Microsoft Defender XDR Reviews

It is, of course, an antivirus tool. I work as a lead for a SOC team, and it's our job to monitor all the endpoints in our organization. We are looking for any unusual activity happening on the devices, and Defender monitors them.

If there are any changes or unusual activities, it triggers an alert. An analyst will pick up the alert from the Microsoft 365 Defender and go through the timeline to understand what triggered that alert and whether to categorize it as a security incident or not. Some of them turn out to be false positives, and some turn out to be true positives.

We use it for other tasks like IOC management. In the cyber world, different applications have different vulnerabilities. If an application is used in our organization, we make sure all the IOCs, whether hash values, malicious IP addresses, or malicious domains, are blocked in the Microsoft 365 Defender.

It has given us a very wide range of visibility over the endpoints and it's easy to manage. If I see a threat or an attack pattern emerging from a certain location, I can easily isolate those endpoints at a very quick pace. That has pretty significantly improved our proactive measures when it comes to security in the last three years.

Apart from that, it gives us an overall picture, and not just of the endpoints. It has identity and access management and an email security module as well. If there is anything related to phishing or spam emails, we can analyze that in the same portal. We don't have to rely on multiple portals. It's just a single pane of glass where everything is visible. It gives us a clear picture and our visibility has increased a lot.

Another thing I like about Defender is that if a threat is detected, it starts the investigation by itself, by running the scans on itself, trying to isolate the device, and determining which IP addresses or websites it is connecting to. It gives us a detailed picture. All we have to do is make sure all these are blocked. But the initial triage and investigation are pretty much done by Defender itself. That is one of the significant areas of improvement for us, which I definitely like about this product. Automation is one of the key features in Defender, which saves us a lot of time. Sometimes, we don't need manual intervention. It does its job automatically.

If an analyst would take 40 to 45 minutes just to understand what was going on with respect to the alerts that were coming in with the product we were using previously, 365 Defender has reduced that time by half, by 20 to 25 minutes. That is a pretty good improvement. When you're working in a cyber security environment, you need to be very quick to respond because, in a matter of minutes, you'll be firefighting. And that's not what you want.

Among the most valuable features are the alert timeline, the alert story, which is pretty detailed. It gives us complete insight into what exactly happened on the endpoint. It doesn't just say, "Malware detected." It tells us what caused that malware to be detected and how it was detected. It gives us a complete timeline from beginning to end. It gives us a pretty detailed overview of the timeline of the attack.

Another benefit is that Defender absolutely stops lateral movement or advanced attacks like ransomware. The MITRE ATT&CK framework is pre-integrated, and all the use cases or categories that have been defined in Microsoft Defender are based on that framework. Lateral movement is part of that. There are multiple cases of lateral movement available in Defender, and ransomware, of course, is one of them.

We also have threat analytics in the solution. If there is a zero-day attack, it gives us the information. As of now, we haven't seen any impact on our devices. If there is any impact, it shows us, and we can take action accordingly. Those aspects work pretty well.

The only problem I find is that the use cases are built-in. There is no template available that you can modify according to your organization's standards. What they give is very generic, the market standard, but that might not be applicable to every organization. For example, an organization might look into an alert in a different way, not in the way Microsoft provides. There is no way to modify a template according to your needs, and that is something that I really don't like.

Those kinds of alerts are generating too many false positives for us, creating additional overhead. For example, part of the identity and access management is called "impossible travel activity." It generates false positives for us but there is no way I can modify the rule they have given that causes alerts. I cannot use that template or create a new one using that template, which I then modify to fit my organization's standards.

When we raised the issue with Microsoft, they said, "It's a product feature. What you are requesting is a product enhancement. We can take your request, but we are not sure when it's going to happen."

I have been using Microsoft 365 Defender for almost three years.

I have not observed even one time that the tool has lagged or crashed.

It is pretty scalable and user-friendly. There are no issues with the scalability.

We have raised a few tickets for cases we needed assistance with. Their support is good. The response is good. Sometimes, the challenge is that an issue might be a high priority for us, but they might not consider it a high priority based on their understanding. Their severity levels vary compared to ours. That's fair, of course. It's not something I am complaining about. Overall, the response from their support is always positive.

Positive

We were using McAfee ePO, but we have completely stopped using it now that we have 365 Defender. Discontinuing McAfee has definitely reduced manual correlation. Most things are automated in the Defender portal, so if a high-severity alert comes in, an automated investigation is triggered. That is one of the key features.

Irrespective of whether your organization is a mid-sized company or a big company, Defender is pretty scalable and very easy to use. As a cloud solution, you don't have to worry about it crashing. The alert timeline is pretty detailed. It catches most of the threats out there. You don't have to worry too much if there is a new threat because Microsoft makes sure that it is already addressed by Defender. If something comes up, it will sound an alert.

If you are looking for a nice antivirus product that doesn't take up many of your endpoint resources—compared to other antivirus software on the market, some of which take huge resources from your machine—it comes built-in with Microsoft. You don't have to install anything.

It's a cloud deployment, so I don't think there is any maintenance required from our end, unless there is a policy change requested at the organization level.

The platform provides unified identity and access management. When I started using it three years ago, that was a separate product. It was under Azure Cloud App Security. Now, they have integrated into Microsoft 365 Defender. We can see identity and access management-related alerts in Defender. Identity protection is something we have not explored that much. Our main focus lies on the endpoint.

Still, it's good to have it in Defender itself because it comes as a complete package. Just because we are not actively using it doesn't mean it's bad. It gives us detailed information, but we are working on the endpoints, focused on the device side. But if a brute-force attack is happening, it comes from a specific device. We don't have to rely on multiple portals to get that information. Everything is available in a single window, because we have that user information. You also see user access to devices and check if there are any malware-related alerts on that device. And that information is in the same portal. Integrating identity and access management in the same portal is a pretty good feature rather than having a separate feature altogether.

It has helped us identify a lot of loopholes within our environment and mitigate risk. It has improved user experience as well.

The visibility into threats provided by the solution is amazing. If you have Sentinel, you can integrate it with Microsoft 365 Defender. You can then access all of the logs at once with a code. You would be able to quickly analyze and react to any threat.

We are able to prioritize threats with this solution. Depending on the type of license you have, you will be able to access different capabilities. We place very high importance on prioritizing threats because the easiest way to get attacked is through the user or the endpoint. You must have multiple layers of security.

We use several Microsoft security products such as Sentinel, Defender for Office 365, and Microsoft Defender for Cloud Apps (Cloud App Security). Microsoft has the highest form of integration, so these solutions integrate in a straightforward manner. Once Microsoft Defender for Cloud Apps is unlocked, you can connect to third-party applications as well.

These solutions work natively together to deliver coordinated detection and response. The threat protection that these Microsoft security products provide is comprehensive and very effective.

We use Microsoft Defender for Cloud and make use of its bi-directional sync capabilities. It gives us access to reports and makes reporting much easier as well.

Microsoft Sentinel enables us to ingest data from our entire system. Data ingestion is very important to our security operations because it makes it easy for us to know if there are any vulnerabilities or threats. It flags it, and we can analyze it and also create a query, which brings to light threats. We can then mitigate the threat or attack breach on the device.

Sentinel enables us to investigate threats and respond holistically from one place. It makes life easier for us and helps us not to be caught unaware. There are many forms of alerts that notify you immediately of any threats. You can set up automations, which might even fix the issue or mitigate the issue immediately without the need for intervention. That is, you can create a rule to automatically fix a particular problem.

Sentinel captures a lot of logs, and you'll be able to create action plans through the application to directly handle particular threats. The integration has been done already, so automatically it will send a signal to the environment or to the solution you have integrated with to carry out a particular action.

The cost of Sentinel is on the higher side compared to that of other standalone solutions.

We can automate routine tasks and write scripts to carry out difficult tasks, which makes things easier for us.

This solution has helped us to save 60% to 70% of our time.

Microsoft 365 Defender provides one XDR dashboard, so we don't have to look at multiple dashboards. In the Import Center, all you need to do is to select the solutions that you want, and it will give you multiple options on different categories and different data. It's amazing and straightforward, and you won't need to open other tabs.

We have been able to prepare for potential threats before they hit and take corrective steps. We can immediately identify users or systems that have viruses or malware. We can also find scripts that have errors underneath them. We can discover each element from the history and delete it. It covers a lot of aspects, and the integration with Sentinel helps as well.

Because there's someone actually monitoring everything, when there is a threat or any form of abnormality, all they would need to do is to create a rule or a query to create a particular section and add the action that needs to be carried out. It's easy to get to reports as well. Overall, the solution has decreased our time to detection and our time to respond by 60% to 70%.

Microsoft tends to provide too many features, which makes the solution prone to bugs.

Also, 365 Defender needs to be more flexible during deployment. When it comes to causal admittance, at times it seems slow.

We have been using this solution for about three years.

The stability is okay. Microsoft has evolved a lot, so they tend to make sure that the solution is up to date and up to par with best practices in the environment. They add new features as well.

It's very scalable.

The level of support you get depends on the knowledge of the engineer who has picked up your ticket. I'd rate technical support at seven out of ten.

Neutral

The initial deployment is straightforward as long as you meet the prerequisites. 
It doesn't really take a lot of time to deploy. All you need to do is to set up the policy, then assign the license to the users. Microsoft handles the maintenance of the solution.

Defender Plan 1 is tenant-wise, and Defender Plan 2 is per-user, which makes it more expensive. To have certain features, you would need to purchase the E5 license. For all of the capabilities that the tool provides, the price, though it can be high, is fair. 

I don't think having a single vendor's security suite is the best because once the threat actors are in through the surface, it's easy for them to penetrate. This is because they'll know all the cracks in that particular product. However, if you have another vendor protecting you as well with a different signature database that is separate, then the attackers have multiple walls that need to be cracked.

An average-sized organization can go for the Business Premium plan. Larger organizations can go with E5, which comes with the full functionalities of Microsoft 365 Defender. Overall, I'd give this solution a seven out of ten.

One of my largest customers deployed Defender for Endpoint, but they also wanted Defender XDR to get a specific feature. Defender XDR is included in the E5 license, but it's a bit too expensive. Our customer wanted Defender XDR's file integrity monitor tools for compliance. My client is using Defender with Sentinel, but I'm unsure how much they use it. 

My clients like Defender's file integrity monitoring. They're monitoring Windows and Linux system files.

My client would like the solution to be more customizable without using code. You can only build on the default console, but we're not allowed to change it. 

We have a similar tool to Defender's file integrity monitoring. Under the VMware VM properties, there is a change-checking tool, and it will tell us if the extension is in a different location. You can configure checking and do the monitoring. When I log into Defender's file integrity portal, I cannot see that this machine was enabled.  It's the same agent and extension. 

It's confusing because I don't know how to tell the customer they don't need to pay $15 per month because you already can enable the extension in VMware. Under the Defender account, it all seems like it's high code, and we cannot change it. Every customer has requirements for us to customize those things. 

I have used Defender XDR for about a year. 

Defender XDR is an enterprise-scale solution. 

I rate Microsoft support 4 out of 10. 

Neutral

I rate Defender XDR 3 out of 10. I don't think Defender XDR is ready to deploy in its current state. It has too many solutions inside, and they're not fully integrated. 

I use 365 Defender to protect against phishing attacks and filter out our email to pick up certain vulnerabilities. For example, if someone sends out their credentials, it triggers an alarm. 

Features like filtering and phishing simulation increase our email security. The main purpose is to protect employees and sensitive company information. Everything is connected, so an intruder can potentially access sensitive, confidential information by breaching just one account. 365 Defender is a good way to protect the entire environment. 

Defender helped us automate tasks because we had everything preconfigured. We create alerts and automated responses, which save us some time. Threat intelligence is helpful. For example, if there is a suspicious IP address based in Russia, we can block that address. I didn't do much of that, but it's possible.

365 Defender provides solid visibility because we can map out what's happening and get a good overview of the intelligence. The timeline feature is excellent. I also like the phishing simulation. We have phishing campaigns to educate employees and warn them about these threats. 

I also like that Microsoft has a lot of resources online. It's easy to Google information about the tool and what it can do for your organization. 

The interface could be improved. For example, if you want to do a phishing simulation for your employees, it can take a while to figure out what to do. The interface is a bit messy and could be updated. It isn't too bad, but doing some things can be a long process. 

I used Microsoft 365 Defender for 10 weeks during an internship. 

365 Defender is highly stable. I've never had any issues with it. It can be slower at times, but that may not be product's fault. Maybe there's too much traffic or an issue with the connection. 

365 Defender can scale. More than a thousand people work for this company, and some of them have multiple endpoints, like laptops, workstations, phones, etc. 

I've used CrowdStrike and some other tools for endpoint and email security. Microsoft Defender is excellent because it covers everything in one place, including endpoint protection, email security, phishing simulation, spam filtering, etc.  

365 Defender is billed per account. I don't know the exact price, but my supervisor told me that Microsoft Defender is cheaper than the alternatives. It's bundled, so you get all the features in one place. 

I rate Microsoft 365 Defender a nine out of ten. It's an excellent product that protects employees and organizations from attacks. If you have it configured correctly, you should be good. It's an ideal solution for new companies that are starting up and need protection. 

If I were asked to pick between a best-of-breed strategy or getting all of my solutions from one company, I would say that it depends on the product. Many companies have products that offer the same quality as others. The Microsoft family covers so much, but you can also try CrowdStrike for endpoint protection or Proofpoint for email security. 

Each platform offers flexibility, and some can be better than Microsoft, but when it comes to creating configurations, I feel that it's a better option. Also, you can get a better price by purchasing all your solutions from one company. 

We primarily use the solution for email protection to scan incoming emails and attack simulation. Attack simulation allows our users to practice detecting phishing emails without any risk. The product also gives us an overview of our security situation. 

We operate a hybrid environment with a wide variety of users around the world. 

We use multiple Microsoft security products, including Defender for Endpoint, Sentinel, and Defender for Cloud Apps.  

We have integrated all our Microsoft security solutions, and the integration is easy and seamless, though an Azure account is required to connect Sentinel with other products. 

The solutions work natively together to deliver coordinated detection and response across our environment.  

The multiple Microsoft security products provide comprehensive threat protection, especially by combining 365 Defender and Defender for Cloud Apps, Endpoint, and Identity.  

The solution allows us to remediate threats better, and the Microsoft Secure Score tells us where we need to improve the security of our organization.

365 Defender saves us time in the region of 10%.

With security products, it can be hard to determine how much money they save us by protecting us from attacks, but I would say our cost savings are around 15%. 

The tool decreased our time to detect and respond, as we can quickly navigate to the required dashboard to get on top of unfolding threats. It reduced the time by 5% for each.  

The attack simulation is excellent; initially, this feature wasn't very robust, but Microsoft improved what we could achieve with it. We can now customize our practice phishing emails and include our company logo, for example. Attack simulation also helps integrate with third-party solutions where applicable and provides an overview of our security architecture through testing. The summary includes areas for improvement in our protection and what steps we need to take to get there.

365 Defender works seamlessly with other Microsoft products like Defender for Endpoint, and once we've onboarded a device, it's easy to see the entire progression of a malicious email. This includes the IP origin, and these are some of the things I love about the product.

The solution provides us with excellent visibility into threats; there are various features that clearly show when our organization is under attack, which country the attack originates from, and what we need to do to mitigate it. 

365 Defender prioritizes threats across the enterprise, which is essential because it gives us an overview of what we need to do to improve our security. We don't need to think of what we must do which is significant for us. 

The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Over time, the threat intelligence learns and gets better, much like an AI.  

A simple dashboard without having to use MS Sentinel would be a welcome improvement. 

We sometimes get false alerts, and Microsoft told us the issue was with them and that they were aware of it. They were supposed to remediate it, but we had to do much ourselves. The false positives need to be reduced. 

We've been using 365 Defender for four years. 

The stability isn't bad, but we get too many false positives.

Microsoft has been able to scale up the solution over time, so it's scalable. All we need to do is purchase licenses according to our requirements. We have around 1,000 users.

The customer support is good, but there is room for improvement. 

Neutral

The deployment was straightforward and quick; it took minutes. Onboarding the other solutions can take a little longer, depending on the environment and migration methods.

The setup can be done by one or two staff. In a scenario with many thousands of users and a proficient security admin, the deployment could be done in 15 to 20 minutes. The solution doesn't require any maintenance on our end, as it's cloud-based. 

The product gives us an ROI as it protects our organization from potentially costly attacks. Our ROI is around 5%.

The product is fairly priced for what we get from it. 

I rate the solution seven out of ten. 

We use MS Sentinel, but I wouldn't say it ingests data from our entire ecosystem. It's straightforward to integrate, but getting the most out of Sentinel requires a lot of configuration, which needs significant expertise and time.

Sentinel enables us to investigate threats and respond holistically from one place, and that's important for us. The process is primarily automatic once the logic hub and configuration are set up.  

Regarding the comprehensiveness of Sentinel's security protection, it's less a tool for protection and more of a solution for providing an overview, management, and optimization of security processes. The most significant security features are found in the Defender line of products. 

We can automate some aspects of 365 Defender, but MS Sentinel is required for more complete automation.

365 Defender doesn't eliminate having to look at multiple dashboards; we still need to click through numerous dashboards for a complete security overview. Sentinel allows management from a single XDR dashboard.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say, why not save the stress of dealing with multiple vendors? You can have one vendor one click away and seamless integration between your products. 

I recommend the solution; I've worked with it in three different organizations and realized how seamless it is to use the Microsoft suite. They integrate well and help us protect all the services in Microsoft 365.

Defender XDR is a solution that protects your enterprise systems and devices.

Defender XDR has helped a lot in terms of capturing all kinds of activities happening on the endpoints where it is. If you want to know what happened at a point in time, you can go to the history and search everything. This helps you investigate exactly what happened if you have a security breach. It doesn't take much time, but I don't have anything to compare it to because Defender is the only XDR we've used. 

Defender XDR has a feature called the timeline that lets you track all activities. It helps a lot with investigations. Microsoft has many identity management features and products that complement each other.

It covers the weaknesses and vulnerabilities of non-Microsoft solutions, but it will not help you to do the remediation. You need another third-party tool to do the remediation. 

Defender protects against advanced attacks like ransomware or email phishing. The protection Defender provides is excellent. It's a great product for preventing attacks and reducing risks for organizations. 

There are a few technical issues with Defender XDR that can be improved. Sometimes, the endpoint devices are not reporting properly to the Defender 365 portal. When you're getting all the information from the Microsoft portal, the devices are sometimes not in sync. We have hundreds of endpoint devices, some needing to be onboarded again. 

I have used Defender XDR for three years.

I rate Microsoft support nine out of ten. It's excellent. 

Positive

We did a POC for a McAfee product. There weren't many differences, but Microsoft Defender was included with our E5 license. The major difference is that we saved money by not purchasing another product. 

Defender XDR is a cloud-based solution. You can access it and see all the information you need inside the Microsoft portal. 

Defender XDR is not expensive. It's average compared to other products. 

I can get Defender bundled with the E5 package. We had considered replacing it, but after evaluating some competing products, we decided there was no significant difference between the third-party products and Defender. 

I rate Microsoft Defender XDR eight out of ten. I think there is room for improvement in terms of its coverage of non-Microsoft technologies. 

It is an integral part of our security infrastructure, primarily serving to monitor both our server and client environments comprehensively.

Its strength lies in providing a holistic view of the protection it offers. When a threat is detected, the system not only identifies the nature of the threat but also provides valuable insights into how and why it was detected. This thorough understanding empowers us to take well-informed steps to remediate the threat effectively. The unified Microsoft environment enhances overall ease of use, making it considerably simpler for our team members to collaborate and work efficiently, given our familiarity with Microsoft products. Unified identity and access benefits stand out as crucial, especially as we delve deeper into compliance considerations. The increasing importance lies in having a centralized view, streamlining visibility through a single interface rather than navigating across various sections in Defender.

The incident threat response and its ability to facilitate effective remediation against threats are the standout features. I haven't encountered a similar level of comprehensive incident response in other solutions before.

Perhaps there's room for visual enhancements to make the platform more appealing. Stability could be improved by avoiding frequent changes to the interface.

We have been working with it for approximately a year.

It has proven to be scalable within our organization, which, while not exceptionally large, consists of around eight hundred users globally. It strikes a balance, meeting our needs effectively without being overly complex.

The technical support is generally good, but we sometimes find the first-line support process a bit cumbersome. After initiating a case, we, as experienced professionals, go through the standard script diligently (ABC), only to find that first-level support requests the same steps again. While I understand the need for thorough troubleshooting before escalation, it can be time-consuming. I would rate it six out of ten.

Neutral

Compared to antivirus or security products such as Trend Micro or McAfee, Microsoft Defender XDR appears notably more user-friendly and offers a clearer interface. The adoption of Microsoft Defender allowed us to phase out the use of other security products, including our long-standing reliance on McAfee and Trend Micro. The transition was prompted by the effectiveness of Advanced Threat Protection offered through Microsoft Defender 365. The decision to consolidate under Microsoft's umbrella proved advantageous, making the adoption process smoother and more efficient for our organization.

The initial setup wasn't overly complicated. We only needed to create a few scripts, which were then executed on our local machines within the environment. This process seamlessly integrated the machines into Defender within our tenant.

We use a third-party software tool for executing scripts and deploying software packages.

We've achieved significant cost savings, primarily in the realm of security. As Microsoft continues to enhance Defender, we anticipate further opportunities to streamline and consolidate various aspects of security monitoring and software under the Microsoft umbrella. I'd estimate the savings to be in the tens of thousands of dollars annually.Considering our relatively small team of around thirty IT professionals, especially those at the first level primarily using security products like Defender, the streamlined access within the same application prevents them from having to navigate through multiple applications. This efficiency translates to a potential saving of around a dozen hours per month per individual.

Understanding the subscription model has been a bit challenging, as every feature or requirement comes with an additional cost.

Overall, I would rate it eight out of ten.

We typically use Defender's default settings and are implementing MITRE ATT&CK use cases on Microsoft Defender this year. We do manual threat hunting and check to see if there is a trending attack. We have the latest IOCs and sweep across the organization looking for them. 

When implementing Defender, we usually use its advanced hunting features to determine particular techniques used across the whole environment. We use multiple Microsoft security products, including Defender for Endpoint, Defender for Cloud Apps, Sentinel, email and collaboration, data loss prevention, and Microsoft Purview.

Defender XDR enables us to prioritize threats according to the algorithm or our custom rules. We can prioritize threats and have the option to automate the response. For instance, let's say we are facing a sticky key hijack. When you press shift several times at the login screen, you can open the command prompt of that particular host. That is a vulnerability of Microsoft Windows. When this happens, we can automate a priority alert and also isolate that endpoint from the network immediately. 

The solution reduces our remediation time by enabling our security analyst to respond quickly, make some automations, and edit the rules to detect any potential threats. The extent to which the solution reduces the remediation time depends on the analyst's skill. If the security analyst is good, Defender XDR will help them.

XDR saves money if you are using Microsoft products. XDR is more inclined toward Active Directory, a Microsoft product. No other XDR can integrate with Active Directory so seamlessly and use it to its fullest potential. Microsoft also offers multiple sub-products. If we purchased third-party solutions for email, endpoint, XDR, cloud applications, etc., and managed them on a single platform, it would be more expensive than Microsoft solutions. When we do a cost-benefit analysis, Microsoft Defender XDR offers a better value. 

I like Defender XDR's automation capabilities. XDR isn't automated by default, but you can automate it to respond. If an attack is performed anywhere within the organization, you can isolate that instance from the network. This is what I can figure out for it. When integrated with Sentinel, you can set up playbooks to automate all the alerts gathered on Sentinel from different Microsoft solutions. Sentinel has a wider range of capabilities than XDR. 

Defender XDR has good threat visibility, but it could be better in some areas, like when we are hunting for a specific host. For example, let's say we are investigating email services, and want to trace an email account to its host PCs and investigate the emails in its inbox. We want more visibility into the email side of investigations. It would be better if these features could be more integrated into the console like you could have a tab for Cloud Apps to see the cloud applications a user had communicated with. 

Microsoft's threat analytics are somewhat helpful for anything related to Microsoft products. For instance, it can update us about any single sign-on vulnerabilities or something along those lines. However, Microsoft was very late in terms of the recent LockBit attacks. LockBit compromised some significant organizations, and Microsoft didn't provide the report fast enough. It was reported on my normal cybersecurity information websites first. The site analytics are a bit weak when it comes to non-Microsoft clouds.

Defender XDR is capable of providing intelligence reports about threats specific to Microsoft components, but if we are implementing a Microsoft solution across an organization, many other products and side factors must be considered. I feel like Microsoft falls behind some other vendors in threat intelligence.

When we do investigations, it would be better if Microsoft could populate the host dashboard more. When we open any host for investigation, we want the entire timeline of what is happening on the host, including all the users logging in, their hardware, Windows version, etc. 

I have used Defender XDR for nearly 2 years. 

We haven't faced issues with stability. XDR doesn't lag during investigations. We've seen a few minor bugs in the XDR console but not often. There have been no major issues that disrupted our operation. 

Defender XDR has good scalability. If you want more endpoint visibility, you don't need to scale your organization much. You only need to integrate that particular endpoint by running a script and deploying an agent to it. 

I haven't contacted Microsoft support about XDR, but my client has. One of the alerts was triggering incorrectly based on a default setting. We asked their team to investigate why the solution was excessively triggering. I just disabled the default rules and made custom policies. Now, everything is working fine.

I previously used CrowdStrike EDR. It's hard to compare the two products because CrowdStrike EDR was focused on endpoint detection, so it cannot investigate emails or have any other XDR capabilities. One is an XDR and the other an EDR. 

We compared Microsoft Defender XDR to Trend Micro's Vision One. Defender's advantage over Vision One is ease of use. Managing and enabling policies is much easier on Microsoft Defender. There's a considerable difference between their default rules. In some cases, alerts will trigger in Defender, but not Vision One. Overall, Microsoft Defender XDR is preferable over Vision One.

I rate Microsoft Defender XDR 7 out of 10. It's a useful product for a professional security analyst who knows how to increase the visibility. You only need to make some front-end changes and put the data on host names into XDR. 

If someone asked me whether a best-of-breed or single-vendor approach is better, I would support mixing different products. Each security vendor has its own intelligence base. By including other vendors, I am gaining visibility into more indicators of compromise. Nevertheless, I would still pick Microsoft Defender XDR and Sentinel together because they are well integrated. All the big companies and banks use Microsoft. Windows is a popular operating system across the world. Defender and Sentinel are better integrated with Microsoft systems.