Microsoft Defender XDR Reviews

It is, of course, an antivirus tool. I work as a lead for a SOC team, and it's our job to monitor all the endpoints in our organization. We are looking for any unusual activity happening on the devices, and Defender monitors them.

If there are any changes or unusual activities, it triggers an alert. An analyst will pick up the alert from the Microsoft 365 Defender and go through the timeline to understand what triggered that alert and whether to categorize it as a security incident or not. Some of them turn out to be false positives, and some turn out to be true positives.

We use it for other tasks like IOC management. In the cyber world, different applications have different vulnerabilities. If an application is used in our organization, we make sure all the IOCs, whether hash values, malicious IP addresses, or malicious domains, are blocked in the Microsoft 365 Defender.

It has given us a very wide range of visibility over the endpoints and it's easy to manage. If I see a threat or an attack pattern emerging from a certain location, I can easily isolate those endpoints at a very quick pace. That has pretty significantly improved our proactive measures when it comes to security in the last three years.

Apart from that, it gives us an overall picture, and not just of the endpoints. It has identity and access management and an email security module as well. If there is anything related to phishing or spam emails, we can analyze that in the same portal. We don't have to rely on multiple portals. It's just a single pane of glass where everything is visible. It gives us a clear picture and our visibility has increased a lot.

Another thing I like about Defender is that if a threat is detected, it starts the investigation by itself, by running the scans on itself, trying to isolate the device, and determining which IP addresses or websites it is connecting to. It gives us a detailed picture. All we have to do is make sure all these are blocked. But the initial triage and investigation are pretty much done by Defender itself. That is one of the significant areas of improvement for us, which I definitely like about this product. Automation is one of the key features in Defender, which saves us a lot of time. Sometimes, we don't need manual intervention. It does its job automatically.

If an analyst would take 40 to 45 minutes just to understand what was going on with respect to the alerts that were coming in with the product we were using previously, 365 Defender has reduced that time by half, by 20 to 25 minutes. That is a pretty good improvement. When you're working in a cyber security environment, you need to be very quick to respond because, in a matter of minutes, you'll be firefighting. And that's not what you want.

Among the most valuable features are the alert timeline, the alert story, which is pretty detailed. It gives us complete insight into what exactly happened on the endpoint. It doesn't just say, "Malware detected." It tells us what caused that malware to be detected and how it was detected. It gives us a complete timeline from beginning to end. It gives us a pretty detailed overview of the timeline of the attack.

Another benefit is that Defender absolutely stops lateral movement or advanced attacks like ransomware. The MITRE ATT&CK framework is pre-integrated, and all the use cases or categories that have been defined in Microsoft Defender are based on that framework. Lateral movement is part of that. There are multiple cases of lateral movement available in Defender, and ransomware, of course, is one of them.

We also have threat analytics in the solution. If there is a zero-day attack, it gives us the information. As of now, we haven't seen any impact on our devices. If there is any impact, it shows us, and we can take action accordingly. Those aspects work pretty well.

The only problem I find is that the use cases are built-in. There is no template available that you can modify according to your organization's standards. What they give is very generic, the market standard, but that might not be applicable to every organization. For example, an organization might look into an alert in a different way, not in the way Microsoft provides. There is no way to modify a template according to your needs, and that is something that I really don't like.

Those kinds of alerts are generating too many false positives for us, creating additional overhead. For example, part of the identity and access management is called "impossible travel activity." It generates false positives for us but there is no way I can modify the rule they have given that causes alerts. I cannot use that template or create a new one using that template, which I then modify to fit my organization's standards.

When we raised the issue with Microsoft, they said, "It's a product feature. What you are requesting is a product enhancement. We can take your request, but we are not sure when it's going to happen."

I have been using Microsoft 365 Defender for almost three years.

I have not observed even one time that the tool has lagged or crashed.

It is pretty scalable and user-friendly. There are no issues with the scalability.

We have raised a few tickets for cases we needed assistance with. Their support is good. The response is good. Sometimes, the challenge is that an issue might be a high priority for us, but they might not consider it a high priority based on their understanding. Their severity levels vary compared to ours. That's fair, of course. It's not something I am complaining about. Overall, the response from their support is always positive.

Positive

We were using McAfee ePO, but we have completely stopped using it now that we have 365 Defender. Discontinuing McAfee has definitely reduced manual correlation. Most things are automated in the Defender portal, so if a high-severity alert comes in, an automated investigation is triggered. That is one of the key features.

Irrespective of whether your organization is a mid-sized company or a big company, Defender is pretty scalable and very easy to use. As a cloud solution, you don't have to worry about it crashing. The alert timeline is pretty detailed. It catches most of the threats out there. You don't have to worry too much if there is a new threat because Microsoft makes sure that it is already addressed by Defender. If something comes up, it will sound an alert.

If you are looking for a nice antivirus product that doesn't take up many of your endpoint resources—compared to other antivirus software on the market, some of which take huge resources from your machine—it comes built-in with Microsoft. You don't have to install anything.

It's a cloud deployment, so I don't think there is any maintenance required from our end, unless there is a policy change requested at the organization level.

The platform provides unified identity and access management. When I started using it three years ago, that was a separate product. It was under Azure Cloud App Security. Now, they have integrated into Microsoft 365 Defender. We can see identity and access management-related alerts in Defender. Identity protection is something we have not explored that much. Our main focus lies on the endpoint.

Still, it's good to have it in Defender itself because it comes as a complete package. Just because we are not actively using it doesn't mean it's bad. It gives us detailed information, but we are working on the endpoints, focused on the device side. But if a brute-force attack is happening, it comes from a specific device. We don't have to rely on multiple portals to get that information. Everything is available in a single window, because we have that user information. You also see user access to devices and check if there are any malware-related alerts on that device. And that information is in the same portal. Integrating identity and access management in the same portal is a pretty good feature rather than having a separate feature altogether.

My role is to monitor Microsoft 365 Defender. We investigate various alerts and incidents that occur there. We utilize the solution to block any malicious domains, URLs, or other harmful elements that could affect our environment. Microsoft 365 Defender is our tool of choice for this purpose, and it helps improve our secure score. We assess the available remediation options to determine if they are suitable for our enrollment. Additionally, we use it for email analysis and make use of all the features provided by Microsoft 365 Defender.

Microsoft 365 Defender offers excellent visibility into our environment. We have a dedicated team that focuses solely on handling threats. As for me, I mainly deal with the architectural aspects of the overall environment. However, we rely on Microsoft 365 Defender for threat detection, and in the future, we plan to implement Sentinel as well. The reason for choosing Sentinel is that its integration is much more compatible, as Microsoft does not send various logs for other third-party tools like QRadar or any other tool. Therefore, we have decided to move forward with Sentinel.

Microsoft 365 Defender assists in prioritizing threats across our organization by offering real-time threat analysis. However, it does not provide upcoming threat alerts, such as identifying vulnerable technologies for our environment. To secure them, we can access the security score and follow the recommended actions. The platform displays current metrics and trends.

We are currently in the process of integrating Microsoft Defender for cloud apps and Microsoft 365 Defender, with 80 percent completion. Both solutions work together to deliver coordinated detection and response across the environment. We have one unified dashboard to monitor and control both solutions from a single place.

To create a fully comprehensive threat protection environment, we will integrate Sentinel with Microsoft 365 Defender and Microsoft Defender for cloud apps. This integration will allow us to receive additional data related to threats that are currently not shared by Microsoft.

Microsoft 365 Defender is an excellent tool. It is compatible with Teams and Outlook, making it ideal for threat detection and mail security in a Windows environment, which is commonly used by many corporate entities.

Microsoft 365 Defender is helpful in automating routine tasks and identifying high-value alerts. The Microsoft dashboard facilitates the remediation of alerts by grouping alerts of the same kind, which is beneficial.

Microsoft 365 Defender helps reduce the number of dashboards we need to look at, but it does not completely eliminate them.

Microsoft 365 Defender has saved us time by consolidating many of our solutions into a single tool.

Microsoft 365 Defender helps reduce our MTTD, but Sentinel would help decrease our MTTD even further.

The 'Incidents and Alerts' tab is a valuable feature where we can find triggered alerts.

Microsoft Cloud App Security has now transitioned its alerts to 365 Defender. As a result, all alerts that were triggered in Microsoft Cloud App Security are now visible in Microsoft 365 Defender.

It is beneficial that we can search for any of the devices. If we choose any of the devices, it will display the alert, incident, and the entire timeline related to that particular device. These are the features covered, including the ability to run antivirus directly on the device, isolate the device, and apply restrictions. These are the positive aspects of the solution. The same applies to 'Identity' as well. 

We can also investigate that router using email. The image represents the user's complete inbox. We can find out who the main users are, what the titles of the emails are, and how much malware we have received, including the number of phishing emails. We can see all this information in that explorer. Additionally, that thing is also beneficial.

There is a section titled 'Action and Submission.' When we submit any kind of share value for evaluation to Microsoft, they take a significant amount of time for the process.

When discussing the secure score, which includes overviews and recommended actions, some of these recommended actions are not applicable to us, particularly those related to Microsoft Internet Explorer, which we do not use in any of our environments. Nevertheless, there are instances where options to disable macros and various configurations appear, even though they shouldn't be present.

I have been using Microsoft 365 Defender for two years.

Microsoft 365 Defender is stable.

Microsoft 365 Defender is scalable. The solution can handle numerous endpoints, and as our user base grows, the number of endpoints automatically increases.

Many times, the engineers assigned to our tickets are not very knowledgeable about the solutions and features.

Neutral

I would rate Microsoft 365 Defender an eight out of ten. There are many rapid and independent changes happening each month or every other month, making it difficult to keep track of them.

I prefer adopting a best-of-breed strategy instead of relying on a single-vendor security suite. I have observed this approach being implemented in numerous organizations.

Microsoft 365 Defender surpasses most platforms available in the market in terms of advancement and offers extensive integration with other Microsoft solutions. I highly recommend this solution.

We primarily use it for endpoint security. Specifically, it serves as our solution for antivirus detection, malware detection, and related aspects focused on safeguarding individual devices. 

Its single-pane interface is a time-saving feature, as it eliminates the need to check different locations which is excellent for efficiency. It allows us to phase out the use of other security products. For example, we previously ran Sophos on-premises. However, upon transitioning to Microsoft 365 and leveraging the included Defender, we discontinued the use of Sophos. This shift not only streamlined our security approach with a unified solution but also contributed to cost savings, as everything is encompassed within the same license—a concept that aligns with the efficiency of a single-pane interface.

The most valuable aspect is that it comes included with the licensing, which is excellent. It provides a single pane of glass within the 365 admin interface, streamlining our experience by consolidating information in one place and eliminating the need to navigate through multiple interfaces.

It would be highly beneficial if CoPilot could identify anomalies within the network and notify the IT team. For instance, if a user typically accesses around a hundred megabytes of data daily from familiar files and locations but suddenly diverges to an uncommon destination, uploading ten gigabytes of data to an unfamiliar website, that would be a significant anomaly. Pausing such activity and alerting the IT team for a human assessment would be a valuable feature to ensure security.

I have been working with it for three years.

No stability issues noted, and there haven't been any concerns regarding false positives. Overall, the experience has been positive.

Scalability is straightforward; no issues are encountered. We predominantly use Windows 10, and so far, I haven't observed any issues. Some of us have transitioned to Windows 11, and it appears to function well.

We haven't contacted their tech support, which I consider a positive indicator.

In terms of ROI, our expectation is to gain a comprehensive analytical perspective by upgrading to E5, activating Sentinel, and deploying other products like Entra. This move aims to provide a more extensive understanding of user activities, login details, and other relevant metrics. Currently on a three-year Microsoft term set to end on April 1st, we've inquired with our vendor about transitioning from E3 to E5 immediately.

In our security solution evaluation, we considered Trend Micro and Sophos, focusing more on Sophos due to its cloud version. However, challenges in patching the on-premises Sophos led us to choose Microsoft Defender. The simplicity, inclusion in our package and regular patching made Defender more attractive. Additionally, our decision was influenced by community adoption, as no other law enforcement agencies in Canada were using Trend Micro. Defender's seamless integration and zero additional cost aligned with our strategy of opting for solutions without extra expenses.

Overall, I would rate it eight out of ten.

We implemented Defender two and a half years ago, utilizing it in a passive mode with only the sensor active for data collection and basic EDR results. Although it has been running on all devices, we are currently in the process of making the final transition from the existing setup to fully leverage Defender as our EDR solution.

We utilize analytics on both iOS and Android platforms, and it holds significant importance for us. Compliance with mandates, often stemming from executive orders, requires meeting specific contract requirements. In response, we employ analytics to implement and maintain controls consistently across various device types. The capability to adapt to emerging threats is of utmost importance to us. We lack the time and resources to constantly learn about new indicators and threat actors. We expect that the threat intelligence from Microsoft and other providers seamlessly integrates into the system, enabling automatic updates based on the current global threat landscape. The unified single pane of glass is a significant benefit. It consolidates everything into one interface, eliminating the need to navigate through multiple portals for information.

The greatest value lies in integration, I believe. The ability to integrate and observe a more cohesive narrative across the products is crucial.

There are still some components, such as vulnerability management within the vendor product, where improved integration would be beneficial. Currently, it's not visible in the same interface, requiring us to search elsewhere to access that information. While it has streamlined data collection and retrieval, there's still room for improvement in terms of user-friendliness for certain individuals. While the ultimate goal is to enhance security, there's room for improvement in terms of pricing.

We are currently in the migration process from Sophos to Microsoft Defender.

It offers high stability.

The backend infrastructure and structure in place seem to be easily scalable to meet our requirements.

Customer service and technical support vary. Opening support cases for different components within the security stack or Microsoft entity often reveals that first-level support is lacking. It typically takes two or three weeks to get an escalation, and by then, the issue may have resolved itself. Escalations are challenging, as first-level support struggles to comprehend the problem, leading to repetitive discussions. I would rate it four out of ten.

Neutral

We transitioned from Sophos to Microsoft Defender primarily due to cost reduction and the elimination of duplicated technologies.

The initial setup used to be complex, but now it's much more streamlined.

We follow a phased approach for deployment, beginning with a proof of concept pilot. However, our main deployment cycle revolves around Defender, facilitated via Intune, where all devices are managed. Building the package and incorporating scripts into Intune is the key process for the sequential implementation, which has evolved over time. Maintenance involves keeping pace with changes, not just patching. Microsoft has significantly improved patch cycle management, but dealing with the constant stream of changes they introduce remains a challenge.

It proved to be effective in cost savings. Our return on investment is tied to the existing investment in the current SKU. We anticipate not only recouping the dollars spent but also gaining the advantage of a unified interface, a single pane of glass. This consolidation allows us to streamline our operations, saving valuable time and effectively reclaiming productivity that would otherwise be spent navigating between different platforms on a daily basis.

When seeking a security suite, even with an E5 enterprise license, additional purchases are still necessary. The license cost for a year is approximately forty-four thousand, and this annual saving is a significant factor in our decision to switch.

In the past, we explored alternatives such as Carbon Black and Cylance, particularly for their machine learning and AI components, which were quite innovative at that time, approximately three years ago. However, our approach has evolved, and we've shifted significantly towards the Microsoft Stack. The decision is influenced by our existing environment, where we can readily assess the capabilities available within Microsoft.

The critical aspect is comprehending your existing setup. During our migration, we opt for a like-for-like transition instead of going for something entirely new, as the latter could be disruptive to some processes. Defender offers extensive capabilities, but understanding where to begin is crucial to avoiding disruption. Start with a like-for-like migration and plan the subsequent ramp-up to align with its capabilities. Overall, I would rate it eight out of ten.

We mainly use it to defend endpoints.

We have seen fewer threats with the solution. The attacks that we experienced in prior years have reduced drastically since we implemented Defender.

We also use Microsoft Defender for Identity. Their integration is very good. If you are a Microsoft 365 SaaS solution user, it is perfect. It works very well with all the services provided by Microsoft. These services work natively together to deliver coordinated detection and response across our environment. We are pretty much a Microsoft shop, so the integration of these different services is very important for us to secure our offices.

Microsoft 365 Defender's threat protection is very comprehensive. The service that is available now is much more comprehensive than what was available a few years back. The only area that I see lacking is the dashboard. I can create my own dashboard, but the preset security dashboards should be much more functional.

Its threat intelligence helps prepare us for potential threats and take proactive steps before the threats hit. The vulnerability scanning feature is great, and the Secure Score feature that scans the endpoints for vulnerabilities and keeps them up to date reduces a lot of the attacks that can possibly happen.

Microsoft 365 Defender has saved us time. It has saved at least 30% to 40% of our time.

Microsoft 365 Defender has saved us costs. Previously, we had to pay for third-party protection services separately, but because it is now integrated with our E5 licenses, it saves us a lot of money.

Microsoft 365 Defender has decreased our time to detect and respond. We now have visibility and this led to about a 20% to 30% reduction. 

The EDR and the way it automatically responds to ransomware and other attacks are valuable features.

The visibility into threats is not as good as other products in the market such as CrowdStrike, but if you know where to look, you can gain access to what is going on. The way the dashboard is designed is not as great as other products.

It helps to prioritize threats across the enterprise, but a lot of administrative overload is involved in determining which threats to prioritize. As compared to other products, it is a bit lacking.

Similarly, it helps to automate routine tasks and finds high-value alerts, but a little bit more automation would be appreciated.

Automated playbooks and automated dashboards would be preferable to the way the data is currently being presented. That is because a lot of organizations that I have worked with over the past years do not have full-on SOC or threat detection services. They should put in more automated response capabilities and dashboards for smaller organizations.

I have been using this solution for almost three years.

It is a very stable product. Our attack metrics have come down drastically since we integrated with Defender. In my opinion, it is a very stable product.

It is very scalable. I do not know about third-party clouds or third-party solutions, but when you are a Microsoft shop or have Azure or a hybrid setup, it is very scalable.

We have multiple departments and multiple locations. We have client-facing computers, and we have in-house and on-prem computers. We also have Azure VMs. 

Their support can be better. Their response time is good, but their knowledge and documentation are a bit lacking. Technology is moving faster than the documentation and the knowledge that is being provided to the support team. Their support team pretty much looks at the same documentation that we are looking at, but the technology is moving a lot faster than they can catch up. I would rate their support a seven out of ten.

Neutral

We used CrowdStrike and Trend Micro. We switched to Microsoft 365 Defender because we wanted to integrate services.

The solution is deployed on the cloud, but the endpoints are connected on-prem. In our organization, we have quite a few endpoints, so it took about three or four weeks.

The setup will be straightforward for big organizations if they have a complete IT department, but for a small organization, implementing the same service becomes trickier because they do not have full-fledged IT departments. That is where the problem lies. 

More automation would be better. However, automation is present with Autopilot and other services where you can integrate everything.

In terms of maintenance, you have to fine-tune the services on a regular basis and tweak the deployment as per your requirements.

We have about eight admins who worked on the implementation of the solution.

We have probably seen 30% to 40% ROI.

It is fairly priced because we get complete integrated services with the E5 license.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single-vendor strategy worked for us because it brought down our investment in terms of licensing and cost. The deployment across the organization has been a lot easier than integrating third-party solutions in different areas of the organization. For example, Defender integrates very well with both the endpoints and the cloud. Whereas with a third-party solution, we have to get different applications that need to connect back to the service to get the solutions that we require. Native integration is very useful for us when it comes to Microsoft. That is what I would recommend.

If you are a Microsoft shop, I would highly recommend it, but you have to do a PoC.

I would rate Microsoft 365 Defender a nine out of ten.

We primarily use the solution for email protection to scan incoming emails and attack simulation. Attack simulation allows our users to practice detecting phishing emails without any risk. The product also gives us an overview of our security situation. 

We operate a hybrid environment with a wide variety of users around the world. 

We use multiple Microsoft security products, including Defender for Endpoint, Sentinel, and Defender for Cloud Apps.  

We have integrated all our Microsoft security solutions, and the integration is easy and seamless, though an Azure account is required to connect Sentinel with other products. 

The solutions work natively together to deliver coordinated detection and response across our environment.  

The multiple Microsoft security products provide comprehensive threat protection, especially by combining 365 Defender and Defender for Cloud Apps, Endpoint, and Identity.  

The solution allows us to remediate threats better, and the Microsoft Secure Score tells us where we need to improve the security of our organization.

365 Defender saves us time in the region of 10%.

With security products, it can be hard to determine how much money they save us by protecting us from attacks, but I would say our cost savings are around 15%. 

The tool decreased our time to detect and respond, as we can quickly navigate to the required dashboard to get on top of unfolding threats. It reduced the time by 5% for each.  

The attack simulation is excellent; initially, this feature wasn't very robust, but Microsoft improved what we could achieve with it. We can now customize our practice phishing emails and include our company logo, for example. Attack simulation also helps integrate with third-party solutions where applicable and provides an overview of our security architecture through testing. The summary includes areas for improvement in our protection and what steps we need to take to get there.

365 Defender works seamlessly with other Microsoft products like Defender for Endpoint, and once we've onboarded a device, it's easy to see the entire progression of a malicious email. This includes the IP origin, and these are some of the things I love about the product.

The solution provides us with excellent visibility into threats; there are various features that clearly show when our organization is under attack, which country the attack originates from, and what we need to do to mitigate it. 

365 Defender prioritizes threats across the enterprise, which is essential because it gives us an overview of what we need to do to improve our security. We don't need to think of what we must do which is significant for us. 

The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Over time, the threat intelligence learns and gets better, much like an AI.  

A simple dashboard without having to use MS Sentinel would be a welcome improvement. 

We sometimes get false alerts, and Microsoft told us the issue was with them and that they were aware of it. They were supposed to remediate it, but we had to do much ourselves. The false positives need to be reduced. 

We've been using 365 Defender for four years. 

The stability isn't bad, but we get too many false positives.

Microsoft has been able to scale up the solution over time, so it's scalable. All we need to do is purchase licenses according to our requirements. We have around 1,000 users.

The customer support is good, but there is room for improvement. 

Neutral

The deployment was straightforward and quick; it took minutes. Onboarding the other solutions can take a little longer, depending on the environment and migration methods.

The setup can be done by one or two staff. In a scenario with many thousands of users and a proficient security admin, the deployment could be done in 15 to 20 minutes. The solution doesn't require any maintenance on our end, as it's cloud-based. 

The product gives us an ROI as it protects our organization from potentially costly attacks. Our ROI is around 5%.

The product is fairly priced for what we get from it. 

I rate the solution seven out of ten. 

We use MS Sentinel, but I wouldn't say it ingests data from our entire ecosystem. It's straightforward to integrate, but getting the most out of Sentinel requires a lot of configuration, which needs significant expertise and time.

Sentinel enables us to investigate threats and respond holistically from one place, and that's important for us. The process is primarily automatic once the logic hub and configuration are set up.  

Regarding the comprehensiveness of Sentinel's security protection, it's less a tool for protection and more of a solution for providing an overview, management, and optimization of security processes. The most significant security features are found in the Defender line of products. 

We can automate some aspects of 365 Defender, but MS Sentinel is required for more complete automation.

365 Defender doesn't eliminate having to look at multiple dashboards; we still need to click through numerous dashboards for a complete security overview. Sentinel allows management from a single XDR dashboard.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say, why not save the stress of dealing with multiple vendors? You can have one vendor one click away and seamless integration between your products. 

I recommend the solution; I've worked with it in three different organizations and realized how seamless it is to use the Microsoft suite. They integrate well and help us protect all the services in Microsoft 365.

My company mostly uses Microsoft Office products, so we use 365 Defender for our security. 365 Defender is deployed globally, and it works the same whether you are in Europe, China, or India. It currently covers around 4,000 people worldwide. 

Defender reduced our attack surface with built-in rules for USB-based threats. Sometimes employees plug in a USB containing threats. Defender will immediately stop malicious executables from running. 

We have our own method for defining incident priorities. For example, most identity-related incidents are on the higher side. However, if we see a large number of low-level alerts affecting a single user in a short period, then those need to be checked. Automation can help in these cases. It's good to have, but I don't think Microsoft is currently very capable of machine learning. 

Defender has a security dashboard, but there is a different console for vulnerability management. We can create multiple reports where alerts are categorized and labeled, and Defender provides a single console where we can fetch all those reports. 

There isn't a foolproof method for preventing all cyber attacks, but best practices can reduce risks and limit the impact of threats. If you identify threats, you can build block lists and create regular employee training to tell people what to avoid. 

Preventing threats requires a strong firewall and antivirus solution. Defender is a good one. You can also implement threat prevention and detection technology in your remote environment. Nothing can completely prevent attacks from happening, but you can create policies using threat intelligence to ensure they are stopped. 

365 Defender helps us save time by simplifying threat response. For example, one of my customers uses USB to transfer data from one place to another. Some USB drives contain malicious programs, so I configured a rule to stop the executable. If a user copies documents from the USB with a harmful executable, Defender will lock it down. They can only copy the documents, but the executable will not run. 

It saves us lots of time. It reduces the time we spend on these tasks by about 50 to 60 percent. I switch it to audit mode and collect logs. After a month, I have received hundreds of alerts. With my rule in place to block USB executables, we no longer get alerts for that particular threat. Implementing that single rule reduced our alerts by around 30 percent. 

Defender reduces the detection time. We have a SOC team to review all those logs and alerts, and it helps them work quickly. There is little delay between detection and remediation. 

Microsoft Defender's most critical component is its CASB solution. It has many built-in policies that can improve your organization's cloud security posture. It's effective regardless of where your users are, which is critical because most users are working from home. It's cloud-based, so nothing is on-premise.

When dealing with remote users, you need the coverage of firewalls, antivirus, and all those essential security measures. There are multiple policies available that can help the organization secure its environment to prevent something malicious from entering. You need to flag users logging in from a different IP and guard against brute force attacks by detecting multiple failed login attempts.

There is also an option for identity. Most organizations aren't entirely on the Cloud. They still rely on on-prem data centers, so you need Defender for Identity. Another advantage of a cloud-based solution is that you don't need to constantly upgrade it monthly, quarterly, or weekly. All of your infrastructure is online. 

You need multiple solutions for outside threats. I can see if someone is logging in from a malicious IP before they can access the environment. You cannot completely block cybersecurity threats, but you can proactively resolve them and create a wall around your environment. 

365 Defender's attack surface reduction rules could be more customizable. Microsoft has its own pre-defined rules that can be adapted to every organization, but Defender should support the ability to create custom rules from scratch.

Defender also lacks automated detection and response. You need to resolve issues manually. You can manage multiple Microsoft security products from a single portal, and all your security recommendations are in one place. It's easy to understand and manage. However, I wouldn't say Defender is a single pane of glass. You still need to switch between all of the available Microsoft tools. You can see all the alerts in one panel, but you can't automate remediation. 

Automated remediation can be improved. I'm currently creating a remediation structure there and pushing it to my vendor, but the vendor should have their own way of resolving things. It only alerts you that something is happening. The security administrator needs to take action because Defender's automated capabilities aren't up to par. 

I have been using 365 Defender for more than a year. 

365 Defender is stable. I haven't seen an outage in the past year. We've had 100 availability. Occasionally, the servers go down for maintenance, and the sensors stop working. It doesn't happen frequently. 

365 Defender is highly scalable. 

Microsoft's support is excellent. Most issues resolve on their own, but when we need support, they typically resolve the issue quickly. 

Positive

At my previous company, we used other antivirus and identity solutions, but they weren't a complete package like 365 Defender. For example, CrowdStrike was our EDR solution, which had extended capabilities, or XDR. We had various solutions that collectively did the same thing as Defender. 

365 Defender is cloud-based, so the deployment is straightforward and only takes 10 to 15 minutes. You need to change a few configurations on your devices using Intune. One person is sufficient to do the job. It's a simple installer. 

After the deployment, you don't need to do any maintenance because it's on the cloud. The only thing deployed on-premise is the ATP sensor, which automatically upgrades. 

365 Defender is bundled with our Microsoft Enterprise license. Additional costs for support, etc. depend on the license level. If you have a premium account, you will receive priority support, but it costs more. 

I rate Microsoft 365 Defender a nine out of ten. I personally wouldn't recommend only using a single solution or vendor. If you don't try other products, then you won't be aware of what is happening in the market. There should be multiple products involved, so you can compare the solutions and go with the best one. 

It has helped us identify a lot of loopholes within our environment and mitigate risk. It has improved user experience as well.

The visibility into threats provided by the solution is amazing. If you have Sentinel, you can integrate it with Microsoft 365 Defender. You can then access all of the logs at once with a code. You would be able to quickly analyze and react to any threat.

We are able to prioritize threats with this solution. Depending on the type of license you have, you will be able to access different capabilities. We place very high importance on prioritizing threats because the easiest way to get attacked is through the user or the endpoint. You must have multiple layers of security.

We use several Microsoft security products such as Sentinel, Defender for Office 365, and Microsoft Defender for Cloud Apps (Cloud App Security). Microsoft has the highest form of integration, so these solutions integrate in a straightforward manner. Once Microsoft Defender for Cloud Apps is unlocked, you can connect to third-party applications as well.

These solutions work natively together to deliver coordinated detection and response. The threat protection that these Microsoft security products provide is comprehensive and very effective.

We use Microsoft Defender for Cloud and make use of its bi-directional sync capabilities. It gives us access to reports and makes reporting much easier as well.

Microsoft Sentinel enables us to ingest data from our entire system. Data ingestion is very important to our security operations because it makes it easy for us to know if there are any vulnerabilities or threats. It flags it, and we can analyze it and also create a query, which brings to light threats. We can then mitigate the threat or attack breach on the device.

Sentinel enables us to investigate threats and respond holistically from one place. It makes life easier for us and helps us not to be caught unaware. There are many forms of alerts that notify you immediately of any threats. You can set up automations, which might even fix the issue or mitigate the issue immediately without the need for intervention. That is, you can create a rule to automatically fix a particular problem.

Sentinel captures a lot of logs, and you'll be able to create action plans through the application to directly handle particular threats. The integration has been done already, so automatically it will send a signal to the environment or to the solution you have integrated with to carry out a particular action.

The cost of Sentinel is on the higher side compared to that of other standalone solutions.

We can automate routine tasks and write scripts to carry out difficult tasks, which makes things easier for us.

This solution has helped us to save 60% to 70% of our time.

Microsoft 365 Defender provides one XDR dashboard, so we don't have to look at multiple dashboards. In the Import Center, all you need to do is to select the solutions that you want, and it will give you multiple options on different categories and different data. It's amazing and straightforward, and you won't need to open other tabs.

We have been able to prepare for potential threats before they hit and take corrective steps. We can immediately identify users or systems that have viruses or malware. We can also find scripts that have errors underneath them. We can discover each element from the history and delete it. It covers a lot of aspects, and the integration with Sentinel helps as well.

Because there's someone actually monitoring everything, when there is a threat or any form of abnormality, all they would need to do is to create a rule or a query to create a particular section and add the action that needs to be carried out. It's easy to get to reports as well. Overall, the solution has decreased our time to detection and our time to respond by 60% to 70%.

Microsoft tends to provide too many features, which makes the solution prone to bugs.

Also, 365 Defender needs to be more flexible during deployment. When it comes to causal admittance, at times it seems slow.

We have been using this solution for about three years.

The stability is okay. Microsoft has evolved a lot, so they tend to make sure that the solution is up to date and up to par with best practices in the environment. They add new features as well.

It's very scalable.

The level of support you get depends on the knowledge of the engineer who has picked up your ticket. I'd rate technical support at seven out of ten.

Neutral

The initial deployment is straightforward as long as you meet the prerequisites. 
It doesn't really take a lot of time to deploy. All you need to do is to set up the policy, then assign the license to the users. Microsoft handles the maintenance of the solution.

Defender Plan 1 is tenant-wise, and Defender Plan 2 is per-user, which makes it more expensive. To have certain features, you would need to purchase the E5 license. For all of the capabilities that the tool provides, the price, though it can be high, is fair. 

I don't think having a single vendor's security suite is the best because once the threat actors are in through the surface, it's easy for them to penetrate. This is because they'll know all the cracks in that particular product. However, if you have another vendor protecting you as well with a different signature database that is separate, then the attackers have multiple walls that need to be cracked.

An average-sized organization can go for the Business Premium plan. Larger organizations can go with E5, which comes with the full functionalities of Microsoft 365 Defender. Overall, I'd give this solution a seven out of ten.