see how Microsoft's AI technology can isolate or stop these instances from further propagation. In summary, Microsoft 365 Defender is a powerful tool.

Microsoft 365 Defender assists in prioritizing threats within our enterprise by utilizing CVE security, a standard security prioritization method. This means that the product has incorporated industry standards into the Microsoft tenant, providing prioritized threats and best practice remediation. With the help of Defender, we gain insights on how to remediate and prevent future threats from similar malware or incidents.

We utilize several security products to ensure the protection of our data and identity. Our product offerings include Defender for Identity, Defender for Cloud, built-in tools for data governance and data protection, as well as compliance and monitoring through the compliance portal. Typically, clients with E5 or A5 licenses can benefit from these products, which cover a wide range of features for protecting data, and identity, and detecting risky behavior such as risky sign-ins and user behavior analytics. The behavior analytics feature, which is a part of our Defender product, has been particularly crucial for federal governments and other organizations with highly sensitive data. While all of our products are valuable and important, we believe that identity is the most crucial foundation to start with since it feeds into everything else.

The integration of Microsoft products is almost seamless, as long as we have the licensing piece. To enable sharing or maintaining telemetry across different solutions, we turn on Connect and switches for products like SharePoint, OneDrive, Teams, and Exchange. Setting up connectors for SharePoint on-premise or Exchange online may be necessary, but Microsoft provides setup wizards and good documentation on their website, making it easy to implement solutions. Any difficulties usually arise from user error or trying to integrate insecure legacy third-party software. However, most modern authentication and protocol software integrate seamlessly within the Microsoft environment. The Microsoft documentation site is excellent, with built-in training and links to assist with implementation.

The security solutions work together seamlessly to provide coordinated detection and response across our environment. One of the things I appreciate about these products is that the Defender products share telemetry across the board. For instance, if we set up Defender for Identity on our domain controllers, we need to grant permissions for that telemetry to be accessible from Microsoft 365 Defender in the cloud. This means we may have to give permissions to our on-premise domain controllers. While the integration is simple, it is essential to follow the documentation to ensure a seamless and easy-to-maintain setup, monitoring, and management of our Microsoft 365 and Azure ecosystems.

Microsoft covers all current threats that have been identified by various security organizations and standards. These threats are typically integrated into the Microsoft ecosystem, including zero-day detections. Microsoft is plugged into world-class cybersecurity organizations, ensuring that all vulnerabilities and updates are current and available in the Microsoft portals. The comprehensiveness of Microsoft's security coverage is top-notch, with seamless integration with other clouds and on-premise products. While there are other products competing in this space, Microsoft 365 users and organizations should not rely on third parties when Microsoft already has integrated solutions available.

Microsoft Defender for Cloud's bi-directional sync capability is crucial as it enables the transmission of telemetry data regarding SaaS application usage from client systems, on-premise devices, and any other systems that access the Microsoft 365 cloud. This feature ensures that real-time data is accessible for managed systems, providing immediate access to any detection of sanctioned or unsanctioned applications. The bi-directional sync capability offers immediate data feedback, which is essential for prompt action.

Microsoft Sentinel enables us to gather data from our entire ecosystem. However, it is important to note that using Sentinel requires a Microsoft subscription and a storage account. Therefore, it is necessary to consider the cost of data ingestion and aggregation. It is crucial to only ingest data that is relevant and beneficial for our security monitoring and data log aggregation. Simply collecting data without a specific purpose is not advisable. I advise our clients to focus on maintaining a lean monitoring and data log aggregation approach that yields security benefits. We can detect and query threats using the crystal query language that is integrated with Sentinel, making it a key component of our Microsoft security journey with our clients. Sentinel connects with everything and has native connectors and third-party options available. Additionally, Sentinel can be set up as a provider of security operations center capability by connecting it to another cloud.

Microsoft Sentinel allows us to investigate threats and respond to them in a comprehensive manner, all from one platform. What I find particularly impressive about Sentinel is its ability to provide both reporting and analysis through workbooks, and actionable response strategies through playbooks. In addition, Sentinel includes UEBA and threat intelligence capabilities. This raises the question of how we can evaluate the effectiveness of Sentinel's security protection. One advantage of Sentinel is that it not only detects threats but also responds to them using advanced DAI and intelligence technology. This allows us to take proactive measures and set up playbooks and other capabilities that integrate seamlessly with Sentinel. By taking telemetry from different products and environments, Sentinel provides a three-dimensional perspective that other products may lack. This helps us take the right steps toward risk mitigation or remediation by giving us current, broad coverage. With telemetry, we can take a holistic approach to secure entities affected by any type of alert or environmental compromise. Sentinel's ability to bring together reporting, analysis, and actionable response strategies makes it a superior product in terms of security protection.

The cost of Sentinel depends on the amount of data being processed. This is likely true for other similar products as well. Typically, the cost of using these products is associated with ingesting and aggregating data logs. However, I believe Sentinel's cost is competitive and provides an advantage, as it offers more than just a SIEM or SOAR solution. Sentinel includes response capabilities, which is where it excels. Therefore, I believe the cost is reasonable considering the benefits it provides.

After implementing Microsoft 365 Defender, our organization has observed a significant improvement in our security measures. We have noticed a substantial decrease in compromised accounts, access issues, and entry problems resulting from phishing attempts, emails, and other security threats. This improvement can be attributed to the robust exchange of online protection capabilities. The impact has been remarkable and has made a noticeable difference in our overall security. Additionally, addressing insecure applications operating within our environment and managing data governance has been a challenge. Data governance, in particular, can be time-consuming since data is ubiquitous and it takes time to establish the appropriate tools, labels, and policies to protect it. It requires a marathon-like approach rather than a sprint and Microsoft 365 Defender has helped reduce the time.

Our Microsoft security solutions automate routine tasks and aid in detecting high-value alerts. The ranking of these alerts is customizable, allowing us to adjust their priority based on our industry or organization's specific needs. While the default settings are effective, we appreciate the ability to modify them to better suit our purposes. This customization feature is particularly valuable as it allows us to tailor the alerts and detections to our particular use case.

The solution has helped our clients by eliminating the need for multiple dashboards and providing one comprehensive XDR dashboard. This has been the most significant feedback from our clients who prefer to have all information in one place instead of having to navigate through multiple portals. With the integration of Microsoft tools like Power BI, our telemetry can be displayed in different views and graphics, making it easily understandable for all stakeholders and users. Power BI can also import Sentinel queries, allowing for customized dashboards with a unique look and feel. I appreciate the flexibility and versatility of Power BI in creating informative and visually appealing dashboards.

The solution's threat intelligence helps us prepare for potential threats before they strike, allowing us to take proactive measures. I have witnessed some excellent updates that are posted on the Microsoft Defender portal. These updates have enabled us to stay ahead of any potential threats. When there is an attack, Microsoft is quick to disable affected services, such as service principals or services, across many servers and other devices, taking affirmative action ahead of time. I have observed many proactive notifications, including day-one or zero-day notifications, that are promptly released on the Defender side. This approach allows us to get ahead of the potential issues and prevent any significant impact.

The amount of time saved by using automation tools is significant and exceeds our expectations. While we sleep, these tools perform tasks such as deleting phishing and malicious emails and conducting automated investigations. This has resulted in a substantial reduction in the number of man-hours needed for Microsoft security and Defender product tasks, which has more than justified their cost.

Microsoft 365 Defender has saved our organization money.

Microsoft 365 Defender has significantly reduced our detection and response times. The proactive nature of the software alerts us to suspicious activity, such as a user logging in from an unknown location, allowing us to trigger conditional access responses accordingly.

In Microsoft 365 vendor products, monitoring and connectivity across all Microsoft and third-party connectors enable viewing of all activity within those environments. This is a key advantage for maintaining and monitoring usage, implementing security guardrails, and protecting data integrity and privacy from oversharing. Many clients face challenges in managing guest account access, SharePoint links, and access control. Thus, we recommend starting with access and entry as a foundational principle of security, using tools such as the identity secure score to assess the security journey progress. 

Microsoft 365 security portals cover four pillars: identity, applications, devices, and data, with Defender products geared towards identity protection being the most useful. These products help set up conditional access controls, privilege identity management, and risk mitigation strategies for legacy authentication and protocols. Defender products also provide visibility across third-party services such as AWS cloud, Box, Workforce, and other enterprise tools. Microsoft Sentinel, another useful product, provides a great solution for infrastructure visibility across Azure and on-premise infrastructure, albeit with associated costs for storage and subscriptions.

At times, there may be delays in the execution of certain actions and their effects. These delays are often related to Microsoft tasks that run in the background. For instance, when we perform an improvement action such as improving the secure score, it may take a few days before we see any changes. This delay can be frustrating, but it is still beneficial. We have also encountered issues with the secure score feedback when we set it up to work with third-party tools. We have reported these issues to Microsoft. To improve the situation, we need to fix this aspect of the solution so that we can receive secure score feedback closer to real-time or more promptly. This would be a significant improvement.

I have been using the solution for five years.

Stability has been good overall, but there was a recent incident where some of the most searched URLs were incorrectly tagged. This included URLs for services like Zoom, which caused concern among many of our clients. However, Microsoft has since corrected the issue.

Our licensing for Microsoft 365 Defender enables automatic scaling based on our needs. This means that the software's capacity will increase or decrease depending on our licensed usage.

The technical support we receive is of high quality. They effectively address specific incidents that arise, and their overall response time is satisfactory. We usually receive a response on the same day. In the rare event that an issue requires advanced technical escalation, they are able to provide us with a specialist within a day or two.

Positive

We have previously used CrowdStrike, McAfee, and Norton products but Microsoft 365 Defender is already included in the license we have with Microsoft so there is no need to pay for additional licenses.

The initial setup is usually straightforward, but it can become more complicated when we are dealing with scenarios such as bringing your own device or managed devices. In these cases, deploying can be a bit more challenging. However, I still believe that the process is generally straightforward.

Before deploying we typically do a pilot with the IT organization and once that goes well, we continue with the rest of the organization and their devices. We usually require between 10 and 20 staff for deployment.

The implementation was completed in-house.

The return on investment is significant. We have observed Microsoft 365 Defender's value in terms of saving man-hours that would have been spent sifting through logs and connecting information during investigations. The Microsoft tool provides us with an advantage by performing this task automatically, allowing us to take action on the information it has already gathered during the investigation. 

The cost of the solution appears to be appropriate, and we get what we pay for. Although I am aware that Microsoft has recently introduced licensing adjustments with plan one and plan two options, I have observed that they offer a higher level of benefits and value compared to our current solution. Nevertheless, we are taking steps to make our solution more accessible to various organizations, including educational institutions, by utilizing the licenses we have and pursuing certification for federal cloud services, despite the additional obstacles. Overall, I believe that the pricing of the licensing is fair.

I give the solution a nine out of ten.

We have a cloud environment, and for Microsoft 365 cloud services, our remote workforce is currently working from various locations. However, some resources and applications are still located on-premise and need to be accessed. To accommodate these hybrid environments, we usually use Azure AD sync to synchronize on-premise AD. This process can add some complexity.

Microsoft 365 Defender needs to be fine-tuned for optimal performance. In order to achieve this, adjustments need to be made based on the specific needs of the user. For instance, when tuning for phishing email security, there are different levels of aggressiveness available for the products. Fortunately, maintenance is quite minimal as Microsoft handles virus signatures, updates, and other related tasks. However, tuning is necessary for individual use cases, such as adding specific emails to an exception or whitelist.

Determining the best-of-breed in a given space can be subjective due to varying perceptions. While a best-of-breed strategy is effective in certain cases, it has limitations when compared to integration. For instance, when trying to identify the best tool for different security areas, having disparate solutions that don't communicate with each other can be problematic. Therefore, integration becomes a critical component in this context. Although having the best-of-breed approach is a great strategy, we also need to consider the benefits of integration and having a single pane of glass that provides an overview of all security aspects. This will help us avoid having to navigate multiple best-of-breed solutions in a sporadic manner.

My suggestion is for people to carefully review the documentation provided by Microsoft to gain an understanding of how the product works and how it fits with their particular use case and solution scenario. Negative feedback is often the result of a lack of knowledge or understanding. By taking the time to conduct a proper POC, engaging with the appropriate Microsoft representatives or consulting organizations, and being inquisitive, we can evaluate our current tenant and solution, and conduct a security assessment. This will enable us to make an informed decision about Microsoft products.

Hybrid Cloud

Microsoft Azure

We use Microsoft 365 Defender to provide cybersecurity to our clients. Microsoft 365 Defender provides real-time alerts which I review and analyze for our clients.

We implemented Microsoft 365 Defender to mitigate the cybersecurity threats our clients were facing. 

Microsoft 365 Defender is a valuable tool for our daily security operations. It provides us with a clear picture of security threats through its alert system, which identifies the origin of the attacks and correlates them with the MITRE ATT&CK framework.

It is user-friendly, loaded with features, and priced cheaper than the competitors.

Microsoft 365 Defender thwarts advanced attacks from spreading within our client's networks by utilizing the MITRE ATT&CK framework to recognize and categorize threats, then automatically taking steps to neutralize them.

Microsoft 365 Defender earns a rating of eight out of ten for its effectiveness in stopping attacks, which has demonstrably improved our security operations.

While Microsoft 365 Defender effectively stops attacks and adapts to new threats, human intervention is necessary for entirely new attack patterns. This is because the system relies on machine learning to identify threats based on past data, and completely new attack patterns wouldn't be recognized yet.

Microsoft 365 Defender enabled us to discontinue the use of other security products and helped save our security team time.

The most valuable features are machine learning, AI, and auto-remediation of non-malicious alerts. The onboarding and offboarding of devices are also seamless and the Windows Autopilot is helpful for our users.

Troubleshooting in Microsoft 365 Defender can be inefficient. Onboarding new devices with communication issues, for instance, requires using Veeam for log investigation and contacting Microsoft support, making the process time-consuming.

The current number of indicators of compromise provided by Microsoft is 15,000, but increasing this number would be beneficial for improving detection capabilities.

I have been using Microsoft 365 Defender for one year.

I would rate the stability of Microsoft 365 Defender ten out of ten.

I would rate the scalability of Microsoft 365 Defender ten out of ten.

Microsoft 365 Defender's technical support team is responsive, offering timely solutions to help our clients resolve their security issues.

Positive

In the past, we relied on both McAfee for antivirus protection and Cybereason Endpoint Detection & Response for advanced threat hunting, but we have since streamlined our security posture by consolidating these functions under Microsoft 365 Defender.

Microsoft 365 Defender is more user-friendly and flexible than Cybereason Endpoint Detection & Response.

Deploying Microsoft 365 Defender is a manageable process for our team of three, who handle our roughly eight thousand servers on an ongoing basis.

Microsoft 365 Defender offers competitive pricing. While purchasing an Azure subscription includes it in a bundled model, the standalone subscription cost for cloud storage and Defender itself remains reasonable, making it an affordable option compared to other security services.

I would rate Microsoft 365 Defender nine out of ten.

It takes some time to see the benefits because it is a large tool with many features that keep changing.

Our clients are enterprise-level.

Maintenance is required.

I recommend Microsoft 365 Defender to others.

Public Cloud

Microsoft Azure

We use Microsoft 365 Defender to protect our privacy.

Microsoft 365 Defender's XDR platform provides identity and access management which is important for our organization.

Microsoft 365 Defender's security extends beyond Microsoft technologies, which is important to our organization.

The multi-tenant management capabilities are easy and the support is 24/7.

It has helped save us approximately USD 1,000 per month.

Microsoft 365 Defender has helped save our security team time.

The most valuable feature is the network security.

Since all of our databases are updated and located in the cloud, I would like additional support for this.

I have been using Microsoft 365 Defender for almost four years.

Microsoft 365 Defender is stable. The only downtimes are scheduled by Microsoft and we are provided with advanced notification to prepare.

Microsoft 365 Defender is scalable.

Technical support is one of the reasons we chose Microsoft 365 Defender.

Positive

The initial deployment is easy. Microsoft 365 Defender is plug-and-play. The deployment takes a maximum of one day.

We also evaluated Kaspersky and Trellix XDR but found that Microsoft 365 Defender had additional features that met our needs and their support was better.

I would rate Microsoft 365 Defender nine out of ten.

Public Cloud

Microsoft Azure

Microsoft Defender XDR is our primary solution for security. We have a number of use cases across different environments, allowing us to secure all our use cases comprehensively.

One of the most valuable features of Microsoft Defender XDR is its ability to provide preemptive reports regarding excessive privileged access. This allows us to secure our systems in advance and proactively improve security, rather than waiting for incidents to occur. Additionally, it ensures that we are fully compliant before any audits are conducted, which has potentially saved our reputation. Furthermore, its integration across different environments allows central visibility for different workloads.

There is nothing I can think of at the moment that needs improvement. I am a contractor and finishing up soon, so I haven't encountered any issues requiring enhancements.

I have been working with Microsoft Defender XDR for a few years now, about one and a half to two years.

I was involved in the deployment, and it was very easy to set up and configure. I did not encounter any problem—it took half a day to a full day at most.

There are no complaints regarding the stability of the solution. It seems to do the job well.

The customer service is good, and they supported us well. Although it took some time, we got the required support in the end.

Neutral

The initial setup was straightforward, and I did not have any issues with it.

We used Teams for the deployment, but I could be wrong on that.

Overall, I would rate Microsoft Defender XDR a seven out of ten. It is a useful tool and not necessarily the best solution I've seen, but it is good and I wouldn't object to using it.

Other

It addresses various use cases, including monitoring and securing file storage like OneDrive and SharePoint. It has recently incorporated Teams integration to safeguard against malware. Additionally, it serves as a replacement for on-premises Advanced Threat Protection, offering enhanced capabilities. It has proven valuable in highlighting critical scenarios related to credential use and legacy Active Directory, providing substantial assistance in these areas.

When transitioning to Microsoft Defender for Endpoint from our previous use of ATP, we observed significant improvements. Legacy ATP involved numerous signals and a substantial learning curve, but Microsoft Defender for Endpoint establishes a more effective baseline. In comparison to Cylance, which generated a considerable amount of background noise, Microsoft Defender for Endpoint enables us to concentrate on the more critical alerts that demand our attention. Our team is actively phasing out disparate security tools in favor of a streamlined approach. The efficiency gained from having a single pane of glass is a powerful asset for our team.

One of the most valuable aspects is the comprehensive insights it provides into on-premises identities, particularly within Legacy Active Directory. This allows for the examination of use cases related to identities, ensuring there is no misuse of accounts or computers. A crucial aspect for our team is the inclusion of identity and access management tools from the vendor. Despite being a sizable global company, our team is relatively small, considering our global reach. Therefore, minimizing overhead is a top priority for us, and integrating these tools from the vendor becomes crucial in achieving that goal.

My suggestion would be for Microsoft to continue aligning all components within this ecosystem. This consolidation is beneficial as we strive for a more unified and comprehensive view, essentially a single pane of glass, which is highly valued. In the future, I hope for increased third-party integration. While Microsoft plays a role, it's equally important for third-party providers to step up. In our organization, the information security team has endorsed a specific set of products. Integrating the telemetry from these approved products into our systems would be immensely beneficial, providing a more comprehensive view and enhancing our overall security posture. Extending security coverage is of paramount importance. Integrating telemetry could bridge these gaps, fostering greater cooperation among individual teams within the organization. Having teams collectively examine the same information might contribute to advancing collaboration and overall security efforts. The capability to not only thwart attacks but also to adapt to evolving threats is crucial.

I have been using it for the last three years.

It is exceptionally stable, without encountering any notable issues or complaints. Microsoft seems proactive in communication through the message center, keeping users informed about any ongoing issues, and we appreciate the clarity provided through multiple channels.

It has the capability to scale seamlessly, especially with Microsoft's expertise in the cloud. We have over six thousand end users globally distributed across various facilities, with some on-premises deployments due to specific requirements. However, our overarching strategy is cloud-first, and the majority of our infrastructure operates in Azure. In terms of endpoints, the number is substantial, likely exceeding seven thousand when considering both servers and clients.

We haven't had the need to contact them so far. In general, our experience with Microsoft support has been variable—it can be both beneficial and challenging. While they offer a wealth of resources, there are instances where the response may not align with our expectations. I would rate it eight out of ten.

Positive

I made the switch from Bitdefender to Defender primarily due to cost considerations. In my professional assessment, Bitdefender appears adequate from a client perspective, but when it comes to enterprise deployment, I don't view it as fully enterprise-ready. We encountered numerous challenges, particularly with installing Bitdefender's agent on Server 2022, which proved to be a significant hurdle for my team, consuming valuable time and resources. The advantage of Defender lies in its ability to seamlessly bring together threat telemetry from servers across various cloud providers, including Azure, and extend this protection to our Windows endpoints, offering a robust and integrated security solution.

The initial setup was straightforward.

Our implementation strategy was relatively gradual and soft. We enabled the features, allowed it to ingest the data, and then began assessing the generated alerts. Taking a somewhat silent approach, we deferred more to the expertise of our information security team, considering their role as the cornerstone in this aspect. As we moved forward, we aimed to identify areas for improvement and address the specific queries and needs that our team raised during the process. Our ongoing maintenance primarily involves fine-tuning our alerts to align with our specific use cases.

In terms of return on investment, the potential for cost reduction is a key consideration and Defender does provide it. The time saved is substantial, especially if we can navigate through our internal processes efficiently. Specifically for my infrastructure team, using Defender for Endpoint has significantly reduced the time spent delving into emerging issues. As a rough estimate, I would say it saves us approximately six hours a week that would otherwise be spent navigating through the complexities of individual components within Microsoft 365.

I find the pricing to be quite competitive, especially considering its inclusion in our E5 subscription, which provides a comprehensive set of functionalities. Initially, when I evaluated the pricing for add-ons with our E3 subscription, it seemed reasonable. However, we opted for the E5 subscription, absorbing the additional features seamlessly.

I'd recommend exploring Microsoft's Learn documentation, a resource that is sometimes overlooked but provides valuable insights into the capabilities of Defender. It's a good starting point to understand its features. For large enterprises with tools like Visual Studio subscriptions (formerly MSDN), Microsoft offers the option to set up an E5 tenant for testing. This can be deployed freely for up to twenty-five licenses, excluding the Windows license. I suggest diving into hands-on experimentation in a lab environment, combining practical experience with informational reading for a comprehensive understanding. Overall, I would rate it nine out of ten.

Hybrid Cloud

Microsoft Azure

Microsoft 365 Defender works together with Exchange Online is my area of specialty.

Microsoft 365 Defender incorporates a capability to identify potentially malicious emails or emails originating from suspicious senders.

Previously, we encountered a significant number of spam emails and suspicious emails, and users were inadvertently interacting with them. However, we have made progress in addressing this issue. We have conducted attack awareness training to educate users on identifying suspicious emails, and Microsoft Defender has played an important role in preventing such emails from reaching our inboxes. As a result, we have noticed a reduction in the volume of spam emails and an increase in the delivery of trustworthy emails. Considering these improvements, I can confidently state that we are in a better position now in terms of email security compared to the past before the implementation of Microsoft 365 Defender.

Within Microsoft 365 Defender, specifically using Advanced Threat Protection, you have the ability to define rules and actions for high-value alerts. 

By using Advanced Threat Protection, you have the capability to conduct thorough investigations and delve deeper into the search for specific threats that you suspect may be present within your organization. 

Within the Microsoft 365 Defender suite, you have access to numerous features that enable you to effectively track and investigate potential threats within your organization.

Automation significantly impacts our security operations in a highly beneficial way. It revolutionizes our approach by providing a centralized IT vendor admin center where we can execute all our search queries and obtain the desired information from a single interface. This unified platform streamlines the entire process by consolidating various components and their respective search processes into one, eliminating the need to navigate through multiple individual interfaces. With Microsoft 365 Defender, we have the convenience of accessing and investigating different areas of interest from a single standpoint. This not only saves us substantial time but also reduces effort and enhances overall efficiency in our security operations.

The consolidation of security operations has had a significant impact on our effectiveness and efficiency. It has resulted in improved response times, enabling us to swiftly pinpoint the potential sources of threats. We have observed a reduction in incident response time, allowing us to address security incidents more promptly. Additionally, the consolidation has enhanced the efficiency of our deployment processes, streamlining our overall security operations. These notable impacts have greatly contributed to our organization's ability to proactively identify and mitigate threats, ultimately bolstering our security posture.

Threat intelligence is an essential component in proactively preparing for potential threats and implementing proactive measures. While I have not personally engaged with this particular feature, it is widely acknowledged that staying informed about current threat intelligence is essential.

Although preventive measures are in place to minimize maintenance issues, there can be instances where threats successfully circumvent those safeguards. However, the capability to detect and identify threats before they cause harm to the system remains a valuable advantage. Anticipating the effects of this specific feature in Microsoft Defender is something I am eager to experience, as it appears to be a fascinating addition to the security measures.

Another noteworthy feature that I find appealing in Microsoft Defender is the credit-backed simulation. This feature enables organizations to train their users on effectively responding to phishing emails through a simulated training environment. 

Indeed, the credit-backed simulation feature in Microsoft Defender operates by sending simulated phishing emails to users within the organization based on the configured settings. When a user interacts with the email by clicking on a link or taking any action, they receive a notification informing them that it was a simulated phishing attempt. This simulation serves as a valuable training tool, helping users learn how to detect and respond to phishing emails effectively. By experiencing these simulations, users can enhance their awareness and develop the skills necessary to prevent falling victim to real phishing scenarios in the future. This feature is highly valuable in improving the overall security awareness and resilience of the organization's users.

In terms of visibility, Microsoft 365 Defender offers a comprehensive and detailed overview of threats and potential traces identified within your organization. 

Within Microsoft 365 Defender, you have the ability to configure specific criteria and assign high-risk values to certain indicators. This allows you to align with compliance regulations and establish your organization's threat determination framework. By leveraging Microsoft 365 Defender, you can implement and enforce these criteria to analyze and assess potential threats in your environment. 

I believe that Microsoft has the potential to greatly enhance the efficiency of the application by incorporating advanced capabilities into this feature. By providing users with the ability to customize and tailor threat detection according to their specific needs, Microsoft could significantly improve the overall effectiveness of the application. The addition of advanced capabilities would be a valuable enhancement, complementing the existing features and further strengthening the overall functionality of Microsoft 365 Defender. This would undoubtedly be a welcome and highly beneficial addition to the platform.

Microsoft 365 Defender demonstrates a commendable level of comprehensiveness in its threat protection capabilities. However, it is important to acknowledge that false positives and false negatives can be potential challenges in any security solution.

I primarily focus on using two key features within Microsoft Defender: the attack training simulation and the threat policies integrated with Azure Guard Protection.

The dashboard is one of the features of this application.

Implementing this solution has proven to be time-saving as it enables us to effectively track down suspicious and malicious attachments that may accompany emails. Even if users tend to click on attachments without much thought, we have successfully prevented and significantly reduced security breaches that were prevalent in our past security architecture. The ability to identify and mitigate potential threats has greatly improved our overall security posture, providing us with enhanced protection against breaches and unauthorized access to our systems. By leveraging this solution, we have experienced tangible benefits in terms of minimizing security incidents and safeguarding our organization's sensitive data and resources.

There was a specific incident where an email was received containing an executable file, and unfortunately, like many other users, this particular user was unaware of the potential risks and clicked on it without hesitation. Consequently, the consequences of this action became evident. 

Microsoft 365 Defender has provided us with the capability to pinpoint the specific machine where the application is currently present, as well as track the actions and steps that the application has already taken on that machine. This is just one example of the numerous areas where Microsoft 365 Defender has proven invaluable in our security operations. 

While providing an exact numerical comparison may be challenging, I can confidently say that the improvement in our response capabilities with Microsoft 365 Defender compared to our previous security architecture is indeed significant.

It is fair to acknowledge that Microsoft 365 Defender, like any software product, is not without its imperfections. There are instances where it may incorrectly flag legitimate emails from trusted senders as spam or exhibit inadequate performance in accurately classifying certain emails.

Aside from that, it's a pretty good solution, and that is for the emails.

However, the main point I want to convey is that for someone who is new to it, using Microsoft 365 Defender will demand a significant amount of effort and a willingness to learn about the product in order to maximize its benefits. It deals with technical aspects and encompasses a broad range of features beyond just the mentioned warranty, such as online exchanges. To effectively utilize Microsoft 365 Defender, it is important to have a thorough understanding of its functionalities.

It may be too complex for beginners to grasp.

In the future, it would be beneficial for Microsoft to consider making the product more user-friendly or simplified for those who are interested in using it. Currently, it requires a high level of technical expertise, making it challenging for beginners or less experienced individuals. 

Breaking it down into smaller components or enhancing its comprehensibility for end users would serve as a valuable advantage. In fact, it would not only impress others but also motivate them to understand the significance of utilizing I Defender in their specific situations.

At the moment, I have limited knowledge about TripAdvisor and its offerings, so I'm unable to provide comprehensive information. However, based on my current understanding, I believe it would greatly benefit from being more user-friendly and simplifying its features. This would enable users to easily navigate the platform and maximize their experience with it.

I have been working with Microsoft 365 Defender for a year.

To the best of my knowledge, I have never encountered a situation where Microsoft 365 Defender experienced significant crashes or unresponsiveness, aside from occasional instances of false positives and false negatives. I have found the platform to be reliable and self-service oriented, with prompt responses from the provider whenever assistance was needed.

We currently have around a hundred users with Office 365 licenses; however, not everyone has the same plan that includes Microsoft 365 Defender. I was hoping to access the admin dashboard to have a closer look at the settings and configurations, but it seems that access is limited to approximately fifty users.

This is managed by Microsoft you don't have to do anything.  All you have to do is understand how to use it to make it work for you.

Similar to other cloud applications, I believe Microsoft 365 Defender demonstrates excellent scalability by seamlessly accommodating an increasing number of users. It effortlessly scales across these users, eliminating the need for extensive efforts to extend security measures to them. The scalability of Microsoft 365 Defender is highly commendable.

In situations where an email that appears to have properties indicative of spam gets delivered instead of being flagged, it is advisable to contact the technical support team directly. 

Engaging with customer support allows you to understand why such potentially harmful content was allowed into your organization. While Microsoft 365 Defender is an advanced solution, there is always room for improvement, and feedback can help drive future enhancements to make it more effective.

By reaching out to customer support, you can address specific concerns and gain insights into how to optimize the system's performance for better security outcomes in the future.

I would rate the technical support an eight out of ten.

I use Exchange Online Protection in conjunction with exchange mailboxes.

They collaborate closely. Collaborating with one is nearly identical to collaborating with the other due to the overlapping features between Microsoft 365 Defender and Exchange Online. Essentially, I consider them to be synonymous since their primary objective is ensuring security.

They lack native integration and instead exhibit interdependence. I believe their collaboration is essential in order to fully utilize their capabilities and optimize the user experience. It is crucial for them to function together in order to achieve maximum benefits and enhance overall performance.

The main differentiating factor is the expanded scope of Microsoft 365 Defender, which is evident as the primary distinction. Our utilization includes Microsoft 365 for cloud applications and Microsoft 365 for Office Microsoft 365 applications. However, when it comes to Exchange Online Protection, its functionality is exclusively focused on email boxes.

Microsoft 365 Defender provides a broader and more extensive coverage compared to Exchange Online Protection, offering a wider reach in terms of wireless accessibility.

In the past, we used Mimecast for email filtering, and before that, we employed Trendmicro as our spam filtering and email filtering solutions.

I was not involved in the deployment process.

Previously, organizations had to invest in separate third-party filtering solutions to effectively address potential threats and breaches. However, the situation has now improved significantly as Microsoft 365 Defender consolidates all these necessary security measures into the comprehensive Microsoft 365 license. This consolidation brings numerous benefits, making it a win-win scenario for organizations. They no longer need to make additional purchases or manage multiple security solutions, as everything is conveniently available with the Microsoft 365 license.

With an eligible and dependable license like Microsoft 365, there is no need to concern yourself with the purchase of an additional third-party solution, which often comes at a higher cost. 

All these functionalities have been consolidated into a single license, eliminating the need to incur additional costs for third-party solutions such as Google Security for email features and similar functionalities.

The time it takes for us to respond has been significantly reduced. Additionally, the time it takes to detect potential threats has also seen significant improvements.

In situations where Microsoft 365 Defender did not successfully mitigate a potential threat or error, it highlights the need to initiate a new process to address the specific scenario. However, with the current setup, we are now able to detect and prevent such incidents in a timely manner. This proactive approach has saved us from potential future issues and the associated costs that may have arisen. Without Microsoft 365 Defender, it would have been challenging to identify and contain these threats, which could have caused widespread problems throughout the environment. The implementation of Microsoft 365 has effectively stopped such incidents from occurring, mitigating the need for extensive investments to resolve the issues. This positive outcome demonstrates a favorable return on investment, provided we fully understand and leverage the capabilities of the product to its maximum potential.

I believe the pricing is fair and acceptable. I consider it to be reasonable and satisfactory.

If you prioritize security, considering the cost should not be a determining factor. If you truly understand the level of protection offered, you wouldn't be concerned about the price. Instead, you would focus on the value provided. From our perspective, the pricing is reasonable considering the significant benefits and value we currently receive.

We recently transitioned away from those solutions and successfully migrated everyone to Microsoft 365 Defender. Since then, we have been exclusively using Microsoft 365 Defender without any changes up to the present time.

We have no motivation or desire to switch to or explore other products, as we are already satisfied with the quality and value we receive from our current investment.

Optimally managing a combination of various security solutions can be time-consuming and overwhelming. Instead, having a single dashboard where you can consolidate and run all your queries proves to be more efficient. While the intention might be to extract the maximum benefits from multiple solutions, dividing your attention among them hinders the ability to fully leverage each one. Therefore, it is advisable to identify a comprehensive solution that meets your requirements and focus on understanding how to maximize its potential and utilization.

Furthermore, using multiple solutions in an environment can lead to compatibility issues and conflicts. When you have multiple applications performing similar functions, it can complicate matters and potentially cause problems in the future. To avoid such complications and maintain a streamlined setup, it is advisable to stick with a single solution and focus on understanding and optimizing its usage. By doing so, you can ensure better control and avoid potential disruptions that may arise from using multiple conflicting applications.

To truly grasp the value of a service like Defender, it may be challenging for someone who hasn't experienced the need for its intervention firsthand. It is essential to engage individuals who have encountered scenarios where Defender played an important role in saving the day. When evaluating the effectiveness of the solution, it is important to involve those with hands-on experience, who have witnessed the capabilities of the product and understand how to maximize its utilization. The hands-on experience becomes paramount when screening and assessing the proficiency of individuals in dealing with this specific solution.

I would give Microsoft 365 Defender a rating of nine out of ten. The only reason I'm not giving it a perfect score of ten is that it can be quite technical for someone who is just starting out. Additionally, there may be occasional false positives and negatives, which is not unique to Defender but is a common occurrence in various software and security applications. However, apart from these minor aspects, I consider Microsoft 365 Defender to be an excellent solution overall.

Private Cloud

Microsoft Azure