Microsoft Defender XDR Reviews

My company mostly uses Microsoft Office products, so we use 365 Defender for our security. 365 Defender is deployed globally, and it works the same whether you are in Europe, China, or India. It currently covers around 4,000 people worldwide. 

Defender reduced our attack surface with built-in rules for USB-based threats. Sometimes employees plug in a USB containing threats. Defender will immediately stop malicious executables from running. 

We have our own method for defining incident priorities. For example, most identity-related incidents are on the higher side. However, if we see a large number of low-level alerts affecting a single user in a short period, then those need to be checked. Automation can help in these cases. It's good to have, but I don't think Microsoft is currently very capable of machine learning. 

Defender has a security dashboard, but there is a different console for vulnerability management. We can create multiple reports where alerts are categorized and labeled, and Defender provides a single console where we can fetch all those reports. 

There isn't a foolproof method for preventing all cyber attacks, but best practices can reduce risks and limit the impact of threats. If you identify threats, you can build block lists and create regular employee training to tell people what to avoid. 

Preventing threats requires a strong firewall and antivirus solution. Defender is a good one. You can also implement threat prevention and detection technology in your remote environment. Nothing can completely prevent attacks from happening, but you can create policies using threat intelligence to ensure they are stopped. 

365 Defender helps us save time by simplifying threat response. For example, one of my customers uses USB to transfer data from one place to another. Some USB drives contain malicious programs, so I configured a rule to stop the executable. If a user copies documents from the USB with a harmful executable, Defender will lock it down. They can only copy the documents, but the executable will not run. 

It saves us lots of time. It reduces the time we spend on these tasks by about 50 to 60 percent. I switch it to audit mode and collect logs. After a month, I have received hundreds of alerts. With my rule in place to block USB executables, we no longer get alerts for that particular threat. Implementing that single rule reduced our alerts by around 30 percent. 

Defender reduces the detection time. We have a SOC team to review all those logs and alerts, and it helps them work quickly. There is little delay between detection and remediation. 

Microsoft Defender's most critical component is its CASB solution. It has many built-in policies that can improve your organization's cloud security posture. It's effective regardless of where your users are, which is critical because most users are working from home. It's cloud-based, so nothing is on-premise.

When dealing with remote users, you need the coverage of firewalls, antivirus, and all those essential security measures. There are multiple policies available that can help the organization secure its environment to prevent something malicious from entering. You need to flag users logging in from a different IP and guard against brute force attacks by detecting multiple failed login attempts.

There is also an option for identity. Most organizations aren't entirely on the Cloud. They still rely on on-prem data centers, so you need Defender for Identity. Another advantage of a cloud-based solution is that you don't need to constantly upgrade it monthly, quarterly, or weekly. All of your infrastructure is online. 

You need multiple solutions for outside threats. I can see if someone is logging in from a malicious IP before they can access the environment. You cannot completely block cybersecurity threats, but you can proactively resolve them and create a wall around your environment. 

365 Defender's attack surface reduction rules could be more customizable. Microsoft has its own pre-defined rules that can be adapted to every organization, but Defender should support the ability to create custom rules from scratch.

Defender also lacks automated detection and response. You need to resolve issues manually. You can manage multiple Microsoft security products from a single portal, and all your security recommendations are in one place. It's easy to understand and manage. However, I wouldn't say Defender is a single pane of glass. You still need to switch between all of the available Microsoft tools. You can see all the alerts in one panel, but you can't automate remediation. 

Automated remediation can be improved. I'm currently creating a remediation structure there and pushing it to my vendor, but the vendor should have their own way of resolving things. It only alerts you that something is happening. The security administrator needs to take action because Defender's automated capabilities aren't up to par. 

I have been using 365 Defender for more than a year. 

365 Defender is stable. I haven't seen an outage in the past year. We've had 100 availability. Occasionally, the servers go down for maintenance, and the sensors stop working. It doesn't happen frequently. 

365 Defender is highly scalable. 

Microsoft's support is excellent. Most issues resolve on their own, but when we need support, they typically resolve the issue quickly. 

Positive

At my previous company, we used other antivirus and identity solutions, but they weren't a complete package like 365 Defender. For example, CrowdStrike was our EDR solution, which had extended capabilities, or XDR. We had various solutions that collectively did the same thing as Defender. 

365 Defender is cloud-based, so the deployment is straightforward and only takes 10 to 15 minutes. You need to change a few configurations on your devices using Intune. One person is sufficient to do the job. It's a simple installer. 

After the deployment, you don't need to do any maintenance because it's on the cloud. The only thing deployed on-premise is the ATP sensor, which automatically upgrades. 

365 Defender is bundled with our Microsoft Enterprise license. Additional costs for support, etc. depend on the license level. If you have a premium account, you will receive priority support, but it costs more. 

I rate Microsoft 365 Defender a nine out of ten. I personally wouldn't recommend only using a single solution or vendor. If you don't try other products, then you won't be aware of what is happening in the market. There should be multiple products involved, so you can compare the solutions and go with the best one. 

The solution is primarily used for security response. We work with many government ministries that use Microsoft, Microsoft 365, or security tools like Azure XDR. This solution integrates with other products, helps with detection, and offers quick response times.

The threat-hunting and incident investigation capabilities are very strong. It can investigate and block phishing attacks and monitor them effectively. We can even do endpoint behavior analysis. 

The solution's XDR platform provides unified identity and access management for customers. If the customer is using a Microsoft Enterprise XDR solution, it does. We do have Microsoft Defender for Identity. It's part of the suite itself. Customers can have Defender for Endpoints, Defender for Identity, and Defender for Cloud. All these things combined form the XDR. The main use cases are around identity - to understand whether there is identity hacking, privilege escalation, or some malicious user in the environment. It helps us respond to those events very quickly.

From a coverage point of view, it's good. We are quite happy with it. If we have users with multiple devices, the solution provides comprehensive coverage.

While the solution does cover technology beyond Microsoft, it's strongest when monitoring the Microsoft Suite. We do have servers, and it can monitor them. They don't necessarily have to be Windows servers.

Defender XDR can stop advanced attacks, like ransomware or business email compromise. It depends on how the solution is configured. It does a lot of monitoring and helps the SOC team or the analysis team find issues. 

The solution has the ability to stop attacks and can adapt to evolving threats. It can ingest a lot of threat intel data, which actually gives us the latest information about how the threats are happening. It does a quick analysis of that. 

Some customers use Defender XDR's multi-tenant management capabilities. That said, most of the time, they might not need a multi-tenancy. In one or two cases, customers may have done it, but not very frequently. The multi-tenant management capabilities for investigating and responding to threats across tenants are pretty decent. It provides a very unified view. That's one of the core capabilities of Microsoft XDR - the unification of the view. In a security situation, I might have solutions in multiple places. However, our tenant will be protected, and we will receive alerts. It helps a lot with individual client monitoring. It will help me hunt other tenants as well. It makes it so we have a very cohesive environment. 

Defender XDR has enabled some of our customers to discontinue the use of other security products. However, it's not always based on capabilities. In Qatar, for example, it's a government mandate to use Microsoft as much as possible, so we move a lot of customers over exclusively to Microsoft in those cases. That doesn't mean the other product wasn't performing. It just means there is a heavy preference towards being solely on Microsoft. 

The Microsoft XDR solution has helped some customers to reduce costs. One of the major cost reductions is on the resources side (not on the technology side). As a service provider, we can move to a much leaner team with the XDR setup than with a non-XDR setup. When you have different environments to monitor and different alerts coming in from different devices, then you need more people to do the monitoring and analysis. However, when you have a unified view of the environment, then you can reduce the team to a certain extent. We can do a 25% reduction on a team, which is a considerable reduction since resources are expensive. How much a company can save depends on the environment. If it's small, the reduction in cost may not be significant. It can be as low as 10% or as high as 25%, depending on the size of the environment. 

It's helped us save time. It's difficult to specify how much; however, it's likely up to 25% thanks to the reduction in the analysis needed. 

From a performance standpoint, improvements could be made. 

I've used the solution for one and a half years. 

I'd rate the stability eight or nine out of ten. If it's just a Microsoft environment, the reliability is very good. If it's a mixed environment, I'd rate the stability seven out of ten. 

The solution is highly scalable. 

Technical support is good. We have enterprise support and they are responsive.

Positive

I do not handle the initial setup process. The customer may deploy it across multiple locations. The size of the environment can vary from 100 users to 1,000.

There isn't really any heavy maintenance. You just have to renew the licenses. If it's a small environment, one person can handle that. If it's bigger, there may be two or three people. 

My understanding is that Microsoft is trying to change the pricing. However, right now, it's bundled together. If it could be decoupled a bit, it would help customers be able to afford the solution. 

We are service providers, and we resell Microsoft solutions. 

XDR is basically used for unification. It's more of a dashboard. When you have an XDR, you can monitor the entire environment. You can also see and take actions across the entire environment, which is actually a very big advantage when it comes to a particular software analyst's day-to-day job. They can be monitoring one screen. Typically, if an issue is found, a ticket needs to be made, and that's passed onto an engineer, but with XDR, a lot can be automated. It can help reduce costs related to manpower and make the process more efficient. 

I'd rate the solution nine out of ten and recommend it to others. Smaller companies may not need it; however, if a company is growing fast or is already sizable, it's a good option—especially if it is a mostly homogeneous Microsoft environment.

I am a purple teamer in my current job, so I also work with detection response in my organization. My job is to configure alerts and monitor incidents, and to do that, my company uses Microsoft Defender XDR. My company has endpoint detection tools for all the endpoints in the organization, and through Microsoft Defender XDR, we are able to get a top-down view of all the incidents on a daily basis and then actually be able to even customize what kind of alerts we want to look for and what kind of attacks are happening. One of the things that I personally love about the tool is the attack story that it provides. Every time there is a specific incident, it creates a graph and maps it to Mitre Att&ck Framework, so it could be initial access, or you may have malicious activity within the network. The tool can track all of the aforementioned areas, and it gives a confidence level. For example, if it is a high-confidence, high-risk alert, then the tool would probably quarantine that particular endpoint on its own, and then an investigator goes on there and actually verifies it. In my experience in the last six months, the false positive rates have been close to zero. Every time there is a case of high confidence alert, there has never been a case where it was not a malicious activity, and it is something I love about the product.

In terms of the most valuable feature of the product, I think it stems from the way it classifies incidents, as it is the most important area in my field of work. Another valuable feature of the tool is threat hunting. For example, there could be a chain of phishing emails that are being sent to our organization, and it may come up as an alert. Then, I know that I can use the artifacts, after which it gives a list of artifacts, which could be email addresses or IP addresses, to identify the threat actors. I can then go ahead and hunt for them across all endpoints within the network, making it essentially something similar to an SQL query that I can run based on what I am looking for. I get more leads in terms of which other mailboxes this particular phishing attack might have gone to where the user may not have interacted with it. The tool allows us to be more proactive in terms of getting close to the initial compromise. I think the threat-hunting feature is coupled with the alerts that my company has configured, and it allows us to proactively stop attacks, which is probably the most important thing for us.

I think that the tool can do a lot of things in a pretty effective way. A lot of times, one of the things I look at is how the false positive rates are, and so far, I see that they have been close to zero. Honestly, I don't think there is a lot in the area of false positives where the tool could improve. I do think that maybe having a feature within my organization where there are three different domains within which we have to operate would be helpful, as there is currently no unified view within the domains. Within a specific Active Directory, you can have Microsoft Defender XDR running, and so everything, including all the endpoints in that domain, are areas you are able to look at from one particular user interface, but there is no feature in which you can merge two different domains. For example, if there are xyz.com and abc.com, all of the endpoints within each of the domains, our company will have a separate UI from Microsoft Defender XDR, and because of it, we have to monitor three different UIs at each point in time. There is also a lot of automation that I have put in place, so every time there is a high-risk alert, our company gets an email in our InfoSec mailbox essentially. I think having a feature where you can merge everything onto a single dashboard would be something from which my company would definitely benefit because it's just a lot of sifting through different user interfaces and then collating data from it. In our company, we should just make sure that we are able to respond immediately, especially whenever there is a security issue within the organization.

I have been using Microsoft Defender XDR for six months. My company is a customer of the product.

I have been in the company for six months, and I think there has only been one time where I remember there was a bit of a slowdown which was associated with the antivirus server and it was not related to Microsoft Defender XDR. Considering the aforementioned issue, my company had to raise a ticket for support, but it has only happened once.

So far, the scalability offered by the product has been fine because it serves as an internal tool managing essentially all of the endpoints within the network, which essentially includes all of the employees, servers, access points, and all of that. In the last six months, my company has not really scaled up the use of the tool that much, and so the numbers have been constant, more or less. If my company ever plans to double up in size in a short period of time, it will probably be the time when the tool's scalability will be tested. I don't think I have the data points right now to answer questions related to the tool's scalability feature.

I have contacted the product's support team. I feel that Microsoft offers a very good support team, as they are usually well-equipped, and the support team members are currently the ones who set up the tool from scratch. The support team has complete visibility of the environment. Every time there is an issue, it gets resolved within 30 to 45 minutes, sometimes more if it is a bit complicated. For example, if the server is slowing down for some reason, the support team is able to sort it out pretty quickly. I think my experience with the tool's support team has been pretty good. I rate the technical support a nine out of ten.

Positive

Before Microsoft Defender XDR, I used some other solutions of the past. In one of my previous organizations, we used to use an SIEM solution like Splunk. The company had a lot of open-source tools, so we used Microsoft Defender XDR and ELK stack to generate alerts from a network monitoring point of view. The company also had Snort rules running on the same endpoint, which was like a blue team device for monitoring the network, and we also had a Splunk Universal Forwarder on the endpoint that was connected to Splunk's server, which was useful for visualization. Splunk was not an XDR tool; it was more about monitoring alerts that we had configured within the organization, customizing them, and making sure that we were able to catch threats based on signatures. There was less automation in the sense of how you can react to an incident. For example, in Microsoft Defender XDR, the moment there is a high-risk and high-confidence alert, it quarantines the endpoint or that particular mailbox and sends an alert to our company, and in such a manner, it stops the attacks, and also lets the investigators know that it is not a false positive, which is something I was missing in a SIEM solution that I used in the past. Alerts were being generated from Snort, and the company where I used to work had an ELK stack running, so we configured the alerts on it. The company also had a Splunk Universal Forwarder that would forward the alerts to a Splunk interface, and it is where we used to visualize all the alerts. In general, it was a combination of different tools that allowed my previous company to have the aforementioned process in place.

The solution is deployed on the cloud model, and our company has opted for the cloud services offered by Azure. In our company, we have Microsoft Access Control Service in place, so everything is controlled through Azure. If there are new members in the team, we give them read-only access to XDR through Azure, so it helps manage the identity and access, and then you can access Microsoft Defender XDR's portal. Our organization also creates specific IDs for every investigator to access Microsoft Defender XDR.

I don't think I can speak much about the pricing model of the product because it is not something I work with, and so I don't know the amount of money being burned by the company for the solution, making it an area beyond my visibility. With the little idea I have about the costs, I can say that XDR tools tend to be a bit expensive. If you are using Microsoft Defender XDR, then you need to go for a subscription-based pricing model. In my organization, which is a relatively large company with close to 3,000 employees, the solution works out well for us. For example, if I had a startup, it probably wouldn't be cost-effective to have an XDR solution in place, and that is where I would probably look at more open-source tools to work with and maybe have a SIEM solution which was a startup, a reason why we had to rely on open source tools. My previous organization also had opted for a subscription to use Splunk, which was expensive, but it was better than getting an XDR tool.

Speaking of whether I started to see the benefits of the product immediately after its deployment or if I had to wait for some time, I would say that Microsoft Defender XDR has been in place from the time I joined my current organization. I immediately saw the benefits of using the product. I wasn't present in the organization at a time when they had moved initially to Microsoft Defender XDR, so I can't speak about the time point during which others in the company saw the benefits or effects of the use of the solution. I think the tool has been very efficient because I have worked in other organizations where they were not using Microsoft Defender XDR, as they preferred SIEM solutions. I have seen that in scenarios where SIEM-based tools were used, it was more of the investigator who had to figure out what was happening because you just had a ton of data coming in from the bottom up. In my previous companies, we had a Splunk interface through which we could indulge in monitoring. I see a stark contrast between the previous products and Microsoft Defender XDR, and it is because the latter-mentioned tool not only allows you to get that bottom-up view where whatever is happening on an endpoint level, I am able to monitor while also being able to push things from the top to down. For example, if I wanted to quarantine a particular file on a subset of endpoints, I can do that from Microsoft Defender XDR, where I can put it on a block list and mark it to a particular Active Directory group, after which I am able to then block that out. The tool is quite effective from a detection and response point of view.

If I consider whether it is better to have just one solution instead of a combination of tools, I would say that it is always better to have a combination of products. The SIEM solution I had used previously was quite efficient in collecting data and in being able to process large amounts of data from where we had a lot of endpoints within a particular network, which I think was fast in many ways. Microsoft Defender XDR internally does the same thing as an SIEM solution. If you ask me, it is always best to have an SIEM solution integrated with an XDR tool because most SIEM products are very good at handling large amounts of alerts, and if you have configured it properly, then you can have a very precise view of what is happening at any given point in time within the network, and once you have it, you can have that database forwarded to XDR that can push down. The XDR tools are very good at classifying events. If you have actions in place as to what needs to be done, then, for example, if an email is marked under the phishing category, you would want to get rid of it from the inbox first. Ideally, it shouldn't even land in the inbox, but if it does, then you want to quarantine it. Pushing a certain action down to the affected devices, I think XDR tools do it brilliantly. I think it is always good to have a match between a SIEM tool and an XDR product or a customization between different tools to help achieve your goals.

The product does require maintenance. With the cloud instances that host the server, our company continuously monitors the health, as we have health checks in place that generate alerts in case something goes wrong, a major reason why we use Microsoft Defender XDR. My company also has Kaspersky's antivirus server, which is essentially hosted on a different server. Sometimes, because of the number of endpoints we have in our company's network, the server does slow down due to resource constraints. It is not my job to maintain the servers in my company, but we have a different team that deals with it. In our company, we do have a couple of instances where the servers are internally managed.

I think Microsoft Defender XDR is one of the best detection and response tools I have worked with as it is quite effective in flagging serious threats for the organization. In our company,we have faced multiple attacks over the last few months, but none of them have been successful, and I think Microsoft Defender XDR has played a major role in it.

Firstly, potential users of the solution should consider that the tool comes with a lot of already customized alerts for any Active Directory environment, but it is always good to understand, especially if you are a new user of the tool. Even if someone is new in the security team, I think it is that person's job to analyze the business, the kind of attacks you could expect coming in, and the kind of visibility that the organization provides on the internet. Once a person gets a good idea about the aforementioned areas, you need to customize alerts and create custom alerts for your organization because that is an area that is going to be unique and different for each and every company, so it won't ever be the same. Microsoft Defender XDR certainly helps with mapping the seven steps of the cyber kill chain, and if the product sticks to it and looks at every single step, lists down the kind of threats, and then customizes the alerts according to that, I believe the users will have a successful time in being able to detect threats before they happen or even while they are happening.

I rate the overall tool a ten out of ten.

I am a consultant responsible for deploying and providing customer support for Microsoft products. We use Defender XDR for endpoint protection. It helps them secure endpoints with an advanced XDR solution that conducts behavior analysis and things like that.

Defender XDR provides more visibility into all the connected services, including the security stack and all the productivity software. They're all integrated. It's much less maintenance and has fewer headaches during integration and setup. Implementing the solution and getting the customer fully protected takes very little time. According to Gartner, it's one of the best solutions on the market,  and it requires a limited amount of time and resources to get it fully operational.

By adopting Defender XDR, our customers have discontinued other security products. The solution can replace products like Kaspersky, McAfee, Trend Micro, and even CrowdStrike. 

It has affected customers' security operations by simplifying permissions and reducing the total cost ownership if we discontinue all the security products that the customers used before. Customers usually save around 20 percent, but it's more than simply replacing one component with another. It replaces several security solutions like email and cloud application protection. If you compare the total cost of ownership of on-prem solutions versus Microsoft, it is better to go with Microsoft. You also get lifetime upgrades for the systems and features that you implement.

Microsoft XDR's system of analysis and investigation is super convenient for our customers. It integrates with other Microsoft solutions like Defender for 365 to protect email traffic from malicious external web links and phishing. Customers like that the platform provides a single pane of glass for all the security services. Many of them do not have the capacity to support complex systems, so it's better for them to have most of the tools integrated into one platform. 

You can integrate XDR with Microsoft's identity solution Entra ID if you have a premium license. Those tools are fully integrated, but you need to purchase a separate solution called Defender for Identity to get tools to protect identities and connect the Enterprise Data Center with Defender.

Defender XDR's coverage isn't limited to Microsoft products. You can use almost any solution and achieve the same single point of control. For example, you can integrate Microsoft Defender for Cloud Applications, which covers all the cloud service providers. It isn't limited to only Microsoft infrastructure.

Customers say they want absolutely seamless integration between other Microsoft solutions and Defender XDR, including the ability to change device settings within the Defender portal. They need to contact the IT team responsible for the device management tools to change some settings. They would prefer that those changes be initiated directly from the Defender portal or applied from Intune without involving the IT operations team.

I have used Microsoft Defender XDR for five years. 

Defender XDR is almost 100 percent stable.

Defender XDR is infinitely scalable. 

I rate Microsoft standard support six out of 10 and premium support eight out of 10. The response times for basic Microsoft support leave much to be desired. It can take up to two weeks to resolve issues if you don't have a support contract. 

Neutral

Deploying Defender XDR is relatively straightforward, but it depends on whether the customer has already integrated its on-premise infrastructure with the Microsoft cloud.

Deployment requires one or two engineers on our side. We determine the scope of the work and the deployment before rolling out the clients to the endpoints. The biggest question is whether the customer already has the network infrastructure prepared for that service based on the Microsoft documentation. For example, we must determine if the endpoints connect directly to the Microsoft cloud or through a proxy server, firewalls, etc.

Defender includes four or five products different products. The most useful is Defender for Endpoint, which typically takes up to two weeks to deploy, while Defender for Office and Defender for Identity take one week to deploy. Defender for Cloud Applications can be deployed in a few days. It also depends on how the customer will use it. If it's being used for compliance, the customer's requirements may be totally different. 

The number of maintenance and administrative personnel depends on the organization's size and the number of solutions deployed. It's hard to calculate how people would be necessary for that particular part of the security ecosystem. However, Defender XDR takes up to three people to manage. 

Defender XDR is expensive, but the cost is justified. Defender is included in an E3 or E5 license. If you don't have a premium Microsoft license and you purchase Defender separately, the whole model will be different. You can also pay extra for premium support. 

I rate Microsoft Defender XDR nine out of 10. I recommend starting it as soon as possible, but you must also plan for any future on-premise solutions that you might bring into the system. Consider any prerequisites you need if you decide to go with the product. The biggest issue is that your network infrastructure needs to be set up according to the Microsoft documentation.

My company operates as a service provider, so we use Microsoft Defender XDR in our office to provide our customers with security services.

I won't say that the product helped improve how my organization operates, but there is a need to build trust between the user and the product. Microsoft Defender XDR has been used in my organization since we purchased Windows 10 or 11, after which a user does not need to install any products from Microsoft separately. Some of my company's customers insist they want to install antivirus software separately in their environment due to trust issues.

The most valuable feature of the solution stems from the fact that Microsoft Defender XDR is easy to integrate with other Microsoft platforms or products. Some other vendors of security products provide great features or capabilities of detection, but the best feature of Microsoft is its integration capability.

One important point about the solution that is an area of concern where improvements are required is related to the control center it provides. Generally, antivirus products provide a central control to manage every device in terms of who is installing it or who is trying to disable it, but Microsoft doesn't have such a control center for the antivirus product it provides.

I have been using Microsoft Defender XDR for three years. My company has a partnership with Microsoft. My company is also a reseller of Microsoft products.

As a part of Microsoft's attempt to reduce costs, there has been a direct cut down of the local technical support team. Sometimes, you have to use the technical support offered by Microsoft from other countries, but at times, we speak different languages, just like how people speak in Chinese or Mandarin, but there are still some differences between them. The front-line support from Microsoft has only limited technical abilities or access to their internal system. Sometimes, my company cannot even escalate an issue to Microsoft's senior team members.

The support team of Microsoft is nice as they attempt to solve the problems together with you, but I believe that due to some cost-related issues, they don't have enough permissions. Sometimes, users might feel blocked when trying to connect with the support team.

I rate the technical support a seven out of ten.

Neutral

My company started with Microsoft Defender XDR when we partnered with Microsoft. Some of our company's customers prefer CrowdStrike, Fortinet, and FortiSIEM.

You don't need to indulge in troubleshooting, making the initial setup phase an easy process because you could just use a GPO on your server to deploy everything. When there comes a problem to onboard some specific devices, and you need to indulge in troubleshooting, sometimes Microsoft Defender XDR's team says it is a problem with the devices a user is trying to onboard, and it's really hard for our company as service providers since we cannot always ask customers to reinstall their server.

Microsoft purposely makes its license combinations complex and includes combinations like Microsoft 365 E3 and Microsoft 365 E5, Office 365 E3, Office 365 E5, and Office 365 E1, so you get confused. Microsoft tries to sell you a bundle of a lot of things together. The licensing model of the product should be made more understandable.

There are other good products in the market, and it is difficult to state which one is better since all of them have micro differences in terms of pricing. There may be components like the user interface or maybe some other elements to judge other products, but when it comes to Microsoft, the most important factor stems from the fact that most people use Windows, so it's all integrated.

The product provides unified identity and access management as long as I use all of the products offered by Microsoft.

It is important for me that identity and access management are included within Microsoft Defender XDR because everything is controlled by your identity in the digital world, making it look like a user's government ID in the digital world. My company has tried a lot to talk to and educate our customers since some try not to use a complex password or MFA, which is the most important thing to protect your identity.

Some integration functions in Azure portal allow users to integrate their third-party applications. With the solution, it is not easy to track third-party applications. For transactions recognized by your credentials, it is not easy to track as they would stop, after which we are informed there is a problem. In my organization, we only know how some third-party applications ask to check the credentials, but we don't know what Microsoft Defender XDR does with it, so the product's security doesn't extend beyond just Microsoft technologies.

The product does stop lateral movement and advanced attacks like ransomware or business email compromise. The product blocks a lot of ransomware, which is good. It is considered to be a strict product, so if some of our customers use some local mail service, they have been blocked because Microsoft considers it to be not secure. Microsoft puts a lot of effort into security.

Microsoft Defender XDR's ability to stop attacks covers the product's ability to adapt to evolving threats. It is better to use it as a cloud-based solution that keeps adapting to changes and providing new features.

The product must adapt and evolve to manage threats since there is a new zero-day vulnerability every day, and there is no way to get protection from it. You cannot rely on the users or the admin to upgrade the features daily, so it's better to adopt it automatically with a cloud-based solution like Microsoft Defender XDR.

There were some problems when my organization tried to discontinue other products during the implementation phase of Microsoft Defender XDR since Microsoft tried to integrate all the products in our organization's environment together. If you have used Microsoft Defender XDR, you have to use an antivirus from Microsoft along with Microsoft Identity Platform Endpoint to get the best results. Sometimes, some customers may try to install some third-party antivirus in their environment other than the one provided by Microsoft, which gets blocked. Sometimes, antivirus software from a vendor goes into passive mode. When an antivirus software is in passive mode, some of its advanced features are not usable, causing some problems the user needs to deal with when using it.

The product's ability to save costs depends on how a user looks at a problem while using the solution. I worked as a part of the security team, and we always used to talk to our company's customers. The solution is sometimes like insurance, especially if you want to avoid some bigger problems and you need to spend some money to protect your environment. In some other IT teams or from some other client's point of view, Microsoft Defender XDR costs a lot of money, and they don't see anything. In the security world, no news is good news. You don't want to have to see everything happen and get plenty of alerts trying to prove the product's worth. The product has to control the attack surface so that you won't be attacked that much, or if there are any attacks, it can reduce the impact.

The product definitely saves time for my organization and our company's client teams, especially considering that it is not possible to manually go through the logs every day. The product did help pop up the abnormal activities so that my organization could just review the important things or abnormal activities.

It is hard to say how much time the product saves since it depends on factors like whether you are using some other products or using Microsoft Defender XDR alone. I guess that the product can save over 60 percent of my organization's time. When you use Microsoft Defender XDR in your IT infrastructure, and it works for you, then you just put it in there, and you will come to know when there are some abnormal activities or when you are attacked. With Microsoft Defender XDR, you can get some signs if you are being attacked.

Microsoft Defender XDR is a nice solution and can be combined with other solutions from Microsoft, but they offer limited flexibility. I want the product to be a high surveillance solution for me and not just an information-oriented tool, but nowadays, Microsoft doesn't provide any options to help choose the users' preferences.

I rate the overall product a seven out of ten.

It addresses various use cases, including monitoring and securing file storage like OneDrive and SharePoint. It has recently incorporated Teams integration to safeguard against malware. Additionally, it serves as a replacement for on-premises Advanced Threat Protection, offering enhanced capabilities. It has proven valuable in highlighting critical scenarios related to credential use and legacy Active Directory, providing substantial assistance in these areas.

When transitioning to Microsoft Defender for Endpoint from our previous use of ATP, we observed significant improvements. Legacy ATP involved numerous signals and a substantial learning curve, but Microsoft Defender for Endpoint establishes a more effective baseline. In comparison to Cylance, which generated a considerable amount of background noise, Microsoft Defender for Endpoint enables us to concentrate on the more critical alerts that demand our attention. Our team is actively phasing out disparate security tools in favor of a streamlined approach. The efficiency gained from having a single pane of glass is a powerful asset for our team.

One of the most valuable aspects is the comprehensive insights it provides into on-premises identities, particularly within Legacy Active Directory. This allows for the examination of use cases related to identities, ensuring there is no misuse of accounts or computers. A crucial aspect for our team is the inclusion of identity and access management tools from the vendor. Despite being a sizable global company, our team is relatively small, considering our global reach. Therefore, minimizing overhead is a top priority for us, and integrating these tools from the vendor becomes crucial in achieving that goal.

My suggestion would be for Microsoft to continue aligning all components within this ecosystem. This consolidation is beneficial as we strive for a more unified and comprehensive view, essentially a single pane of glass, which is highly valued. In the future, I hope for increased third-party integration. While Microsoft plays a role, it's equally important for third-party providers to step up. In our organization, the information security team has endorsed a specific set of products. Integrating the telemetry from these approved products into our systems would be immensely beneficial, providing a more comprehensive view and enhancing our overall security posture. Extending security coverage is of paramount importance. Integrating telemetry could bridge these gaps, fostering greater cooperation among individual teams within the organization. Having teams collectively examine the same information might contribute to advancing collaboration and overall security efforts. The capability to not only thwart attacks but also to adapt to evolving threats is crucial.

I have been using it for the last three years.

It is exceptionally stable, without encountering any notable issues or complaints. Microsoft seems proactive in communication through the message center, keeping users informed about any ongoing issues, and we appreciate the clarity provided through multiple channels.

It has the capability to scale seamlessly, especially with Microsoft's expertise in the cloud. We have over six thousand end users globally distributed across various facilities, with some on-premises deployments due to specific requirements. However, our overarching strategy is cloud-first, and the majority of our infrastructure operates in Azure. In terms of endpoints, the number is substantial, likely exceeding seven thousand when considering both servers and clients.

We haven't had the need to contact them so far. In general, our experience with Microsoft support has been variable—it can be both beneficial and challenging. While they offer a wealth of resources, there are instances where the response may not align with our expectations. I would rate it eight out of ten.

Positive

I made the switch from Bitdefender to Defender primarily due to cost considerations. In my professional assessment, Bitdefender appears adequate from a client perspective, but when it comes to enterprise deployment, I don't view it as fully enterprise-ready. We encountered numerous challenges, particularly with installing Bitdefender's agent on Server 2022, which proved to be a significant hurdle for my team, consuming valuable time and resources. The advantage of Defender lies in its ability to seamlessly bring together threat telemetry from servers across various cloud providers, including Azure, and extend this protection to our Windows endpoints, offering a robust and integrated security solution.

The initial setup was straightforward.

Our implementation strategy was relatively gradual and soft. We enabled the features, allowed it to ingest the data, and then began assessing the generated alerts. Taking a somewhat silent approach, we deferred more to the expertise of our information security team, considering their role as the cornerstone in this aspect. As we moved forward, we aimed to identify areas for improvement and address the specific queries and needs that our team raised during the process. Our ongoing maintenance primarily involves fine-tuning our alerts to align with our specific use cases.

In terms of return on investment, the potential for cost reduction is a key consideration and Defender does provide it. The time saved is substantial, especially if we can navigate through our internal processes efficiently. Specifically for my infrastructure team, using Defender for Endpoint has significantly reduced the time spent delving into emerging issues. As a rough estimate, I would say it saves us approximately six hours a week that would otherwise be spent navigating through the complexities of individual components within Microsoft 365.

I find the pricing to be quite competitive, especially considering its inclusion in our E5 subscription, which provides a comprehensive set of functionalities. Initially, when I evaluated the pricing for add-ons with our E3 subscription, it seemed reasonable. However, we opted for the E5 subscription, absorbing the additional features seamlessly.

I'd recommend exploring Microsoft's Learn documentation, a resource that is sometimes overlooked but provides valuable insights into the capabilities of Defender. It's a good starting point to understand its features. For large enterprises with tools like Visual Studio subscriptions (formerly MSDN), Microsoft offers the option to set up an E5 tenant for testing. This can be deployed freely for up to twenty-five licenses, excluding the Windows license. I suggest diving into hands-on experimentation in a lab environment, combining practical experience with informational reading for a comprehensive understanding. Overall, I would rate it nine out of ten.

We use 365 Defender to manage organization-level devices and vendor security compliance. We are a retail-focused organization that offers cloud services through Azure, GCP, and AWS, but we manage all the security through 365 Defender. Some of our users are based in other countries, and everything is centralized. We operate in multiple regions. 

We can easily track any other malicious activities or additional applications that will prevent it. We can get it here. It will be a helpful tool once we create policies for DLP and third-party programs. 

365 Defender stops the lateral movement of advanced attacks. It prevents something that happens on the device level from affecting us on the organization level. The solution enables us to track all the details, like the IPs and the device types. 

365 Defender helps us deal with unknown threats by creating custom policies, which enable us to block access by specific unknown sources and unsafe links. 365 Defender has multi-tenant capabilities, and we have multiple tenants, but I'm only involved in the retail part, so I don't have authority over other tenants. 

We were able to discontinue some of our other security products when we implemented 365 Defender, but there are some exceptions. We can use non-Microsoft solutions when the customer requires it. Mostly, we use cloud solutions. We've saved some costs on the security side at the organizational level by reducing equipment costs. Using 365 Defender's automation capabilities, we can cut our vulnerability management time by about 40-50 percent. 

I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications. 

The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender 365, it would be helpful to use a different format so we can customize the platform.

I have used 365 Defender for more than two years. 

365 Defender can have some performance issues during enrollment. It can take a while at times, but sometimes it's duplicated immediately. That's an issue with some other cloud-based programs like Intune and Azure products. 

I rate Microsoft 365 Defender support nine out of 10. Their support representatives provide solutions based on priorities. They prefer to follow the proper SLA part. 

Positive

The deployment is quick, straightforward, and involves only two people. 

Sometimes 365 Defender is expensive, but it can be moderate, depending on the organization's size and the license type. We're satisfied with the cost because it gives us a product that protects our entire environment with DLP. To compromise some cost, of course, we are to complete the most secure environment. 

I rate 365 Defender nine out of 10. 

We're using it for our email filtering to check incoming emails and URLs. We're also using it for vulnerability management to see the status of our assets that are registered on the system. We also check it to see what kinds of threats and campaigns are currently being launched via emails.

It provides us with better insight into what's going on across our platform. It has also given us a very easy way to respond when threats or alerts come through. And when looking for someone in particular, it helps with that. It hugely improved our insight into what's going on inside the company's premises and environments.

365 Defender also helps find high-value alerts, but we haven't used it for complete automation. It has some automation features where it can try to block or quarantine things, but beyond the default automation configuration, we haven't explored deeper into using automation. The default settings work well.

And while we've always used one or two dashboards, this system has made it easier to have a quick overview on a single platform.

In addition, the threat intelligence helps prepare you for potential threats, to a certain limit, because it gives you insights into where your shortcomings are, your vulnerabilities. It also gives you some security recommendations to make improvements.

And the solution has decreased our time to respond because on high alerts you can get a quick response. The system will notify you very quickly if it detects something at a certain thread level or a custom threat level that you set.

Microsoft 365 Defender has a very great interface to help protect registered devices when it comes to web protection, which is very handy.

We also use the alert systems often. It's a great threat intelligence source for us, providing alerts for things it detects on the network and on the machines. We've used it often when there is a potential incident to see what was done on a computer. That works quite nicely because you can see everything that the user has done, including websites accessed, et cetera. And if something was on the machine, we can see what it was trying to do.

I use the alert system on a daily basis. It gives you a very good analysis of where something was found, which employee or which device. And it often gives you a good history on that. The alerts help me to monitor and check what is going on. That's a very valuable system to have.

We've also tried the attack simulation, which sends out phishing emails internally as a test to see how the users respond. We get feedback and use the training simulation as a result. We've only done that once, and it's something we want to work on a little more.

In addition, we're using the assets on the system as well as the inventory functionality. It checks all the machines to see what software is installed on them.

We've used a lot of the features on the cloud, although not everything to its full potential, but we've used 70 to 80 percent of all the features on the cloud.

In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things.

The information it provides is great, but for a newcomer, it is quite tedious and takes a long time to load. Here in South Africa, when you click, oftentimes you have to wait quite some time before you get to the next page. It's not necessarily internet-related. I think it's just that the service is a bit slow.

Also, while the solution does help to prioritize threats, unfortunately, it doesn't do so for the entire environment. The reason is that it only supports full integration from Windows 10 and up. It provides you certain information from your server environment, but when you start going with legacy services, it is a bit lacking.

Another issue that is sometimes a headache is that they constantly make changes. Things will be merged, they will get different names, or be moved around. Things will be added and other things go somewhere else. They do a lot of development to make the product better, but it's very frustrating having to search for stuff after they've moved it, because you don't always know that they have moved things. They might have little banners, but if you're just working and don't read them, you don't know where things have gone. 

I would also really like to see better integration with the server platforms for managing your server environment. That's something it currently doesn't do. For all the server environments, you either need to make use of group policies or SCCM to manage that independently. It can provide you information on the system, but it doesn't have control over your server line.

Also, I make use of 365 Defender on a business level and on a personal level. On the personal level, there is a lot less functionality. Something that would be very nice is that, for the level you are on, you would only see the product you are subscribed to. For instance, if you log on via the business, you have all your action areas, anything you can do and see, on the left. Because you're using it at a corporate level, you can see and do everything. On the personal level, or in a small business where you're only using some of the features, you still have all the same options, but when you click on them, it tells you that you need to upgrade or subscribe. They should only show you what you have access to, and not all the tabs and then say, "You need to subscribe to get access to this." It just clutters the whole area.

We have been using Microsoft 365 Defender for about two years.

Overall, it has 95 percent stability. We don't have any issues with it. It works well. Microsoft does provide frequent information when there are issues or delays. But the stability is very good.

We're still learning a lot about its capabilities. It's more capable than what we use it for. That is due to a restriction on our resources and availability to get to know the system even better.

We have contacted Microsoft tech support multiple times. They are quick to respond to the original request. Sometimes I have been quite surprised because they have replied within 15 minutes. Some of the questions we had were resolved quickly, on the order of 60 minutes. I had one that took almost two years to get resolved. But in general, they are quick to respond. Their support is very good and quick.

Positive

Before 365 Defender, we made use of Avast as our antivirus, which had its own web console. For malware protection, we used an on-prem Cisco IronPort system that was scanning all our emails. And most of our SIEM logging information was done manually. We had much less insight into what was going on in the company.

Because it was a new solution for us, we had a company that works with Microsoft assist us, to make sure that all the configurations were standard. But since then, we've maintained most of it ourselves. On our side there were no more than five people involved.

It's a very expensive product, but for any threat it has definitely stopped or protected us from, in that sense, it has saved money and time, by preventing things that could have happened. But is it affordable? No, it's expensive.

If you look at everything that the solution entails, and the big cost to companies, especially medium-sized companies, one would like to have a bit of a price decrease due to economic circumstances. The functionality is fantastic, but for medium and small-sized companies it's overpriced. It would be better if it were a little bit cheaper.

We did look at other solutions. In the end, we decided on 365 Defender because it was all integrated. It worked to our advantage because all the products that we needed were already on the machines. All the products that you get from the Defender area are part of the built-in Windows 10 features. It gave us a better way of controlling and managing things. Overall, it made more sense to have one central place to manage and control and be alerted.

My advice is don't be frightened when you start getting into the solution. If you are not used to the environment, it is a mouthful, and it can really scare your socks off. There's just so much to it that you won't really know where to start.

The best thing I can recommend to anybody who is starting is to get somebody who knows the system to give you a walkthrough. Also, look at the tutorials to see what the functionalities are. It will be beneficial for any person to get a good overview of what's going on in 365 Defender, the capabilities and how it looks. But getting in contact with somebody who has some experience already in using it will help you to ask where to find things. "Where do I go from here? Show me how you're set up, so I can at least see some of the functionalities."

My very first impression of 365 Defender was that I was looking for something, but I didn't even know where to start. It was too overwhelming. As I spoke to other people who knew about the system, they gave me an overview and that made it easier for me to understand and to know where to go.

365 Defender is our main deployment, but we've got the endpoints also connected on Intune. They work together to deliver coordinated detection and response in our environment. Our complete suite is pretty much all Microsoft. Our environment is a 50/50 hybrid. We use Intune for certain policy changes and some of the deployments. But because our environment has a lot of legacy systems, we make use of the normal, on-prem deployment services as well.

Sentinel is linked to our on-premises Active Directory. It helps identify things that are happening on-prem. For example, when a user's account instance gets locked out, it will show you, on Defender, from which local machine it was locked out. Or if certain things are accessed, it will show that information on the on-prem Active Directory. It works well. For investigating and responding to threats, it definitely helps by dumping the information in a centralized location with the alerts to identify a bit more flow pattern. If something happens that's not on the cloud area, but it's on-prem, it helps track and identify movement. The information from Sentinel is an added bonus.

Overall, Defender 365 has saved us time, compared to the old ways of doing things, but at the same time, I wish the site was faster. Sometimes it can be very slow.

Best-of-breed solutions versus a single vendor's suite comes down to personal experience. With best-of-breed, at least you know that they have been tested in the industry and have a lot of history behind them. Also, the redundancy would be a lot better. Going with a single vendor sometimes makes it a little bit difficult, especially if they are only focusing on one area. It's a difficult question. It might come down to the way someone was "brought up" in the security industry or the way that they trust these companies.

I give Microsoft 365 Defender a nine out of 10. Once you get to know the system, it's really awesome. It provides a lot of insights.