Microsoft Defender XDR Reviews

I am a consultant responsible for deploying and providing customer support for Microsoft products. We use Defender XDR for endpoint protection. It helps them secure endpoints with an advanced XDR solution that conducts behavior analysis and things like that.

Defender XDR provides more visibility into all the connected services, including the security stack and all the productivity software. They're all integrated. It's much less maintenance and has fewer headaches during integration and setup. Implementing the solution and getting the customer fully protected takes very little time. According to Gartner, it's one of the best solutions on the market,  and it requires a limited amount of time and resources to get it fully operational.

By adopting Defender XDR, our customers have discontinued other security products. The solution can replace products like Kaspersky, McAfee, Trend Micro, and even CrowdStrike. 

It has affected customers' security operations by simplifying permissions and reducing the total cost ownership if we discontinue all the security products that the customers used before. Customers usually save around 20 percent, but it's more than simply replacing one component with another. It replaces several security solutions like email and cloud application protection. If you compare the total cost of ownership of on-prem solutions versus Microsoft, it is better to go with Microsoft. You also get lifetime upgrades for the systems and features that you implement.

Microsoft XDR's system of analysis and investigation is super convenient for our customers. It integrates with other Microsoft solutions like Defender for 365 to protect email traffic from malicious external web links and phishing. Customers like that the platform provides a single pane of glass for all the security services. Many of them do not have the capacity to support complex systems, so it's better for them to have most of the tools integrated into one platform. 

You can integrate XDR with Microsoft's identity solution Entra ID if you have a premium license. Those tools are fully integrated, but you need to purchase a separate solution called Defender for Identity to get tools to protect identities and connect the Enterprise Data Center with Defender.

Defender XDR's coverage isn't limited to Microsoft products. You can use almost any solution and achieve the same single point of control. For example, you can integrate Microsoft Defender for Cloud Applications, which covers all the cloud service providers. It isn't limited to only Microsoft infrastructure.

Customers say they want absolutely seamless integration between other Microsoft solutions and Defender XDR, including the ability to change device settings within the Defender portal. They need to contact the IT team responsible for the device management tools to change some settings. They would prefer that those changes be initiated directly from the Defender portal or applied from Intune without involving the IT operations team.

I have used Microsoft Defender XDR for five years. 

Defender XDR is almost 100 percent stable.

Defender XDR is infinitely scalable. 

I rate Microsoft standard support six out of 10 and premium support eight out of 10. The response times for basic Microsoft support leave much to be desired. It can take up to two weeks to resolve issues if you don't have a support contract. 

Neutral

Deploying Defender XDR is relatively straightforward, but it depends on whether the customer has already integrated its on-premise infrastructure with the Microsoft cloud.

Deployment requires one or two engineers on our side. We determine the scope of the work and the deployment before rolling out the clients to the endpoints. The biggest question is whether the customer already has the network infrastructure prepared for that service based on the Microsoft documentation. For example, we must determine if the endpoints connect directly to the Microsoft cloud or through a proxy server, firewalls, etc.

Defender includes four or five products different products. The most useful is Defender for Endpoint, which typically takes up to two weeks to deploy, while Defender for Office and Defender for Identity take one week to deploy. Defender for Cloud Applications can be deployed in a few days. It also depends on how the customer will use it. If it's being used for compliance, the customer's requirements may be totally different. 

The number of maintenance and administrative personnel depends on the organization's size and the number of solutions deployed. It's hard to calculate how people would be necessary for that particular part of the security ecosystem. However, Defender XDR takes up to three people to manage. 

Defender XDR is expensive, but the cost is justified. Defender is included in an E3 or E5 license. If you don't have a premium Microsoft license and you purchase Defender separately, the whole model will be different. You can also pay extra for premium support. 

I rate Microsoft Defender XDR nine out of 10. I recommend starting it as soon as possible, but you must also plan for any future on-premise solutions that you might bring into the system. Consider any prerequisites you need if you decide to go with the product. The biggest issue is that your network infrastructure needs to be set up according to the Microsoft documentation.

We're using it for our email filtering to check incoming emails and URLs. We're also using it for vulnerability management to see the status of our assets that are registered on the system. We also check it to see what kinds of threats and campaigns are currently being launched via emails.

It provides us with better insight into what's going on across our platform. It has also given us a very easy way to respond when threats or alerts come through. And when looking for someone in particular, it helps with that. It hugely improved our insight into what's going on inside the company's premises and environments.

365 Defender also helps find high-value alerts, but we haven't used it for complete automation. It has some automation features where it can try to block or quarantine things, but beyond the default automation configuration, we haven't explored deeper into using automation. The default settings work well.

And while we've always used one or two dashboards, this system has made it easier to have a quick overview on a single platform.

In addition, the threat intelligence helps prepare you for potential threats, to a certain limit, because it gives you insights into where your shortcomings are, your vulnerabilities. It also gives you some security recommendations to make improvements.

And the solution has decreased our time to respond because on high alerts you can get a quick response. The system will notify you very quickly if it detects something at a certain thread level or a custom threat level that you set.

Microsoft 365 Defender has a very great interface to help protect registered devices when it comes to web protection, which is very handy.

We also use the alert systems often. It's a great threat intelligence source for us, providing alerts for things it detects on the network and on the machines. We've used it often when there is a potential incident to see what was done on a computer. That works quite nicely because you can see everything that the user has done, including websites accessed, et cetera. And if something was on the machine, we can see what it was trying to do.

I use the alert system on a daily basis. It gives you a very good analysis of where something was found, which employee or which device. And it often gives you a good history on that. The alerts help me to monitor and check what is going on. That's a very valuable system to have.

We've also tried the attack simulation, which sends out phishing emails internally as a test to see how the users respond. We get feedback and use the training simulation as a result. We've only done that once, and it's something we want to work on a little more.

In addition, we're using the assets on the system as well as the inventory functionality. It checks all the machines to see what software is installed on them.

We've used a lot of the features on the cloud, although not everything to its full potential, but we've used 70 to 80 percent of all the features on the cloud.

In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things.

The information it provides is great, but for a newcomer, it is quite tedious and takes a long time to load. Here in South Africa, when you click, oftentimes you have to wait quite some time before you get to the next page. It's not necessarily internet-related. I think it's just that the service is a bit slow.

Also, while the solution does help to prioritize threats, unfortunately, it doesn't do so for the entire environment. The reason is that it only supports full integration from Windows 10 and up. It provides you certain information from your server environment, but when you start going with legacy services, it is a bit lacking.

Another issue that is sometimes a headache is that they constantly make changes. Things will be merged, they will get different names, or be moved around. Things will be added and other things go somewhere else. They do a lot of development to make the product better, but it's very frustrating having to search for stuff after they've moved it, because you don't always know that they have moved things. They might have little banners, but if you're just working and don't read them, you don't know where things have gone. 

I would also really like to see better integration with the server platforms for managing your server environment. That's something it currently doesn't do. For all the server environments, you either need to make use of group policies or SCCM to manage that independently. It can provide you information on the system, but it doesn't have control over your server line.

Also, I make use of 365 Defender on a business level and on a personal level. On the personal level, there is a lot less functionality. Something that would be very nice is that, for the level you are on, you would only see the product you are subscribed to. For instance, if you log on via the business, you have all your action areas, anything you can do and see, on the left. Because you're using it at a corporate level, you can see and do everything. On the personal level, or in a small business where you're only using some of the features, you still have all the same options, but when you click on them, it tells you that you need to upgrade or subscribe. They should only show you what you have access to, and not all the tabs and then say, "You need to subscribe to get access to this." It just clutters the whole area.

We have been using Microsoft 365 Defender for about two years.

Overall, it has 95 percent stability. We don't have any issues with it. It works well. Microsoft does provide frequent information when there are issues or delays. But the stability is very good.

We're still learning a lot about its capabilities. It's more capable than what we use it for. That is due to a restriction on our resources and availability to get to know the system even better.

We have contacted Microsoft tech support multiple times. They are quick to respond to the original request. Sometimes I have been quite surprised because they have replied within 15 minutes. Some of the questions we had were resolved quickly, on the order of 60 minutes. I had one that took almost two years to get resolved. But in general, they are quick to respond. Their support is very good and quick.

Positive

Before 365 Defender, we made use of Avast as our antivirus, which had its own web console. For malware protection, we used an on-prem Cisco IronPort system that was scanning all our emails. And most of our SIEM logging information was done manually. We had much less insight into what was going on in the company.

Because it was a new solution for us, we had a company that works with Microsoft assist us, to make sure that all the configurations were standard. But since then, we've maintained most of it ourselves. On our side there were no more than five people involved.

It's a very expensive product, but for any threat it has definitely stopped or protected us from, in that sense, it has saved money and time, by preventing things that could have happened. But is it affordable? No, it's expensive.

If you look at everything that the solution entails, and the big cost to companies, especially medium-sized companies, one would like to have a bit of a price decrease due to economic circumstances. The functionality is fantastic, but for medium and small-sized companies it's overpriced. It would be better if it were a little bit cheaper.

We did look at other solutions. In the end, we decided on 365 Defender because it was all integrated. It worked to our advantage because all the products that we needed were already on the machines. All the products that you get from the Defender area are part of the built-in Windows 10 features. It gave us a better way of controlling and managing things. Overall, it made more sense to have one central place to manage and control and be alerted.

My advice is don't be frightened when you start getting into the solution. If you are not used to the environment, it is a mouthful, and it can really scare your socks off. There's just so much to it that you won't really know where to start.

The best thing I can recommend to anybody who is starting is to get somebody who knows the system to give you a walkthrough. Also, look at the tutorials to see what the functionalities are. It will be beneficial for any person to get a good overview of what's going on in 365 Defender, the capabilities and how it looks. But getting in contact with somebody who has some experience already in using it will help you to ask where to find things. "Where do I go from here? Show me how you're set up, so I can at least see some of the functionalities."

My very first impression of 365 Defender was that I was looking for something, but I didn't even know where to start. It was too overwhelming. As I spoke to other people who knew about the system, they gave me an overview and that made it easier for me to understand and to know where to go.

365 Defender is our main deployment, but we've got the endpoints also connected on Intune. They work together to deliver coordinated detection and response in our environment. Our complete suite is pretty much all Microsoft. Our environment is a 50/50 hybrid. We use Intune for certain policy changes and some of the deployments. But because our environment has a lot of legacy systems, we make use of the normal, on-prem deployment services as well.

Sentinel is linked to our on-premises Active Directory. It helps identify things that are happening on-prem. For example, when a user's account instance gets locked out, it will show you, on Defender, from which local machine it was locked out. Or if certain things are accessed, it will show that information on the on-prem Active Directory. It works well. For investigating and responding to threats, it definitely helps by dumping the information in a centralized location with the alerts to identify a bit more flow pattern. If something happens that's not on the cloud area, but it's on-prem, it helps track and identify movement. The information from Sentinel is an added bonus.

Overall, Defender 365 has saved us time, compared to the old ways of doing things, but at the same time, I wish the site was faster. Sometimes it can be very slow.

Best-of-breed solutions versus a single vendor's suite comes down to personal experience. With best-of-breed, at least you know that they have been tested in the industry and have a lot of history behind them. Also, the redundancy would be a lot better. Going with a single vendor sometimes makes it a little bit difficult, especially if they are only focusing on one area. It's a difficult question. It might come down to the way someone was "brought up" in the security industry or the way that they trust these companies.

I give Microsoft 365 Defender a nine out of 10. Once you get to know the system, it's really awesome. It provides a lot of insights.

We use the entire 365 security package. Defender XDR is primarily used for real-time malware scanning. Our company has about 1,500 endpoints. 

Before Defender, we used a different tool but were unhappy with its performance and frustrated with the deployment. Defender offers real-time scanning and alert notifications.

By adopting the Microsoft stack, we have eliminated other security solutions. Defender XDR reduces manual work. Our organization manages more than 1,500 systems, and manual intervention on all these systems would be a huge workload. Cloud solutions are easier to manage and monitor. 

We are a massive Microsoft shop. We see significant savings by getting all of our security from one vendor. There is a considerable drop compared to buying from other vendors. 

Defender XDR enables you to scan a system remotely and get a complete inventory of its assets. You can gather more information from the asset inventory and apply threat intelligence using Office 365 or something. It's a user-friendly, cost-effective, and feature-rich solution. The XDR features offer considerable value because you get more insights from your user systems.

Microsoft Defender XDR stops the movement of advanced attacks by working with the complete 365 package. For example, you can create rules for email filtering to block phishing emails. I can create rules for email filtering. If there are any suspicious links in an email or its attachments, we can quarantine that email. It notifies the admin or the user.  The user can ask the admin to remove the email from the quarantine. We can investigate the email before it reaches the endpoint. Defender also has web content filtering and all the other EDR file features.

Defender's ability to adapt to evolving threats is critical today. The number of attacks today is multiplying, and Defender's adaptability and awareness are amazing.

The initial time spent setting up and configuring Defender XDR is a bit longer than the other solutions. If everything were on one portal, the platforms for managing policies or alerts would be simpler. We must automate and manage policies on Intune rather than the same portal.

I have used Microsoft Defender XDR for nearly 14 months.

I am very satisfied with Defender's stability. It's a reliable solution that improves our confidence in our security.

I rate Microsoft support seven out of 10. I would like Microsoft's support to be a little more robust and technical.

Neutral

Deploying Defender XDR is pretty straightforward. We deployed it in phases with deadlines. It took a couple of months. We met all our deadlines, and it wasn't a very complex solution to implement. 

We prepared and configured the tenant. Next, we created XDR policies and groups and orchestrated our requirements. We tried pushing the policies to see if the endpoints received them and sent the required information back to the admin portal. There was a testing period before we went live. Deployment only required two people. 

Defender doesn't require much maintenance after deployment because it's a cloud-based solution. We only need to tweak and update the policies, then push them out. 

Defender XDR is reasonably priced based on the licenses we need and the solution's capabilities. At the same time, Defender is a little pricier than some of the other solutions. 

We also considered CrowdStrike and Trend Micro. Trend Micro came the closest to meeting our expectations. Ultimately, we decided to use Defender XDR because we already used most of the Microsoft products, so it was a little more cost-effective. 

I rate Microsoft Defender XDR nine out of 10. Before deploying Defender XDR, potential users should be informed about the pricing, support, and the labor required to manage, maintain, and deploy the solutions. 

We use Microsoft Defender XDR to protect our endpoints, computers, mobile devices, and emails.

In part, Microsoft Defender XDR provides unified identity and access management.

Microsoft Defender XDR can protect 98 percent of devices.

With Microsoft Defender XDR we can now manage all of our non-critical computers from one console. The management level and implementation level are easy. Microsoft Defender XDR is also cost-effective.

We have been using Microsoft solutions for over 25 years so it didn't take much convincing to start using Microsoft Defender XDR.

Microsoft Defender XDR has enabled us to discontinue the use of Kaspersky in our safe computers.

Being able to reduce the number of solutions used has been helpful to our security team's operations. The discontinued use of other security products has reduced manual correlation. Using Microsoft has a lot of advantages, especially in management. The reduction in manual correlation is important for our organization.

Microsoft Defender XDR saves our security team around three hours a day.

The most valuable features are spam filtering, attachment filtering, and antivirus protection.

Microsoft Defender XDR is not a full-fledged EDR or XDR. Any true XDR should be more powerful than what Microsoft is currently providing. For some public-facing companies, computers, and endpoint computers, we need additional security from CrowdStrike or other third-party XDR.

Microsoft Defender XDR does not stop 100 percent of the lateral movement or advanced attacks. Our machines use both Microsoft Defender XDR and Crowdstrike and we have had instances where attacks were missed by Microsoft Defender XDR but caught by Crowdstrike.

I have been using Microsoft Defender XDR for four years.

Microsoft Defender XDR is stable.

Microsoft Defender XDR is scalable.

We previously used Kaspersky, Norton, and CrowdStrike. We switched to Microsoft Defender XDR because of its streamlined management capabilities.

The initial deployment was straightforward. We pushed Microsoft Defender XDR remotely across our system consisting of 300 computers. We are a team of seven people and each of us was involved in the deployment process.

The implementation was done in-house.

Microsoft Defender XDR is expensive.

We did not evaluate other security solutions because I have extensive knowledge of most products, their strengths and weaknesses, and their overall capabilities. Additionally, considering all our products are on Microsoft 365, a cloud-based platform, and we already utilize its various components like mail, documents, and more, integrating Microsoft Defender for threat detection and management was a natural choice due to existing ecosystem compatibility and streamlined administration.

I would rate Microsoft Defender XDR an eight out of ten.

Microsoft Defender XDR is deployed across multiple locations and departments.

Minimal maintenance is required for patching.

My company operates as a service provider, so we use Microsoft Defender XDR in our office to provide our customers with security services.

I won't say that the product helped improve how my organization operates, but there is a need to build trust between the user and the product. Microsoft Defender XDR has been used in my organization since we purchased Windows 10 or 11, after which a user does not need to install any products from Microsoft separately. Some of my company's customers insist they want to install antivirus software separately in their environment due to trust issues.

The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products. Some other vendors of security products provide great features or capabilities of detection, but the best feature of Microsoft is its integration capability.

One important point about the solution that is an area of concern where improvements are required is related to the control center it provides. Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides.

I have been using Microsoft Defender XDR for three years. My company has a partnership with Microsoft. My company is also a reseller of Microsoft products.

As a part of Microsoft's attempt to reduce costs, there has been a direct cut down of the local technical support team. Sometimes, you have to use the technical support offered by Microsoft from other countries, but at times, we speak different languages, just like how people speak in Chinese or Mandarin, but there are still some differences between them. The front-line support from Microsoft has only limited technical abilities or access to their internal system. Sometimes, my company cannot even escalate an issue to Microsoft's senior team members.

The support team of Microsoft is nice as they attempt to solve the problems together with you, but I believe that due to some cost-related issues, they don't have enough permissions. Sometimes, users might feel blocked when trying to connect with the support team.

I rate the technical support a seven out of ten.

Neutral

My company started with Microsoft Defender XDR when we partnered with Microsoft. Some of our company's customers prefer CrowdStrike, Fortinet, and FortiSIEM.

You don't need to indulge in troubleshooting, making the initial setup phase an easy process because you could just use a GPO on your server to deploy everything. When there comes a problem to onboard some specific devices, and you need to indulge in troubleshooting, sometimes Microsoft Defender XDR's team says it is a problem with the devices a user is trying to onboard, and it's really hard for our company as service providers since we cannot always ask customers to reinstall their server.

Microsoft purposely makes its license combinations complex and includes combinations like Microsoft 365 E3 and Microsoft 365 E5, Office 365 E3, Office 365 E5, and Office 365 E1, so you get confused. Microsoft tries to sell you a bundle of a lot of things together. The licensing model of the product should be made more understandable.

There are other good products in the market, and it is difficult to state which one is better since all of them have micro differences in terms of pricing. There may be components like the user interface or maybe some other elements to judge other products, but when it comes to Microsoft, the most important factor stems from the fact that most people use Windows, so it's all integrated.

The product provides unified identity and access management as long as I use all of the products offered by Microsoft.

It is important for me that identity and access management are included within Microsoft Defender XDR because everything is controlled by your identity in the digital world, making it look like a user's government ID in the digital world. My company has tried a lot to talk to and educate our customers since some try not to use a complex password or MFA, which is the most important thing to protect your identity.

Some integration functions in Azure portal allow users to integrate their third-party applications. With the solution, it is not easy to track third-party applications. For transactions recognized by your credentials, it is not easy to track as they would stop, after which we are informed there is a problem. In my organization, we only know how some third-party applications ask to check the credentials, but we don't know what Microsoft Defender XDR does with it, so the product's security doesn't extend beyond just Microsoft technologies.

The product does stop lateral movement and advanced attacks like ransomware or business email compromise. The product blocks a lot of ransomware, which is good. It is considered to be a strict product, so if some of our customers use some local mail service, they have been blocked because Microsoft considers it to be not secure. Microsoft puts a lot of effort into security.

Microsoft Defender XDR's ability to stop attacks covers the product's ability to adapt to evolving threats. It is better to use it as a cloud-based solution that keeps adapting to changes and providing new features.

The product must adapt and evolve to manage threats since there is a new zero-day vulnerability every day, and there is no way to get protection from it. You cannot rely on the users or the admin to upgrade the features daily, so it's better to adopt it automatically with a cloud-based solution like Microsoft Defender XDR.

There were some problems when my organization tried to discontinue other products during the implementation phase of Microsoft Defender XDR since Microsoft tried to integrate all the products in our organization's environment together. If you have used Microsoft Defender XDR, you have to use an antivirus from Microsoft along with Microsoft Identity Platform Endpoint to get the best results. Sometimes, some customers may try to install some third-party antivirus in their environment other than the one provided by Microsoft, which gets blocked. Sometimes, antivirus software from a vendor goes into passive mode. When an antivirus software is in passive mode, some of its advanced features are not usable, causing some problems the user needs to deal with when using it.

The product's ability to save costs depends on how a user looks at a problem while using the solution. I worked as a part of the security team, and we always used to talk to our company's customers. The solution is sometimes like insurance, especially if you want to avoid some bigger problems and you need to spend some money to protect your environment. In some other IT teams or from some other client's point of view, Microsoft Defender XDR costs a lot of money, and they don't see anything. In the security world, no news is good news. You don't want to have to see everything happen and get plenty of alerts trying to prove the product's worth. The product has to control the attack surface so that you won't be attacked that much, or if there are any attacks, it can reduce the impact.

The product definitely saves time for my organization and our company's client teams, especially considering that it is not possible to manually go through the logs every day. The product did help pop up the abnormal activities so that my organization could just review the important things or abnormal activities.

It is hard to say how much time the product saves since it depends on factors like whether you are using some other products or using Microsoft Defender XDR alone. I guess that the product can save over 60 percent of my organization's time. When you use Microsoft Defender XDR in your IT infrastructure, and it works for you, then you just put it in there, and you will come to know when there are some abnormal activities or when you are attacked. With Microsoft Defender XDR, you can get some signs if you are being attacked.

Microsoft Defender XDR is a nice solution and can be combined with other solutions from Microsoft, but they offer limited flexibility. I want the product to be a high surveillance solution for me and not just an information-oriented tool, but nowadays, Microsoft doesn't provide any options to help choose the users' preferences.

I rate the overall product a seven out of ten.

We use 365 Defender to manage organization-level devices and vendor security compliance. We are a retail-focused organization that offers cloud services through Azure, GCP, and AWS, but we manage all the security through 365 Defender. Some of our users are based in other countries, and everything is centralized. We operate in multiple regions. 

We can easily track any other malicious activities or additional applications that will prevent it. We can get it here. It will be a helpful tool once we create policies for DLP and third-party programs. 

365 Defender stops the lateral movement of advanced attacks. It prevents something that happens on the device level from affecting us on the organization level. The solution enables us to track all the details, like the IPs and the device types. 

365 Defender helps us deal with unknown threats by creating custom policies, which enable us to block access by specific unknown sources and unsafe links. 365 Defender has multi-tenant capabilities, and we have multiple tenants, but I'm only involved in the retail part, so I don't have authority over other tenants. 

We were able to discontinue some of our other security products when we implemented 365 Defender, but there are some exceptions. We can use non-Microsoft solutions when the customer requires it. Mostly, we use cloud solutions. We've saved some costs on the security side at the organizational level by reducing equipment costs. Using 365 Defender's automation capabilities, we can cut our vulnerability management time by about 40-50 percent. 

I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications. 

The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender 365, it would be helpful to use a different format so we can customize the platform.

I have used 365 Defender for more than two years. 

365 Defender can have some performance issues during enrollment. It can take a while at times, but sometimes it's duplicated immediately. That's an issue with some other cloud-based programs like Intune and Azure products. 

I rate Microsoft 365 Defender support nine out of 10. Their support representatives provide solutions based on priorities. They prefer to follow the proper SLA part. 

Positive

The deployment is quick, straightforward, and involves only two people. 

Sometimes 365 Defender is expensive, but it can be moderate, depending on the organization's size and the license type. We're satisfied with the cost because it gives us a product that protects our entire environment with DLP. To compromise some cost, of course, we are to complete the most secure environment. 

I rate 365 Defender nine out of 10. 

Microsoft 365 Defender is used for our threat policies, configuration, and security protection.

The current level of threat visibility is good.

Microsoft 365 Defender helps prioritize threats across our enterprise which is important for our organization.

The mail component within our organization is the most critical part and Microsoft 365 Defender plays a big part in protecting that component. 

We have integrated Microsoft 365 Defender with Defender for Cloud, and Sentinel. Integrating the solution with Defender for Cloud is easy. 

The integrated solutions work natively together to deliver a coordinated detection and response across our environment which is important for our organization.

The comprehensiveness of the threat-protection that Microsoft products provide is good.

The bidirectional sync capability of Defender for Cloud is important for our organization.

The bidirectional sync of Defender for Cloud helps us secure our network.

Microsoft Sentinel allows us to investigate data from our entire ecosystem.

The ingestion of data to our security operations is critical and Sentinel does a better job than the other solutions we tried.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place which is important for us.

The built-in UEBA and threat intelligence capabilities are good.

Microsoft 365 Defender helps our organization by detecting false positives.

Our Microsoft security solutions help automated to retain tasks and help automate the finding of high-value alerts.

The automation has helped us with our playbook.

The solution has helped eliminate multiple dashboards by providing one XDR dashboard.

Having one XDR dashboard allows us to react to threats faster.

Microsoft 365 Defender's threat intelligence helps us prepare proactively for potential threats before they hit.

Microsoft 365 Defender has saved us between one and three months of time.

Microsoft 365 Defender has saved us time to detect and respond.

We have saved a significant amount of money with the implementation of Microsoft 365 Defender. Prior to using this solution, we encountered costly incidents.

All of the security components are valuable including, antiphishing, antispam, and stage three antivirus.

Additional visibility into log analytics would be beneficial. For instance, if an attachment was affected by malware, it would be helpful if Microsoft 365 Defender could provide more specific details about the origin of that particular malware, such as where it originated from. Any additional information in this regard would be greatly appreciated.

The integration of Microsoft 365 Defender with Sentinel is a bit complex when integrating custom connectors.

The cost of using Microsoft Sentinel is dependent on the size of the data the solution will ingest. I would like Microsoft to provide proper guidance on the sizing so we know what we will be spending.

Technical support has a lot of room for improvement. The support team is not competent or responsive.

I have been using the solution for one year.

Microsoft 365 Defender is stable.

Microsoft 365 Defender is scalable.

The quality of technical support we receive is poor. We encounter difficulties while dealing with the support team, even for critical incidents. Moreover, we always receive a response from the same engineer. However, they are not cooperative in using Microsoft Teams or joining a call with our clients.

Negative

The initial setup is straightforward. The deployment was completed by two people and required seven to eight days.

The implementation was completed in-house.

The licensing fee for Microsoft 365 Defender is fair.

I give the solution a seven out of ten.

The solution is deployed across multiple locations.

We have 5,000 users.

We have three administrators for the solution.

When an organization is already using other Microsoft solutions it is best to use Microsoft 365 Defender because of the seamless integration.

Microsoft 365 Defender is not difficult to implement and can be utilized by anyone.

We use 365 Defender with Outlook, Teams, and SharePoint. Our organization extensively uses these products as do the clients we serve. Our goal is to secure those email, SharePoint, and Teams environments.

Our Microsoft security solution has helped eliminate having to look at multiple dashboards. For a wholesale view over the entire infrastructure, Sentinel is the place to go. But M365 Defender alone only covers 30 to 40 percent of the infrastructure.

We have saved a lot of time compared to having to do tasks with other tools. With Microsoft, it's easier for us to manage and handle them. It saves us about 40 percent of the time it would have taken us. That includes the automating of detection and response.

The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it.

The information that the solution provides is pretty clear because I have an overall picture from the compliance dashboard, which is now called the Azure Purview Compliance dashboard or manager. It has all the information, including the DLP information, sensitive data being shared, threat protection, and attacks. All of that is on a single dashboard where I see what the state of security is.

We use the entire suite of Purview features, including Sentinel, Defender for Cloud Apps, Defender for Endpoint, and even new features like Microsoft Defender for DevOps. Sentinel is the out-of-the-box SIEM tool that should definitely be used for more visibility on the M365 side. Of course, we have the compliance dashboard, but Sentinel acts as the single point of contact for visibility into all devices. That way we can see, if there are any threats or vulnerabilities, what the dependent resources are. Sentinel helps give us that bigger picture. We also use Defender for Identity and Defender for Cloud, with different features for the different aspects within the cloud, such as various servers and DNS, et cetera.

With its different connectors, Sentinel enables us to collect data from our entire ecosystem. All the logs are injected into a workspace in Sentinel where Sentinel can analyze them. If we unlock the Microsoft threat intelligence program, which is part of Sentinel, we can investigate threats and respond holistically from one.

Integrating these products is pretty simple. Microsoft Sentinel integrates really fast. Obviously, it's from the same stack so it's easy for us to integrate with just the click of a button. The connectors then help us integrate these services.

If we have all these products in use, we can achieve a 90 to 95 percent security maturity model, without requiring any other vendors' solutions to protect resources.

There are two areas where I feel there is no Microsoft solution. One is vulnerability management, where Microsoft is partnered with Qualys. The other is a penetration testing tool on the preventive side. That would be more for an ad hoc request and not for everyday functions. Apart from these, all the other areas can be covered with Microsoft solutions.

There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff. By integrating Microsoft 365 Defender with Sentinel, we can definitely automate things. We can leverage playbooks, and execute Terraform scripts. But directly automating tasks in the 365 Defender is something we have to do with PowerShell, which is then connected to Exchange Online. There is no direct way to go ahead because it's a SaaS platform. But if you integrate it with Sentinel, where all the alerts are created and action needs to be taken, it is pretty comfortable for automation.

Also, I would like to see it be a lot less policy driven. On the M365 side, there are a lot of policies that we need to enable to achieve a certain task. There is no direct solution; rather, there are a lot of workarounds.

I understand that Microsoft is dealing with a lot of tools at once and having a direct solution is not viable. But I would hope that Microsoft can improve that side of it.

I have been using Microsoft 365 Defender for more than five years.

It's a pretty stable solution and in terms of the SLAs it is pretty good. When it comes to applying policies and the standard documentation that Microsoft provides, everything works according to that. I would rate the stability a nine out of 10.

It surely is a scalable solution, being a service that Microsoft offers.

The technical support is not great. I have been working with these Microsoft products for quite some time, and I have raised issues and contacted them. Every support case I have raised has needed escalation. From my experience, the first-line support team doesn't have anything other than out-of-the-box solutions. Everything with that level of support is pretty standard, SOP-driven, and documentation driven. That is nice, but only to a certain point. When we are talking about the SOP that a level-one engineer does, that's when the support is very poor.

Negative

We previously had on-prem solutions. For Exchange and for endpoints, we used to have McAfee, but that was more than five years ago. Previously, Defender for M365 used to be ATP, Advanced Threat Protection, and that's when we started using it.

Previously, we had many things on-prem, such as Exchange Servers, SharePoint, and database servers. But as Microsoft drove toward cloud-native solutions and moved Exchange, SharePoint, and Dynamics 365 online, moving to M365 was a part of the move.

There is no straightforward solution with Microsoft. There are definitely a few restrictions and limitations. We should go ahead and call that out and there were definitely challenges.

The major challenge was moving the mailboxes from on-prem Exchange to Exchange Online. That was not straightforward because the goal was not to lose any emails, and that certain format-related issues be taken care of.

We followed a waterfall method with a proper plan of action. We performed a PoC first, to make sure that the test users were migrated successfully. Once that was done, we did a proper plan in terms of department hierarchy for migrating our departments and detailed a plan of action in case there were any failures. We then did a proper pilot where we chose about 25 mailboxes for migration, and then we went ahead and migrated everyone. 

One of the reasons it took six months was there were only five of us involved.

Because it is a SaaS service, Microsoft promises three nines of uptime. There is no maintenance on our side.

We are seeing a return on investment compared to the same types of solutions that we used to have five years ago. We would have spent more than what we are spending right now. It's not just about the licensing, it's also about the team that manages it and the operations side of it. But compared to how things were, the return on investment has been positive.

I doubt that we are saving money with this solution because all the features are only available with a Microsoft 365 E5 license, which is the highest. And that doesn't come cheap because it's on a per-user basis. If there are 1,000 users, you are investing a lot.

The pricing model of Sentinel is entirely different from any other standalone SIEM tool. Other tools work on a licensing model with a fixed price based on the different modules that are enabled. Sentinel is not a fixed price. It depends on how much data is injected into it. With Microsoft, if there are 100 GB per month, it's about $2.30 per GB, or around $2,000 on a monthly basis. Compared to a fixed licensing cost, where organizations know that there is a certain budget they need to put aside for the license, on the Microsoft side, we really can't anticipate the cost.

The pricing of Microsoft 365 Defender is definitely on the costly side, but with the features and services that Microsoft provides, such as the seamless integration of all the Defender tools, while the price is on the higher side, there is no alternative.

My advice would be to try out Microsoft and compare it with other vendors. If your vision for Microsoft includes needing customizations and a lot of use cases, I don't think Microsoft M365 would support that. Where Microsoft shines is the seamless integration and dealing with less configuration management. But at the same time, organizations are adopting other solutions, such as Linux, and they want customization and that is not possible on the Microsoft side.

Microsoft 365 Defender helps prioritize threats to the enterprise, but not alone. Rather, it is through combining it with other Defender products like Defender for Cloud Apps and Defender for Endpoint. All these, in combination, can provide really good security, visibility, and threat protection against any vulnerabilities or threats. But with just M365, our hands are tied with the scope, which is limited to emails, Teams, and SharePoint.

We can't 100 percent automate things, but we can automate about 80 percent of our tasks. It has made life easier. But, at the same time, if a scenario is not something that repeats, performing an activity automatically would reduce the time spent, but not by that much. We have automated a few areas for things that occur on a regular basis, but at the same time, we come across situations now and again that we think about automating, but we also think about the effort that we would have to put into doing so. Will it be a recurring solution or not?

There are also some advancements that Microsoft has launched to automate threat surface reduction, some features that we could try to help us analyze steps to be taken before an attack happens, but nothing that I have tried yet.

Hypothetically, when looking at whether a single vendor or a best-of-breed strategy is best, being an architect the last couple of years, what I've seen is that having a multi-vendor system is definitely a good approach rather than going with a single vendor solution. Even though Microsoft has all these tools, we can't achieve 100 percent security. There are the areas for improvement that I mentioned, where Microsoft doesn't have a single solution, like pen testing and vulnerability management. My suggestion is always to go with a multi-vendor solution. Microsoft might reach a level where, at a certain point, they will have 100 percent coverage, but my approach would still be multi-vendor.