    Works at Hometrack
    User
    Top 20
    Provides comprehensive security and proactive threat management with central visibility, though customer support can be slow
    Pros and Cons
    • "One of the most valuable features of Microsoft Defender XDR is its ability to provide preemptive reports regarding excessive privileged access."

    What is our primary use case?

    Microsoft Defender XDR is our primary solution for security. We have a number of use cases across different environments, allowing us to secure all our use cases comprehensively.

    What is most valuable?

    One of the most valuable features of Microsoft Defender XDR is its ability to provide preemptive reports regarding excessive privileged access. This allows us to secure our systems in advance and proactively improve security, rather than waiting for incidents to occur. Additionally, it ensures that we are fully compliant before any audits are conducted, which has potentially saved our reputation. Furthermore, its integration across different environments allows central visibility for different workloads.

    What needs improvement?

    There is nothing I can think of at the moment that needs improvement. I am a contractor and finishing up soon, so I haven't encountered any issues requiring enhancements.

    For how long have I used the solution?

    I have been working with Microsoft Defender XDR for a few years now, about one and a half to two years.

    What was my experience with deployment of the solution?

    I was involved in the deployment, and it was very easy to set up and configure. I did not encounter any problems—it took half a day to a full day at most.

    What do I think about the stability of the solution?

    There are no complaints regarding the stability of the solution. It seems to do the job well.

    How are customer service and support?

    The customer service is good, and they supported us well. Although it took some time, we got the required support in the end.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The initial setup was straightforward, and I did not have any issues with it.

    What about the implementation team?

    We used Teams for the deployment, but I could be wrong on that.

    What other advice do I have?

    Overall, I would rate Microsoft Defender XDR a seven out of ten. It is a useful tool and not necessarily the best solution I've seen, but it is good and I wouldn't object to using it.

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Infrastructure architect at Energizer Holdings, Inc.
    Real User
    Comprehensive security across endpoints and seamless integration within the Microsoft security ecosystem, offering a unified and proactive defense against evolving cyber threats
    Pros and Cons
    • "A crucial aspect for our team is the inclusion of identity and access management tools from the vendor."
    • "The capability to not only thwart attacks but also to adapt to evolving threats is crucial."

    What is our primary use case?

    It addresses various use cases, including monitoring and securing file storage like OneDrive and SharePoint. It has recently incorporated Teams integration to safeguard against malware. Additionally, it serves as a replacement for on-premises Advanced Threat Protection, offering enhanced capabilities. It has proven valuable in highlighting critical scenarios related to credential use and legacy Active Directory, providing substantial assistance in these areas.

    How has it helped my organization?

    When transitioning to Microsoft Defender for Endpoint from our previous use of ATP, we observed significant improvements. Legacy ATP involved numerous signals and a substantial learning curve, but Microsoft Defender for Endpoint establishes a more effective baseline. In comparison to Cylance, which generated a considerable amount of background noise, Microsoft Defender for Endpoint enables us to concentrate on the more critical alerts that demand our attention. Our team is actively phasing out disparate security tools in favor of a streamlined approach. The efficiency gained from having a single pane of glass is a powerful asset for our team.

    What is most valuable?

    One of the most valuable aspects is the comprehensive insights it provides into on-premises identities, particularly within Legacy Active Directory. This allows for the examination of use cases related to identities, ensuring there is no misuse of accounts or computers. A crucial aspect for our team is the inclusion of identity and access management tools from the vendor. Despite being a sizable global company, our team is relatively small, considering our global reach. Therefore, minimizing overhead is a top priority for us, and integrating these tools from the vendor becomes crucial in achieving that goal.

    What needs improvement?

    My suggestion would be for Microsoft to continue aligning all components within this ecosystem. This consolidation is beneficial as we strive for a more unified and comprehensive view, essentially a single pane of glass, which is highly valued. In the future, I hope for increased third-party integration. While Microsoft plays a role, it's equally important for third-party providers to step up. In our organization, the information security team has endorsed a specific set of products. Integrating the telemetry from these approved products into our systems would be immensely beneficial, providing a more comprehensive view and enhancing our overall security posture. Extending security coverage is of paramount importance. Integrating telemetry could bridge these gaps, fostering greater cooperation among individual teams within the organization. Having teams collectively examine the same information might contribute to advancing collaboration and overall security efforts. The capability to not only thwart attacks but also to adapt to evolving threats is crucial.

    For how long have I used the solution?

    I have been using it for the last three years.

    What do I think about the stability of the solution?

    It is exceptionally stable, without encountering any notable issues or complaints. Microsoft seems proactive in communication through the message center, keeping users informed about any ongoing issues, and we appreciate the clarity provided through multiple channels.

    What do I think about the scalability of the solution?

    It has the capability to scale seamlessly, especially with Microsoft's expertise in the cloud. We have over six thousand end users globally distributed across various facilities, with some on-premises deployments due to specific requirements. However, our overarching strategy is cloud-first, and the majority of our infrastructure operates in Azure. In terms of endpoints, the number is substantial, likely exceeding seven thousand when considering both servers and clients.

    How are customer service and support?

    We haven't had the need to contact them so far. In general, our experience with Microsoft support has been variable—it can be both beneficial and challenging. While they offer a wealth of resources, there are instances where the response may not align with our expectations. I would rate it eight out of ten.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I made the switch from Bitdefender to Defender primarily due to cost considerations. In my professional assessment, Bitdefender appears adequate from a client perspective, but when it comes to enterprise deployment, I don't view it as fully enterprise-ready. We encountered numerous challenges, particularly with installing Bitdefender's agent on Server 2022, which proved to be a significant hurdle for my team, consuming valuable time and resources. The advantage of Defender lies in its ability to seamlessly bring together threat telemetry from servers across various cloud providers, including Azure, and extend this protection to our Windows endpoints, offering a robust and integrated security solution.

    How was the initial setup?

    The initial setup was straightforward.

    What about the implementation team?

    Our implementation strategy was relatively gradual and soft. We enabled the features, allowed it to ingest the data, and then began assessing the generated alerts. Taking a somewhat silent approach, we deferred more to the expertise of our information security team, considering their role as the cornerstone in this aspect. As we moved forward, we aimed to identify areas for improvement and address the specific queries and needs that our team raised during the process. Our ongoing maintenance primarily involves fine-tuning our alerts to align with our specific use cases.

    What was our ROI?

    In terms of return on investment, the potential for cost reduction is a key consideration and Defender does provide it. The time saved is substantial, especially if we can navigate through our internal processes efficiently. Specifically for my infrastructure team, using Defender for Endpoint has significantly reduced the time spent delving into emerging issues. As a rough estimate, I would say it saves us approximately six hours a week that would otherwise be spent navigating through the complexities of individual components within Microsoft 365.

    What's my experience with pricing, setup cost, and licensing?

    I find the pricing to be quite competitive, especially considering its inclusion in our E5 subscription, which provides a comprehensive set of functionalities. Initially, when I evaluated the pricing for add-ons with our E3 subscription, it seemed reasonable. However, we opted for the E5 subscription, absorbing the additional features seamlessly.

    What other advice do I have?

    I'd recommend exploring Microsoft's Learn documentation, a resource that is sometimes overlooked but provides valuable insights into the capabilities of Defender. It's a good starting point to understand its features. For large enterprises with tools like Visual Studio subscriptions (formerly MSDN), Microsoft offers the option to set up an E5 tenant for testing. This can be deployed freely for up to twenty-five licenses, excluding the Windows license. I suggest diving into hands-on experimentation in a lab environment, combining practical experience with informational reading for a comprehensive understanding. Overall, I would rate it nine out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    reviewer2186649 - PeerSpot reviewer
    Senior Cybersecurity Specialist at a tech vendor with 10,001+ employees
    Real User
    It has many built-in policies that can improve your organization's cloud security posture
    Pros and Cons
    • "Microsoft Defender's most critical component is its CASB solution. It has many built-in policies that can improve your organization's cloud security posture. It's effective regardless of where your users are, which is critical because most users are working from home. It's cloud-based, so nothing is on-premise."
    • "Defender also lacks automated detection and response. You need to resolve issues manually. You can manage multiple Microsoft security products from a single portal, and all your security recommendations are in one place. It's easy to understand and manage. However, I wouldn't say Defender is a single pane of glass. You still need to switch between all of the available Microsoft tools. You can see all the alerts in one panel, but you can't automate remediation."

    What is our primary use case?

    My company mostly uses Microsoft Office products, so we use 365 Defender for our security. 365 Defender is deployed globally, and it works the same whether you are in Europe, China, or India. It currently covers around 4,000 people worldwide. 

    How has it helped my organization?

    Defender reduced our attack surface with built-in rules for USB-based threats. Sometimes employees plug in a USB containing threats. Defender will immediately stop malicious executables from running. 

    We have our own method for defining incident priorities. For example, most identity-related incidents are on the higher side. However, if we see a large number of low-level alerts affecting a single user in a short period, then those need to be checked. Automation can help in these cases. It's good to have, but I don't think Microsoft is currently very capable of machine learning. 

    Defender has a security dashboard, but there is a different console for vulnerability management. We can create multiple reports where alerts are categorized and labeled, and Defender provides a single console where we can fetch all those reports. 

    There isn't a foolproof method for preventing all cyber attacks, but best practices can reduce risks and limit the impact of threats. If you identify threats, you can build block lists and create regular employee training to tell people what to avoid. 

    Preventing threats requires a strong firewall and antivirus solution. Defender is a good one. You can also implement threat prevention and detection technology in your remote environment. Nothing can completely prevent attacks from happening, but you can create policies using threat intelligence to ensure they are stopped. 

    365 Defender helps us save time by simplifying threat response. For example, one of my customers uses USB to transfer data from one place to another. Some USB drives contain malicious programs, so I configured a rule to stop the executable. If a user copies documents from the USB with a harmful executable, Defender will lock it down. They can only copy the documents, but the executable will not run. 

    It saves us lots of time. It reduces the time we spend on these tasks by about 50 to 60 percent. I switch it to audit mode and collect logs. After a month, I have received hundreds of alerts. With my rule in place to block USB executables, we no longer get alerts for that particular threat. Implementing that single rule reduced our alerts by around 30 percent. 

    Defender reduces the detection time. We have a SOC team to review all those logs and alerts, and it helps them work quickly. There is little delay between detection and remediation. 

    What is most valuable?

    Microsoft Defender's most critical component is its CASB solution. It has many built-in policies that can improve your organization's cloud security posture. It's effective regardless of where your users are, which is critical because most users are working from home. It's cloud-based, so nothing is on-premise.

    When dealing with remote users, you need the coverage of firewalls, antivirus, and all those essential security measures. There are multiple policies available that can help the organization secure its environment to prevent something malicious from entering. You need to flag users logging in from a different IP and guard against brute force attacks by detecting multiple failed login attempts.

    There is also an option for identity. Most organizations aren't entirely on the Cloud. They still rely on on-prem data centers, so you need Defender for Identity. Another advantage of a cloud-based solution is that you don't need to constantly upgrade it monthly, quarterly, or weekly. All of your infrastructure is online. 

    You need multiple solutions for outside threats. I can see if someone is logging in from a malicious IP before they can access the environment. You cannot completely block cybersecurity threats, but you can proactively resolve them and create a wall around your environment. 

    What needs improvement?

    365 Defender's attack surface reduction rules could be more customizable. Microsoft has its own pre-defined rules that can be adapted to every organization, but Defender should support the ability to create custom rules from scratch.

    Defender also lacks automated detection and response. You need to resolve issues manually. You can manage multiple Microsoft security products from a single portal, and all your security recommendations are in one place. It's easy to understand and manage. However, I wouldn't say Defender is a single pane of glass. You still need to switch between all of the available Microsoft tools. You can see all the alerts in one panel, but you can't automate remediation. 

    Automated remediation can be improved. I'm currently creating a remediation structure there and pushing it to my vendor, but the vendor should have their own way of resolving things. It only alerts you that something is happening. The security administrator needs to take action because Defender's automated capabilities aren't up to par. 

    For how long have I used the solution?

    I have been using 365 Defender for more than a year. 

    What do I think about the stability of the solution?

    365 Defender is stable. I haven't seen an outage in the past year. We've had 100% availability. Occasionally, the servers go down for maintenance, and the sensors stop working. It doesn't happen frequently.

    What do I think about the scalability of the solution?

    365 Defender is highly scalable. 

    How are customer service and support?

    Microsoft's support is excellent. Most issues resolve on their own, but when we need support, they typically resolve the issue quickly. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    At my previous company, we used other antivirus and identity solutions, but they weren't a complete package like 365 Defender. For example, CrowdStrike was our EDR solution, which had extended capabilities, or XDR. We had various solutions that collectively did the same thing as Defender. 

    How was the initial setup?

    365 Defender is cloud-based, so the deployment is straightforward and only takes 10 to 15 minutes. You need to change a few configurations on your devices using Intune. One person is sufficient to do the job. It's a simple installer. 

    After the deployment, you don't need to do any maintenance because it's on the cloud. The only thing deployed on-premise is the ATP sensor, which automatically upgrades. 

    What's my experience with pricing, setup cost, and licensing?

    365 Defender is bundled with our Microsoft Enterprise license. Additional costs, for support, etc., depend on the license level. If you have a premium account, you will receive priority support, but it costs more.

    What other advice do I have?

    I rate Microsoft 365 Defender a nine out of ten. I personally wouldn't recommend only using a single solution or vendor. If you don't try other products, then you won't be aware of what is happening in the market. There should be multiple products involved, so you can compare the solutions and go with the best one. 

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    reviewer2170611 - PeerSpot reviewer
    Security Architect at a computer software company with 501-1,000 employees
    Reseller
    Top 5
    Robust with good threat hunting and incident response capabilities
    Pros and Cons
    • "Defender XDR can stop advanced attacks, like ransomware or business email compromise."
    • "From a performance standpoint, improvements could be made."

    What is our primary use case?

    The solution is primarily used for security response. We work with many government ministries that use Microsoft, Microsoft 365, or security tools like Azure XDR. This solution integrates with other products, helps with detection, and offers quick response times.

    What is most valuable?

    The threat-hunting and incident investigation capabilities are very strong. It can investigate and block phishing attacks and monitor them effectively. We can even do endpoint behavior analysis. 

    The solution's XDR platform provides unified identity and access management for customers. If the customer is using a Microsoft Enterprise XDR solution, it does. We do have Microsoft Defender for Identity. It's part of the suite itself. Customers can have Defender for Endpoint, Defender for Identity, and Defender for Cloud. All these things combined form the XDR. The main use cases are around identity - to understand whether there is identity hacking, privilege escalation, or some malicious user in the environment. It helps us respond to those events very quickly.

    From a coverage point of view, it's good. We are quite happy with it. If we have users with multiple devices, the solution provides comprehensive coverage.

    While the solution does cover technology beyond Microsoft, it's strongest when monitoring the Microsoft Suite. We do have servers, and it can monitor them. They don't necessarily have to be Windows servers.

    Defender XDR can stop advanced attacks, like ransomware or business email compromise. It depends on how the solution is configured. It does a lot of monitoring and helps the SOC team or the analysis team find issues. 

    The solution has the ability to stop attacks and can adapt to evolving threats. It can ingest a lot of threat intel data, which actually gives us the latest information about how the threats are happening. It does a quick analysis of that. 

    Some customers use Defender XDR's multi-tenant management capabilities. That said, most of the time, they might not need multi-tenancy. In one or two cases, customers may have done it, but not very frequently. The multi-tenant management capabilities for investigating and responding to threats across tenants are pretty decent. It provides a very unified view. That's one of the core capabilities of Microsoft XDR - the unification of the view. In a security situation, I might have solutions in multiple places. However, our tenant will be protected, and we will receive alerts. It helps a lot with individual client monitoring. It will help me hunt other tenants as well. It makes it so we have a very cohesive environment.

    Defender XDR has enabled some of our customers to discontinue the use of other security products. However, it's not always based on capabilities. In Qatar, for example, it's a government mandate to use Microsoft as much as possible, so we move a lot of customers over exclusively to Microsoft in those cases. That doesn't mean the other product wasn't performing. It just means there is a heavy preference towards being solely on Microsoft. 

    The Microsoft XDR solution has helped some customers to reduce costs. One of the major cost reductions is on the resources side (not on the technology side). As a service provider, we can move to a much leaner team with the XDR setup than with a non-XDR setup. When you have different environments to monitor and different alerts coming in from different devices, then you need more people to do the monitoring and analysis. However, when you have a unified view of the environment, then you can reduce the team to a certain extent. We can do a 25% reduction on a team, which is a considerable reduction since resources are expensive. How much a company can save depends on the environment. If it's small, the reduction in cost may not be significant. It can be as low as 10% or as high as 25%, depending on the size of the environment. 

    It's helped us save time. It's difficult to specify how much; however, it's likely up to 25% thanks to the reduction in the analysis needed. 

    What needs improvement?

    From a performance standpoint, improvements could be made. 

    For how long have I used the solution?

    I've used the solution for one and a half years. 

    What do I think about the stability of the solution?

    I'd rate the stability eight or nine out of ten. If it's just a Microsoft environment, the reliability is very good. If it's a mixed environment, I'd rate the stability seven out of ten. 

    What do I think about the scalability of the solution?

    The solution is highly scalable. 

    How are customer service and support?

    Technical support is good. We have enterprise support and they are responsive.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    I do not handle the initial setup process. The customer may deploy it across multiple locations. The size of the environment can vary from 100 users to 1,000.

    There isn't really any heavy maintenance. You just have to renew the licenses. If it's a small environment, one person can handle that. If it's bigger, there may be two or three people. 

    What's my experience with pricing, setup cost, and licensing?

    My understanding is that Microsoft is trying to change the pricing. However, right now, it's bundled together. If it could be decoupled a bit, it would help customers be able to afford the solution. 

    What other advice do I have?

    We are service providers, and we resell Microsoft solutions. 

    XDR is basically used for unification. It's more of a dashboard. When you have an XDR, you can monitor the entire environment. You can also see and take actions across the entire environment, which is actually a very big advantage when it comes to a particular software analyst's day-to-day job. They can be monitoring one screen. Typically, if an issue is found, a ticket needs to be made, and that's passed onto an engineer, but with XDR, a lot can be automated. It can help reduce costs related to manpower and make the process more efficient. 

    I'd rate the solution nine out of ten and recommend it to others. Smaller companies may not need it; however, if a company is growing fast or is already sizable, it's a good option—especially if it is a mostly homogeneous Microsoft environment.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.
    reviewer2243202 - PeerSpot reviewer
    Cyber security team lead at a non-tech company with 11-50 employees
    Real User
    Reduces attacks, is fairly priced, and integrates well with other services
    Pros and Cons
    • "The EDR and the way it automatically responds to ransomware and other attacks are valuable features."
    • "Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented."

    What is our primary use case?

    We mainly use it to defend endpoints.

    How has it helped my organization?

    We have seen fewer threats with the solution. The attacks that we experienced in prior years have reduced drastically since we implemented Defender.

    We also use Microsoft Defender for Identity. Their integration is very good. If you are a Microsoft 365 SaaS solution user, it is perfect. It works very well with all the services provided by Microsoft. These services work natively together to deliver coordinated detection and response across our environment. We are pretty much a Microsoft shop, so the integration of these different services is very important for us to secure our offices.

    Microsoft 365 Defender's threat protection is very comprehensive. The service that is available now is much more comprehensive than what was available a few years back. The only area that I see lacking is the dashboard. I can create my own dashboard, but the preset security dashboards should be much more functional.

    Its threat intelligence helps prepare us for potential threats and take proactive steps before the threats hit. The vulnerability scanning feature is great, and the Secure Score feature that scans the endpoints for vulnerabilities and keeps them up to date reduces a lot of the attacks that can possibly happen.

    Microsoft 365 Defender has saved us time. It has saved at least 30% to 40% of our time.

    Microsoft 365 Defender has saved us costs. Previously, we had to pay for third-party protection services separately, but because it is now integrated with our E5 licenses, it saves us a lot of money.

    Microsoft 365 Defender has decreased our time to detect and respond. We now have visibility, and this has led to about a 20% to 30% reduction.

    What is most valuable?

    The EDR and the way it automatically responds to ransomware and other attacks are valuable features.

    What needs improvement?

    The visibility into threats is not as good as other products in the market such as CrowdStrike, but if you know where to look, you can gain access to what is going on. The way the dashboard is designed is not as great as other products.

    It helps to prioritize threats across the enterprise, but a lot of administrative overload is involved in determining which threats to prioritize. As compared to other products, it is a bit lacking.

    Similarly, it helps to automate routine tasks and finds high-value alerts, but a little bit more automation would be appreciated.

    Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented. That is because a lot of organizations that I have worked with over the past years do not have full-on SOC or threat detection services. They should put in more automated response capabilities and dashboards for smaller organizations.

    For how long have I used the solution?

    I have been using this solution for almost three years.

    What do I think about the stability of the solution?

    It is a very stable product. Our attack metrics have come down drastically since we integrated with Defender. In my opinion, it is a very stable product.

    What do I think about the scalability of the solution?

    It is very scalable. I do not know about third-party clouds or third-party solutions, but when you are a Microsoft shop or have Azure or a hybrid setup, it is very scalable.

    We have multiple departments and multiple locations. We have client-facing computers, and we have in-house and on-prem computers. We also have Azure VMs. 

    How are customer service and support?

    Their support can be better. Their response time is good, but their knowledge and documentation are a bit lacking. Technology is moving faster than the documentation and the knowledge that is being provided to the support team. Their support team pretty much looks at the same documentation that we are looking at, but the technology is moving a lot faster than they can catch up. I would rate their support a seven out of ten.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We used CrowdStrike and Trend Micro. We switched to Microsoft 365 Defender because we wanted to integrate services.

    How was the initial setup?

    The solution is deployed on the cloud, but the endpoints are connected on-prem. In our organization, we have quite a few endpoints, so it took about three or four weeks.

    The setup will be straightforward for big organizations if they have a complete IT department, but for a small organization, implementing the same service becomes trickier because they do not have full-fledged IT departments. That is where the problem lies. 

    More automation would be better. However, automation is present with Autopilot and other services where you can integrate everything.

    In terms of maintenance, you have to fine-tune the services on a regular basis and tweak the deployment as per your requirements.

    What about the implementation team?

    We have about eight admins who worked on the implementation of the solution.

    What was our ROI?

    We have probably seen 30% to 40% ROI.

    What's my experience with pricing, setup cost, and licensing?

    It is fairly priced because we get complete integrated services with the E5 license.

    What other advice do I have?

    To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single-vendor strategy worked for us because it brought down our investment in terms of licensing and cost. The deployment across the organization has been a lot easier than integrating third-party solutions in different areas of the organization. For example, Defender integrates very well with both the endpoints and the cloud. Whereas with a third-party solution, we have to get different applications that need to connect back to the service to get the solutions that we require. Native integration is very useful for us when it comes to Microsoft. That is what I would recommend.

    If you are a Microsoft shop, I would highly recommend it, but you have to do a PoC.

    I would rate Microsoft 365 Defender a nine out of ten.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    reviewer2187066 - PeerSpot reviewer
    Tech Support Engineer at a tech services company with 5,001-10,000 employees
    Real User
    Unified platform, responsive technical support, reasonably priced, and secure
    Pros and Cons
    • "Another noteworthy feature that I find appealing in Microsoft Defender is the credit-backed simulation. This feature enables organizations to train their users on effectively responding to phishing emails through a simulated training environment."
    • "In the future, it would be beneficial for Microsoft to consider making the product more user-friendly or simplified for those who are interested in using it. Currently, it requires a high level of technical expertise, making it challenging for beginners or less experienced individuals."

    What is our primary use case?

    Microsoft 365 Defender working together with Exchange Online is my area of specialty.

    Microsoft 365 Defender incorporates a capability to identify potentially malicious emails or emails originating from suspicious senders.

    How has it helped my organization?

    Previously, we encountered a significant number of spam emails and suspicious emails, and users were inadvertently interacting with them. However, we have made progress in addressing this issue. We have conducted attack awareness training to educate users on identifying suspicious emails, and Microsoft Defender has played an important role in preventing such emails from reaching our inboxes. As a result, we have noticed a reduction in the volume of spam emails and an increase in the delivery of trustworthy emails. Considering these improvements, I can confidently state that we are in a better position now in terms of email security compared to the past before the implementation of Microsoft 365 Defender.

    Within Microsoft 365 Defender, specifically using Advanced Threat Protection, you have the ability to define rules and actions for high-value alerts. 

    By using Advanced Threat Protection, you have the capability to conduct thorough investigations and delve deeper into the search for specific threats that you suspect may be present within your organization. 

    Within the Microsoft 365 Defender suite, you have access to numerous features that enable you to effectively track and investigate potential threats within your organization.

    Automation significantly impacts our security operations in a highly beneficial way. It revolutionizes our approach by providing a centralized IT vendor admin center where we can execute all our search queries and obtain the desired information from a single interface. This unified platform streamlines the entire process by consolidating various components and their respective search processes into one, eliminating the need to navigate through multiple individual interfaces. With Microsoft 365 Defender, we have the convenience of accessing and investigating different areas of interest from a single standpoint. This not only saves us substantial time but also reduces effort and enhances overall efficiency in our security operations.

    The consolidation of security operations has had a significant impact on our effectiveness and efficiency. It has resulted in improved response times, enabling us to swiftly pinpoint the potential sources of threats. We have observed a reduction in incident response time, allowing us to address security incidents more promptly. Additionally, the consolidation has enhanced the efficiency of our deployment processes, streamlining our overall security operations. These notable impacts have greatly contributed to our organization's ability to proactively identify and mitigate threats, ultimately bolstering our security posture.

    Threat intelligence is an essential component in proactively preparing for potential threats and implementing proactive measures. While I have not personally engaged with this particular feature, it is widely acknowledged that staying informed about current threat intelligence is essential.

    Although preventive measures are in place to minimize maintenance issues, there can be instances where threats successfully circumvent those safeguards. However, the capability to detect and identify threats before they cause harm to the system remains a valuable advantage. Anticipating the effects of this specific feature in Microsoft Defender is something I am eager to experience, as it appears to be a fascinating addition to the security measures.

    What is most valuable?

    Another noteworthy feature that I find appealing in Microsoft Defender is the credit-backed simulation. This feature enables organizations to train their users on effectively responding to phishing emails through a simulated training environment. 

    Indeed, the credit-backed simulation feature in Microsoft Defender operates by sending simulated phishing emails to users within the organization based on the configured settings. When a user interacts with the email by clicking on a link or taking any action, they receive a notification informing them that it was a simulated phishing attempt. This simulation serves as a valuable training tool, helping users learn how to detect and respond to phishing emails effectively. By experiencing these simulations, users can enhance their awareness and develop the skills necessary to prevent falling victim to real phishing scenarios in the future. This feature is highly valuable in improving the overall security awareness and resilience of the organization's users.

    In terms of visibility, Microsoft 365 Defender offers a comprehensive and detailed overview of threats and potential traces identified within your organization. 

    Within Microsoft 365 Defender, you have the ability to configure specific criteria and assign high-risk values to certain indicators. This allows you to align with compliance regulations and establish your organization's threat determination framework. By leveraging Microsoft 365 Defender, you can implement and enforce these criteria to analyze and assess potential threats in your environment. 

    I believe that Microsoft has the potential to greatly enhance the efficiency of the application by incorporating advanced capabilities into this feature. By providing users with the ability to customize and tailor threat detection according to their specific needs, Microsoft could significantly improve the overall effectiveness of the application. The addition of advanced capabilities would be a valuable enhancement, complementing the existing features and further strengthening the overall functionality of Microsoft 365 Defender. This would undoubtedly be a welcome and highly beneficial addition to the platform.

    Microsoft 365 Defender demonstrates a commendable level of comprehensiveness in its threat protection capabilities. However, it is important to acknowledge that false positives and false negatives can be potential challenges in any security solution.

    I primarily focus on using two key features within Microsoft Defender: the attack training simulation and the threat policies integrated with Azure Guard Protection.

    The dashboard is one of the features of this application.

    Implementing this solution has proven to be time-saving as it enables us to effectively track down suspicious and malicious attachments that may accompany emails. Even if users tend to click on attachments without much thought, we have successfully prevented and significantly reduced security breaches that were prevalent in our past security architecture. The ability to identify and mitigate potential threats has greatly improved our overall security posture, providing us with enhanced protection against breaches and unauthorized access to our systems. By leveraging this solution, we have experienced tangible benefits in terms of minimizing security incidents and safeguarding our organization's sensitive data and resources.

    There was a specific incident where an email was received containing an executable file, and unfortunately, like many other users, this particular user was unaware of the potential risks and clicked on it without hesitation. Consequently, the consequences of this action became evident. 

    Microsoft 365 Defender has provided us with the capability to pinpoint the specific machine where the application is currently present, as well as track the actions and steps that the application has already taken on that machine. This is just one example of the numerous areas where Microsoft 365 Defender has proven invaluable in our security operations. 

    While providing an exact numerical comparison may be challenging, I can confidently say that the improvement in our response capabilities with Microsoft 365 Defender compared to our previous security architecture is indeed significant.

    What needs improvement?

    It is fair to acknowledge that Microsoft 365 Defender, like any software product, is not without its imperfections. There are instances where it may incorrectly flag legitimate emails from trusted senders as spam or exhibit inadequate performance in accurately classifying certain emails.

    Aside from that, it's a pretty good solution, and that is for the emails.

    However, the main point I want to convey is that for someone who is new to it, using Microsoft 365 Defender will demand a significant amount of effort and a willingness to learn about the product in order to maximize its benefits. It deals with technical aspects and encompasses a broad range of features beyond just the mentioned warranty, such as online exchanges. To effectively utilize Microsoft 365 Defender, it is important to have a thorough understanding of its functionalities.

    It may be too complex for beginners to grasp.

    In the future, it would be beneficial for Microsoft to consider making the product more user-friendly or simplified for those who are interested in using it. Currently, it requires a high level of technical expertise, making it challenging for beginners or less experienced individuals. 

    Breaking it down into smaller components or enhancing its comprehensibility for end users would serve as a valuable advantage. In fact, it would not only impress others but also motivate them to understand the significance of utilizing Defender in their specific situations.

    At the moment, I have limited knowledge about TripAdvisor and its offerings, so I'm unable to provide comprehensive information. However, based on my current understanding, I believe it would greatly benefit from being more user-friendly and simplifying its features. This would enable users to easily navigate the platform and maximize their experience with it.

    For how long have I used the solution?

    I have been working with Microsoft 365 Defender for a year.

    What do I think about the stability of the solution?

    To the best of my knowledge, I have never encountered a situation where Microsoft 365 Defender experienced significant crashes or unresponsiveness, aside from occasional instances of false positives and false negatives. I have found the platform to be reliable and self-service oriented, with prompt responses from the provider whenever assistance was needed.

    What do I think about the scalability of the solution?

    We currently have around a hundred users with Office 365 licenses; however, not everyone has the same plan that includes Microsoft 365 Defender. I was hoping to access the admin dashboard to have a closer look at the settings and configurations, but it seems that access is limited to approximately fifty users.

    This is managed by Microsoft; you don't have to do anything. All you have to do is understand how to use it to make it work for you.

    Similar to other cloud applications, I believe Microsoft 365 Defender demonstrates excellent scalability by seamlessly accommodating an increasing number of users. It effortlessly scales across these users, eliminating the need for extensive efforts to extend security measures to them. The scalability of Microsoft 365 Defender is highly commendable.

    How are customer service and support?

    In situations where an email that appears to have properties indicative of spam gets delivered instead of being flagged, it is advisable to contact the technical support team directly. 

    Engaging with customer support allows you to understand why such potentially harmful content was allowed into your organization. While Microsoft 365 Defender is an advanced solution, there is always room for improvement, and feedback can help drive future enhancements to make it more effective.

    By reaching out to customer support, you can address specific concerns and gain insights into how to optimize the system's performance for better security outcomes in the future.

    I would rate the technical support an eight out of ten.

    Which solution did I use previously and why did I switch?

    I use Exchange Online Protection in conjunction with exchange mailboxes.

    They collaborate closely. Collaborating with one is nearly identical to collaborating with the other due to the overlapping features between Microsoft 365 Defender and Exchange Online. Essentially, I consider them to be synonymous since their primary objective is ensuring security.

    They lack native integration and instead exhibit interdependence. I believe their collaboration is essential in order to fully utilize their capabilities and optimize the user experience. It is crucial for them to function together in order to achieve maximum benefits and enhance overall performance.

    The main differentiating factor is the expanded scope of Microsoft 365 Defender, which is evident as the primary distinction. Our utilization includes Microsoft 365 for cloud applications and Microsoft 365 for Office Microsoft 365 applications. However, when it comes to Exchange Online Protection, its functionality is exclusively focused on email boxes.

    Microsoft 365 Defender provides a broader and more extensive coverage compared to Exchange Online Protection, offering a wider reach in terms of wireless accessibility.

    In the past, we used Mimecast for email filtering, and before that, we employed Trend Micro as our spam filtering and email filtering solution.

    How was the initial setup?

    I was not involved in the deployment process.

    What was our ROI?

    Previously, organizations had to invest in separate third-party filtering solutions to effectively address potential threats and breaches. However, the situation has now improved significantly as Microsoft 365 Defender consolidates all these necessary security measures into the comprehensive Microsoft 365 license. This consolidation brings numerous benefits, making it a win-win scenario for organizations. They no longer need to make additional purchases or manage multiple security solutions, as everything is conveniently available with the Microsoft 365 license.

    With an eligible and dependable license like Microsoft 365, there is no need to concern yourself with the purchase of an additional third-party solution, which often comes at a higher cost. 

    All these functionalities have been consolidated into a single license, eliminating the need to incur additional costs for third-party solutions such as Google Security for email features and similar functionalities.

    The time it takes for us to respond has been significantly reduced. Additionally, the time it takes to detect potential threats has also seen significant improvements.

    In situations where Microsoft 365 Defender did not successfully mitigate a potential threat or error, it highlights the need to initiate a new process to address the specific scenario. However, with the current setup, we are now able to detect and prevent such incidents in a timely manner. This proactive approach has saved us from potential future issues and the associated costs that may have arisen. Without Microsoft 365 Defender, it would have been challenging to identify and contain these threats, which could have caused widespread problems throughout the environment. The implementation of Microsoft 365 has effectively stopped such incidents from occurring, mitigating the need for extensive investments to resolve the issues. This positive outcome demonstrates a favorable return on investment, provided we fully understand and leverage the capabilities of the product to its maximum potential.

    What's my experience with pricing, setup cost, and licensing?

    I believe the pricing is fair and acceptable. I consider it to be reasonable and satisfactory.

    If you prioritize security, considering the cost should not be a determining factor. If you truly understand the level of protection offered, you wouldn't be concerned about the price. Instead, you would focus on the value provided. From our perspective, the pricing is reasonable considering the significant benefits and value we currently receive.

    Which other solutions did I evaluate?

    We recently transitioned away from those solutions and successfully migrated everyone to Microsoft 365 Defender. Since then, we have been exclusively using Microsoft 365 Defender without any changes up to the present time.

    We have no motivation or desire to switch to or explore other products, as we are already satisfied with the quality and value we receive from our current investment.

    What other advice do I have?

    Optimally managing a combination of various security solutions can be time-consuming and overwhelming. Instead, having a single dashboard where you can consolidate and run all your queries proves to be more efficient. While the intention might be to extract the maximum benefits from multiple solutions, dividing your attention among them hinders the ability to fully leverage each one. Therefore, it is advisable to identify a comprehensive solution that meets your requirements and focus on understanding how to maximize its potential and utilization.

    Furthermore, using multiple solutions in an environment can lead to compatibility issues and conflicts. When you have multiple applications performing similar functions, it can complicate matters and potentially cause problems in the future. To avoid such complications and maintain a streamlined setup, it is advisable to stick with a single solution and focus on understanding and optimizing its usage. By doing so, you can ensure better control and avoid potential disruptions that may arise from using multiple conflicting applications.

    To truly grasp the value of a service like Defender, it may be challenging for someone who hasn't experienced the need for its intervention firsthand. It is essential to engage individuals who have encountered scenarios where Defender played an important role in saving the day. When evaluating the effectiveness of the solution, it is important to involve those with hands-on experience, who have witnessed the capabilities of the product and understand how to maximize its utilization. The hands-on experience becomes paramount when screening and assessing the proficiency of individuals in dealing with this specific solution.

    I would give Microsoft 365 Defender a rating of nine out of ten. The only reason I'm not giving it a perfect score of ten is that it can be quite technical for someone who is just starting out. Additionally, there may be occasional false positives and negatives, which is not unique to Defender but is a common occurrence in various software and security applications. However, apart from these minor aspects, I consider Microsoft 365 Defender to be an excellent solution overall.

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
    Siddharth Kumar - PeerSpot reviewer
    Security Analyst at a recruiting/HR firm with 1,001-5,000 employees
    Real User
    Top 20
    Proactively stops attacks and is useful in the area of threat-hunting
    Pros and Cons
    • "In our company, we have faced multiple attacks over the last few months, but none of them have been successful, and I think Microsoft Defender XDR has played a major role in it."
    • "I do think that maybe having a feature within my organization where there are three different domains within which we have to operate would be helpful, as there is currently no unified view within the domains."

    What is our primary use case?

    I am a purple teamer in my current job, so I also work with detection response in my organization. My job is to configure alerts and monitor incidents, and to do that, my company uses Microsoft Defender XDR. My company has endpoint detection tools for all the endpoints in the organization, and through Microsoft Defender XDR, we are able to get a top-down view of all the incidents on a daily basis and then actually be able to even customize what kind of alerts we want to look for and what kind of attacks are happening. One of the things that I personally love about the tool is the attack story that it provides. Every time there is a specific incident, it creates a graph and maps it to the MITRE ATT&CK framework, so it could be initial access, or you may have malicious activity within the network. The tool can track all of the aforementioned areas, and it gives a confidence level. For example, if it is a high-confidence, high-risk alert, then the tool would probably quarantine that particular endpoint on its own, and then an investigator goes on there and actually verifies it. In my experience in the last six months, the false positive rates have been close to zero. Every time there is a high-confidence alert, there has never been a case where it was not malicious activity, and it is something I love about the product.

    What is most valuable?

    In terms of the most valuable feature of the product, I think it stems from the way it classifies incidents, as it is the most important area in my field of work. Another valuable feature of the tool is threat hunting. For example, there could be a chain of phishing emails that are being sent to our organization, and it may come up as an alert. Then, I know that I can use the artifacts, after which it gives a list of artifacts, which could be email addresses or IP addresses, to identify the threat actors. I can then go ahead and hunt for them across all endpoints within the network, making it essentially something similar to an SQL query that I can run based on what I am looking for. I get more leads in terms of which other mailboxes this particular phishing attack might have gone to where the user may not have interacted with it. The tool allows us to be more proactive in terms of getting close to the initial compromise. I think the threat-hunting feature is coupled with the alerts that my company has configured, and it allows us to proactively stop attacks, which is probably the most important thing for us.

    What needs improvement?

    I think that the tool can do a lot of things in a pretty effective way. A lot of times, one of the things I look at is how the false positive rates are, and so far, I see that they have been close to zero. Honestly, I don't think there is a lot in the area of false positives where the tool could improve. I do think that maybe having a feature within my organization where there are three different domains within which we have to operate would be helpful, as there is currently no unified view within the domains. Within a specific Active Directory, you can have Microsoft Defender XDR running, and so everything, including all the endpoints in that domain, is something you are able to look at from one particular user interface, but there is no feature with which you can merge two different domains. For example, if there are xyz.com and abc.com, for all of the endpoints within each of the domains our company will have a separate UI from Microsoft Defender XDR, and because of that we have to monitor three different UIs at each point in time. There is also a lot of automation that I have put in place, so every time there is a high-risk alert, our company gets an email in our InfoSec mailbox essentially. I think having a feature where you can merge everything onto a single dashboard would be something from which my company would definitely benefit because it's just a lot of sifting through different user interfaces and then collating data from them. In our company, we should just make sure that we are able to respond immediately, especially whenever there is a security issue within the organization.


    For how long have I used the solution?

    I have been using Microsoft Defender XDR for six months. My company is a customer of the product.

    What do I think about the stability of the solution?

    I have been in the company for six months, and I think there has only been one time where I remember there was a bit of a slowdown, which was associated with the antivirus server, and it was not related to Microsoft Defender XDR. Considering the aforementioned issue, my company had to raise a ticket for support, but it has only happened once.

    What do I think about the scalability of the solution?

    So far, the scalability offered by the product has been fine because it serves as an internal tool managing essentially all of the endpoints within the network, which essentially includes all of the employees, servers, access points, and all of that. In the last six months, my company has not really scaled up the use of the tool that much, and so the numbers have been constant, more or less. If my company ever plans to double up in size in a short period of time, it will probably be the time when the tool's scalability will be tested. I don't think I have the data points right now to answer questions related to the tool's scalability feature.

    How are customer service and support?

    I have contacted the product's support team. I feel that Microsoft offers a very good support team, as they are usually well-equipped, and the support team members are currently the ones who set up the tool from scratch. The support team has complete visibility of the environment. Every time there is an issue, it gets resolved within 30 to 45 minutes, sometimes more if it is a bit complicated. For example, if the server is slowing down for some reason, the support team is able to sort it out pretty quickly. I think my experience with the tool's support team has been pretty good. I rate the technical support a nine out of ten.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Before Microsoft Defender XDR, I used some other solutions in the past. In one of my previous organizations, we used to use a SIEM solution like Splunk. The company had a lot of open-source tools, so we used Microsoft Defender XDR and the ELK stack to generate alerts from a network monitoring point of view. The company also had Snort rules running on the same endpoint, which was like a blue team device for monitoring the network, and we also had a Splunk Universal Forwarder on the endpoint that was connected to Splunk's server, which was useful for visualization. Splunk was not an XDR tool; it was more about monitoring alerts that we had configured within the organization, customizing them, and making sure that we were able to catch threats based on signatures. There was less automation in the sense of how you can react to an incident. For example, in Microsoft Defender XDR, the moment there is a high-risk and high-confidence alert, it quarantines the endpoint or that particular mailbox and sends an alert to our company, and in such a manner, it stops the attacks and also lets the investigators know that it is not a false positive, which is something I was missing in the SIEM solution that I used in the past. Alerts were being generated from Snort, and the company where I used to work had an ELK stack running, so we configured the alerts on it. The company also had a Splunk Universal Forwarder that would forward the alerts to a Splunk interface, and that is where we used to visualize all the alerts. In general, it was a combination of different tools that allowed my previous company to have the aforementioned process in place.

    How was the initial setup?

    The solution is deployed on the cloud model, and our company has opted for the cloud services offered by Azure. In our company, we have Microsoft Access Control Service in place, so everything is controlled through Azure. If there are new members in the team, we give them read-only access to XDR through Azure, so it helps manage the identity and access, and then you can access Microsoft Defender XDR's portal. Our organization also creates specific IDs for every investigator to access Microsoft Defender XDR.

    What's my experience with pricing, setup cost, and licensing?

    I don't think I can speak much about the pricing model of the product because it is not something I work with, and so I don't know the amount of money being burned by the company for the solution, making it an area beyond my visibility. With the little idea I have about the costs, I can say that XDR tools tend to be a bit expensive. If you are using Microsoft Defender XDR, then you need to go for a subscription-based pricing model. In my organization, which is a relatively large company with close to 3,000 employees, the solution works out well for us. For example, if I had a startup, it probably wouldn't be cost-effective to have an XDR solution in place, and that is where I would probably look at more open-source tools to work with and maybe have a SIEM solution, which was a startup, a reason why we had to rely on open-source tools. My previous organization had also opted for a subscription to use Splunk, which was expensive, but it was better than getting an XDR tool.

    What other advice do I have?

    Speaking of whether I started to see the benefits of the product immediately after its deployment or if I had to wait for some time, I would say that Microsoft Defender XDR has been in place from the time I joined my current organization. I immediately saw the benefits of using the product. I wasn't present in the organization at a time when they had moved initially to Microsoft Defender XDR, so I can't speak about the time point during which others in the company saw the benefits or effects of the use of the solution. I think the tool has been very efficient because I have worked in other organizations where they were not using Microsoft Defender XDR, as they preferred SIEM solutions. I have seen that in scenarios where SIEM-based tools were used, it was more of the investigator who had to figure out what was happening because you just had a ton of data coming in from the bottom up. In my previous companies, we had a Splunk interface through which we could indulge in monitoring. I see a stark contrast between the previous products and Microsoft Defender XDR, and it is because the latter-mentioned tool not only allows you to get that bottom-up view where, whatever is happening on an endpoint level, I am able to monitor, while also being able to push things from the top down. For example, if I wanted to quarantine a particular file on a subset of endpoints, I can do that from Microsoft Defender XDR, where I can put it on a block list and mark it to a particular Active Directory group, after which I am able to then block that out. The tool is quite effective from a detection and response point of view.

    If I consider whether it is better to have just one solution instead of a combination of tools, I would say that it is always better to have a combination of products. The SIEM solution I had used previously was quite efficient in collecting data and in being able to process large amounts of data from where we had a lot of endpoints within a particular network, which I think was fast in many ways. Microsoft Defender XDR internally does the same thing as a SIEM solution. If you ask me, it is always best to have a SIEM solution integrated with an XDR tool because most SIEM products are very good at handling large amounts of alerts, and if you have configured it properly, then you can have a very precise view of what is happening at any given point in time within the network, and once you have it, you can have that database forwarded to XDR that can push down. The XDR tools are very good at classifying events. If you have actions in place as to what needs to be done, then, for example, if an email is marked under the phishing category, you would want to get rid of it from the inbox first. Ideally, it shouldn't even land in the inbox, but if it does, then you want to quarantine it. Pushing a certain action down to the affected devices, I think XDR tools do it brilliantly. I think it is always good to have a match between a SIEM tool and an XDR product or a customization between different tools to help achieve your goals.

    The product does require maintenance. With the cloud instances that host the server, our company continuously monitors the health, as we have health checks in place that generate alerts in case something goes wrong, a major reason why we use Microsoft Defender XDR. My company also has Kaspersky's antivirus server, which is essentially hosted on a different server. Sometimes, because of the number of endpoints we have in our company's network, the server does slow down due to resource constraints. It is not my job to maintain the servers in my company, but we have a different team that deals with it. In our company, we do have a couple of instances where the servers are internally managed.

    I think Microsoft Defender XDR is one of the best detection and response tools I have worked with as it is quite effective in flagging serious threats for the organization. In our company, we have faced multiple attacks over the last few months, but none of them have been successful, and I think Microsoft Defender XDR has played a major role in it.

    Firstly, potential users of the solution should consider that the tool comes with a lot of already customized alerts for any Active Directory environment, but it is always good to understand, especially if you are a new user of the tool. Even if someone is new in the security team, I think it is that person's job to analyze the business, the kind of attacks you could expect coming in, and the kind of visibility that the organization provides on the internet. Once a person gets a good idea about the aforementioned areas, you need to customize alerts and create custom alerts for your organization because that is an area that is going to be unique and different for each and every company, so it won't ever be the same. Microsoft Defender XDR certainly helps with mapping the seven steps of the cyber kill chain, and if the product sticks to it and looks at every single step, lists down the kind of threats, and then customizes the alerts according to that, I believe the users will have a successful time in being able to detect threats before they happen or even while they are happening.

    I rate the overall tool a ten out of ten.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Vladimir Lopatin - PeerSpot reviewer
    Sr. Security Solution Specialist/Security Solutions Sales Lead at Awara IT
    MSP
    Top 20
    The system of analysis and investigation is super convenient for our customers
    Pros and Cons
    • "Microsoft XDR's system of analysis and investigation is super convenient for our customers. It integrates with other Microsoft solutions like Defender for 365 to protect email traffic from malicious external web links and phishing."
    • "Customers say they want absolutely seamless integration between other Microsoft solutions and Defender XDR, including the ability to change device settings within the Defender portal. They need to contact the IT team responsible for the device management tools to change some settings. They would prefer that those changes be initiated directly from the Defender portal or applied from Intune without involving the IT operations team."

    What is our primary use case?

    I am a consultant responsible for deploying and providing customer support for Microsoft products. We use Defender XDR for endpoint protection. It helps them secure endpoints with an advanced XDR solution that conducts behavior analysis and things like that.

    How has it helped my organization?

    Defender XDR provides more visibility into all the connected services, including the security stack and all the productivity software. They're all integrated. It's much less maintenance and has fewer headaches during integration and setup. Implementing the solution and getting the customer fully protected takes very little time. According to Gartner, it's one of the best solutions on the market, and it requires a limited amount of time and resources to get it fully operational.

    By adopting Defender XDR, our customers have discontinued other security products. The solution can replace products like Kaspersky, McAfee, Trend Micro, and even CrowdStrike. 

    It has affected customers' security operations by simplifying permissions and reducing the total cost of ownership if we discontinue all the security products that the customers used before. Customers usually save around 20 percent, but it's more than simply replacing one component with another. It replaces several security solutions like email and cloud application protection. If you compare the total cost of ownership of on-prem solutions versus Microsoft, it is better to go with Microsoft. You also get lifetime upgrades for the systems and features that you implement.

    What is most valuable?

    Microsoft XDR's system of analysis and investigation is super convenient for our customers. It integrates with other Microsoft solutions like Defender for 365 to protect email traffic from malicious external web links and phishing. Customers like that the platform provides a single pane of glass for all the security services. Many of them do not have the capacity to support complex systems, so it's better for them to have most of the tools integrated into one platform. 

    You can integrate XDR with Microsoft's identity solution Entra ID if you have a premium license. Those tools are fully integrated, but you need to purchase a separate solution called Defender for Identity to get tools to protect identities and connect the Enterprise Data Center with Defender.

    Defender XDR's coverage isn't limited to Microsoft products. You can use almost any solution and achieve the same single point of control. For example, you can integrate Microsoft Defender for Cloud Applications, which covers all the cloud service providers. It isn't limited to only Microsoft infrastructure.

    What needs improvement?

    Customers say they want absolutely seamless integration between other Microsoft solutions and Defender XDR, including the ability to change device settings within the Defender portal. They need to contact the IT team responsible for the device management tools to change some settings. They would prefer that those changes be initiated directly from the Defender portal or applied from Intune without involving the IT operations team.

    For how long have I used the solution?

    I have used Microsoft Defender XDR for five years. 

    What do I think about the stability of the solution?

    Defender XDR is almost 100 percent stable.

    What do I think about the scalability of the solution?

    Defender XDR is infinitely scalable. 

    How are customer service and support?

    I rate Microsoft standard support six out of 10 and premium support eight out of 10. The response times for basic Microsoft support leave much to be desired. It can take up to two weeks to resolve issues if you don't have a support contract. 

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    Deploying Defender XDR is relatively straightforward, but it depends on whether the customer has already integrated its on-premise infrastructure with the Microsoft cloud.

    Deployment requires one or two engineers on our side. We determine the scope of the work and the deployment before rolling out the clients to the endpoints. The biggest question is whether the customer already has the network infrastructure prepared for that service based on the Microsoft documentation. For example, we must determine if the endpoints connect directly to the Microsoft cloud or through a proxy server, firewalls, etc.

    Defender includes four or five different products. The most useful is Defender for Endpoint, which typically takes up to two weeks to deploy, while Defender for Office and Defender for Identity take one week to deploy. Defender for Cloud Applications can be deployed in a few days. It also depends on how the customer will use it. If it's being used for compliance, the customer's requirements may be totally different.

    The number of maintenance and administrative personnel depends on the organization's size and the number of solutions deployed. It's hard to calculate how many people would be necessary for that particular part of the security ecosystem. However, Defender XDR takes up to three people to manage.

    What's my experience with pricing, setup cost, and licensing?

    Defender XDR is expensive, but the cost is justified. Defender is included in an E3 or E5 license. If you don't have a premium Microsoft license and you purchase Defender separately, the whole model will be different. You can also pay extra for premium support. 

    What other advice do I have?

    I rate Microsoft Defender XDR nine out of 10. I recommend starting it as soon as possible, but you must also plan for any future on-premise solutions that you might bring into the system. Consider any prerequisites you need if you decide to go with the product. The biggest issue is that your network infrastructure needs to be set up according to the Microsoft documentation.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer. Partner