Microsoft Defender XDR Reviews

Our primary use case for Microsoft Defender XDR is to serve as our email security solution, offering file protection, scanning, alerts, and incident management. It is a part of every Microsoft 365 deployment we do.

The integration of Microsoft products simplifies management, reporting, and investigations. It offers capabilities that other solutions don't offer.

The feature I find most valuable is Defender for Endpoint. It's because endpoint management is my primary focus, and this feature integrates well with my other skills.

The licensing process needs improvement and clarification, as it is currently difficult to understand which features are licensed to which users.

I've been using Microsoft Defender XDR for about ten years since it was known as Office 365 Advanced Threat Protection.

I have no concerns about the stability of Microsoft Defender XDR.

We are only a small organization, and our operations don't even challenge Microsoft Defender XDR's capabilities.

The customer service and support have been good. Whenever it is needed, they are fast to respond.

Positive

We used various solutions over the years, but since then, we've been using the Defender variants.

The initial deployment was straightforward.

We implemented Microsoft Defender XDR ourselves in-house.

There are no issues with pricing, but sometimes, the clarity in licensing is a concern. I still need to verify what's included with each license occasionally.

I would rate Microsoft Defender XDR a ten out of ten.

We use Microsoft Defender XDR to secure all data transfers between the company network, databases, and user devices. It also protects against malware, ransomware, and other security threats.

Microsoft Defender XDR provides unified identity and access management.

Microsoft Defender XDR can extend beyond to cover more than just Microsoft technology.

The most beneficial aspect of Microsoft Defender XDR is the integration with Office 365.

We can realize the benefits of Microsoft Defender XDR anywhere from two weeks to three months, depending on the organization.

Microsoft Defender XDR stops the lateral movement of advanced attacks.

When a user exhibits suspicious activity, Defender XDR and Microsoft Sentinel work together to provide real-time protection and automation for prevention. This includes threats like insecure connections, lateral movement by malware, and unauthorized email sending. While Microsoft Defender XDR is a powerful solution on its own, combining it with Microsoft Sentinel and automation creates an even more robust defense.

Microsoft Defender XDR helps to discontinue other third-party solutions in our environment.

The cost savings potential of Microsoft Defender XDR depends on the size of an organization and the specific licensing chosen.

Microsoft Defender XDR streamlines security team workflows by offering a unified console for investigation, blocking, and mitigation.

The integration between all the Defender products is the most valuable feature.

The management and automation of the cloud apps have room for improvement.

I have been using Microsoft Defender XDR for 3 years.

Microsoft Defender XDR is stable.

The scalability of Microsoft Defender XDR depends on your organization's network for on-premises deployments, but it offers excellent scalability for cloud deployments.

Scaling Microsoft Defender XDR on-premises can lead to network and access control list problems, as well as VPN restrictions.

Microsoft Defender XDR boasts a straightforward setup process. This ease of use stems from its integration with existing Microsoft products. Once we have the appropriate license, we can be up and running quickly. Extensive documentation is available, and Defender XDR enjoys broad industry compatibility. Many other security solutions readily integrate with Defender XDR, opening their products to its robust security features.

The deployment time depends on each environment and can take anywhere from a couple of days to one month.

The number of people required for deployment also depends on the environment and varies between two to eight people.

The price we see for Microsoft Defender XDR is typically the discounted rate we offer to our customers. However, when we bundle Defender XDR with other Microsoft products, the overall bundle price may differ. Despite any initial price considerations, Defender XDR offers excellent value. It's important to compare similar products to make a fair assessment. For organizations already using Microsoft products, which applies to roughly 90 percent of our customers, Defender XDR is easy to set up. Unlike some third-party security solutions, Defender XDR integrates seamlessly with our existing Microsoft environment, eliminating the need for complex identity management configurations and development efforts.

While the standalone price of Defender XDR might seem high, its value becomes clear when considering the ease of implementation and smooth integration with our existing Microsoft infrastructure, especially when bundled with other Microsoft products.

I would rate Microsoft Defender XDR nine out of ten.

Between one and two people are required for maintenance which is conducted twice a month to roadmap Microsoft and check new features.

I recommend thoroughly reading the documentation. Additionally, if there are opportunities to attend Microsoft events, such as a partner workshop focused on Defender, these would be valuable resources. By participating in these activities, you can gain a deeper understanding of what needs to be done within your environment to successfully implement Microsoft Defender XDR.

We use Microsoft Defender XDR in our multi-tenant environment comprising Windows, Linux, and the Cloud.

We have Microsoft Defender deployed in a hybrid environment across AWS, Azure, and GCP.

Microsoft Defender XDR provides unified identity and access management. The identity protection the solution provides is good. 

If we had to use a separate solution for identity and access management I believe the performance would be clunky.

Microsoft Defender XDR extends beyond just Microsoft technologies, encompassing a wider range of platforms and services. This broad coverage is a key strength of the solution.

Since implementing Microsoft Defender XDR, the centralized view and management console have been beneficial.

Microsoft Defender XDR limits the lateral movement of advanced attacks.

It integrated seamlessly into our SIEM environment so there are no disruptions to our security operations.

The ability to adapt to evolving threats is critical as the landscape is expanding daily.

The multi-tenant management capabilities for investigating and responding to threats across tenants are good.

We are enabled us to discontinue the use of other vulnerability management tools.

The reduction in the number of vulnerability management tools we use has helped reduce manual operations.

Microsoft Defender XDR has helped reduce our costs by ten percent.

Microsoft Defender XDR has helped save our security team between five and ten percent of their time.

The unified view of the threat landscape on a central dashboard is the most valuable feature.

The naming convention keeps changing and has room for improvement.

The licensing is a nightmare and has room for improvement.

I have been using Microsoft Defender XDR for three years.

Microsoft Defender XDR is stable.

Microsoft Defender XDR is a SaaS product so it is scalable.

The technical support is good.

Positive

We previously used VMware Carbon Black and switched to Microsoft Defender for the multi-cloud environment support.

The initial deployment is straightforward. We identify the critical assets and just deploy for those initially and then slowly roll out for the rest. Around five people were involved in the deployment.

The implementation was completed in-house.

We have seen a return on investment.

I would rate Microsoft Defender XDR a nine out of ten.

The summarization of emails is a valuable feature. I get more than 1000 emails a day. It is hard to read them all. Summarization makes it a lot easier. The solution also provides transcription features.

It doesn't work in Word, Excel, and PowerPoint consistently. We find it full of bugs. It doesn't work properly. The tool gives inconsistent answers and crashes a lot. I spoke with the Microsoft team regarding these issues. The person I spoke to said that our expectation was too high and that we should have expected that it would only operate at 70% accuracy, which was a bit of a shock.

I have been using the solution for four years.

We use most of E3 and E5. We're using 92% of the catalog. Everything runs in the cloud. In the past six months, there have been incidents where the cloud has had some issues. We've escalated them to Microsoft and have had a conversation about stability.

The tool is scalable.

The support is decent. It could be better in certain circumstances. Overall, it's acceptable for what we need it for.

We were using a Symantec tool before. We stopped using it because we were exiting a relationship with the Symantec tools. We chose Microsoft Defender for Office 365 because we had a relationship with Microsoft, and it did similar things to what we used the Symantec tool for. It was an easy choice.

The initial setup was complex. It doesn't work. Semantic Index takes 48 hours. Getting people to onboard is not as simple as turning it on and making it work.

We have to ensure that we are teaching people about these tools, their value, and the use cases to determine whether they will use them. If we turn it on and somebody is not trained to use the tool, they will abandon it. It's still not functioning properly. It's a bit of a risk for Microsoft to push out a tool that's not ready yet.

We did the implementation ourselves. We have a large enough internal team.

The solution is too expensive. Each license costs us $30.

Google is an alternative. The comparison is based on market share, penetration, usefulness of tools, and cost. Microsoft has the lead. It's embedded. We use it as a productivity suite for our company. Excel, Word, and PowerPoint are tools that people use on a daily basis.

The tool provides a little bit of unified identity and access management. It's not the most important thing for us. Security is a multi-layered strategy, and Defender is one aspect.

The product is one of the many tools we deploy to ensure that the lateral movement of advanced attacks does not occur. If it were the only tool we had, I wouldn't be as confident in saying that we have the proper levels of security, but it is one of the multiple tools we have. So, lateral movement is almost impossible.

The solution might be able to adapt to evolving threats in a smaller shop. However, it is not so in our organization.

We run a bank. We are testing out Copilot. We're about to roll it out to several thousand users. The tool hasn't yet helped improve things in our organization, but it has the potential. Copilot is new. It's difficult to determine the ROI and its value. It's hard to tell. We do get some value out of the product.

Overall, I rate the product a seven out of ten.

It is, of course, an antivirus tool. I work as a lead for a SOC team, and it's our job to monitor all the endpoints in our organization. We are looking for any unusual activity happening on the devices, and Defender monitors them.

If there are any changes or unusual activities, it triggers an alert. An analyst will pick up the alert from the Microsoft 365 Defender and go through the timeline to understand what triggered that alert and whether to categorize it as a security incident or not. Some of them turn out to be false positives, and some turn out to be true positives.

We use it for other tasks like IOC management. In the cyber world, different applications have different vulnerabilities. If an application is used in our organization, we make sure all the IOCs, whether hash values, malicious IP addresses, or malicious domains, are blocked in the Microsoft 365 Defender.

It has given us a very wide range of visibility over the endpoints and it's easy to manage. If I see a threat or an attack pattern emerging from a certain location, I can easily isolate those endpoints at a very quick pace. That has pretty significantly improved our proactive measures when it comes to security in the last three years.

Apart from that, it gives us an overall picture, and not just of the endpoints. It has identity and access management and an email security module as well. If there is anything related to phishing or spam emails, we can analyze that in the same portal. We don't have to rely on multiple portals. It's just a single pane of glass where everything is visible. It gives us a clear picture and our visibility has increased a lot.

Another thing I like about Defender is that if a threat is detected, it starts the investigation by itself, by running the scans on itself, trying to isolate the device, and determining which IP addresses or websites it is connecting to. It gives us a detailed picture. All we have to do is make sure all these are blocked. But the initial triage and investigation are pretty much done by Defender itself. That is one of the significant areas of improvement for us, which I definitely like about this product. Automation is one of the key features in Defender, which saves us a lot of time. Sometimes, we don't need manual intervention. It does its job automatically.

If an analyst would take 40 to 45 minutes just to understand what was going on with respect to the alerts that were coming in with the product we were using previously, 365 Defender has reduced that time by half, by 20 to 25 minutes. That is a pretty good improvement. When you're working in a cyber security environment, you need to be very quick to respond because, in a matter of minutes, you'll be firefighting. And that's not what you want.

Among the most valuable features are the alert timeline, the alert story, which is pretty detailed. It gives us complete insight into what exactly happened on the endpoint. It doesn't just say, "Malware detected." It tells us what caused that malware to be detected and how it was detected. It gives us a complete timeline from beginning to end. It gives us a pretty detailed overview of the timeline of the attack.

Another benefit is that Defender absolutely stops lateral movement or advanced attacks like ransomware. The MITRE ATT&CK framework is pre-integrated, and all the use cases or categories that have been defined in Microsoft Defender are based on that framework. Lateral movement is part of that. There are multiple cases of lateral movement available in Defender, and ransomware, of course, is one of them.

We also have threat analytics in the solution. If there is a zero-day attack, it gives us the information. As of now, we haven't seen any impact on our devices. If there is any impact, it shows us, and we can take action accordingly. Those aspects work pretty well.

The only problem I find is that the use cases are built-in. There is no template available that you can modify according to your organization's standards. What they give is very generic, the market standard, but that might not be applicable to every organization. For example, an organization might look into an alert in a different way, not in the way Microsoft provides. There is no way to modify a template according to your needs, and that is something that I really don't like.

Those kinds of alerts are generating too many false positives for us, creating additional overhead. For example, part of the identity and access management is called "impossible travel activity." It generates false positives for us but there is no way I can modify the rule they have given that causes alerts. I cannot use that template or create a new one using that template, which I then modify to fit my organization's standards.

When we raised the issue with Microsoft, they said, "It's a product feature. What you are requesting is a product enhancement. We can take your request, but we are not sure when it's going to happen."

I have been using Microsoft 365 Defender for almost three years.

I have not observed even one time that the tool has lagged or crashed.

It is pretty scalable and user-friendly. There are no issues with the scalability.

We have raised a few tickets for cases we needed assistance with. Their support is good. The response is good. Sometimes, the challenge is that an issue might be a high priority for us, but they might not consider it a high priority based on their understanding. Their severity levels vary compared to ours. That's fair, of course. It's not something I am complaining about. Overall, the response from their support is always positive.

Positive

We were using McAfee ePO, but we have completely stopped using it now that we have 365 Defender. Discontinuing McAfee has definitely reduced manual correlation. Most things are automated in the Defender portal, so if a high-severity alert comes in, an automated investigation is triggered. That is one of the key features.

Irrespective of whether your organization is a mid-sized company or a big company, Defender is pretty scalable and very easy to use. As a cloud solution, you don't have to worry about it crashing. The alert timeline is pretty detailed. It catches most of the threats out there. You don't have to worry too much if there is a new threat because Microsoft makes sure that it is already addressed by Defender. If something comes up, it will sound an alert.

If you are looking for a nice antivirus product that doesn't take up many of your endpoint resources—compared to other antivirus software on the market, some of which take huge resources from your machine—it comes built-in with Microsoft. You don't have to install anything.

It's a cloud deployment, so I don't think there is any maintenance required from our end, unless there is a policy change requested at the organization level.

The platform provides unified identity and access management. When I started using it three years ago, that was a separate product. It was under Azure Cloud App Security. Now, they have integrated into Microsoft 365 Defender. We can see identity and access management-related alerts in Defender. Identity protection is something we have not explored that much. Our main focus lies on the endpoint.

Still, it's good to have it in Defender itself because it comes as a complete package. Just because we are not actively using it doesn't mean it's bad. It gives us detailed information, but we are working on the endpoints, focused on the device side. But if a brute-force attack is happening, it comes from a specific device. We don't have to rely on multiple portals to get that information. Everything is available in a single window, because we have that user information. You also see user access to devices and check if there are any malware-related alerts on that device. And that information is in the same portal. Integrating identity and access management in the same portal is a pretty good feature rather than having a separate feature altogether.

The main use case has been for threat hunting, not in the sense of actively looking for the threat, but in terms of analyzing the ongoing process within clients' machines. I was looking into what kind of changes happen when you install any new software and it asks for so many permissions. I wanted to analyze the criticality of the permissions being asked and so on. Usually, when we install any software, we just click next, next, and next. We don't look at the details. So, my role was to check how it behaves within a system. For that reason, I used Microsoft Defender. 

I used the query language to do advanced threat hunting. I ran different queries to collect the data. The data was then brought into Power BI. We had data coming from different channels. So, we used Power BI to collect it at a single point.

My usage of it was on a very small scale. I am not aware of its overall impact on the organization, but it did help us a lot to know and achieve what we wanted to achieve. Without Microsoft 365 Defender, the detection for our use case would have been impossible.

It provided more visibility into threats, and it came with some of the default functions from Microsoft, which was an advantage. They had already defined different tables in advanced threat hunting, which was very helpful. I am not aware of other vendors providing that.

Its threat intelligence helped to prepare for potential threats before they hit and to take proactive steps. That was my target for that project. We were actively looking for vulnerabilities inside the software, and we wanted to detect the software supply chain aspect. That was a difficult task, but we wanted to be ahead before any attack happened. That's why we were using Microsoft 365 Defender.

It saved time. They had already defined different tables to identify different artifacts within the system, which saved about 50% of our time.

Within advanced threat hunting, the tables that have already been defined by Microsoft are helpful. In the advanced threat hunting tab, there were different tables, and one of the tables was related to device info, device alert, and device events. That was very helpful. Another feature that I liked but didn't have access to was deep analysis.

I liked its portal a lot. I am currently using a different vendor, and there is a big difference between them. Microsoft had a very good portal, and its user interface was good. Irrespective of where I was, with a click, I could see comprehensive details about something on the right side. The related information was always on the right side. So, I didn't have to jump over different tabs and functionalities. The information was always there on the right side, which is something I liked in Microsoft 365 Defender portal.

The documentation on their website is somewhat outdated and doesn't show properly. I wanted to try a query in Microsoft Defender 365. When I opened the related documentation from the security blog on the Microsoft website, the figures were not showing. It was difficult to understand the article without having the figures. The figures were there in the article, but they were not getting loaded, which made the article obsolete. They should refresh all their articles and see that the steps and figures aren't missing. They can also provide more documentation.

I used it just for four months in a previous company.

I never had any problems with it. It was always stable.

It's scalable. You can query each and every machine in the company.

I was working for a client, and that client had more than 50,000 people.

I never contacted them directly, but based on what I heard during the meetings, they seemed to be quite helpful and good.

I didn't use any other similar solution before Microsoft 365 Defender. That was the first time I used Microsoft 365 Defender. That was my first experience. Now, I'm using a different product, and I can see that Microsoft 365 Defender was much better than the current product.

Microsoft 365 Defender is very good for analyzing something. There are multiple types of data and multiple ways to utilize that data. With a single click, you can have all the related data for a particular topic. That's really good, and that is what I'm missing in the current product.

I did not use Microsoft Defender for Cloud, but I saw the cloud part for monitoring cloud applications. It was nice, and it had some added functionalities. For example, application risk scoring was very good. It shows what data has been considered to give a particular risk score, which is useful for a new learner like me. It was helpful to know the criteria for scoring. They also included so many applications. There were more than 24,000 cloud applications inside their catalog. That's a really good catalog.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would agree that multiple vendors are better than a single vendor because every vendor has different capabilities. It's always better to use the best products from different vendors than to use all the products from the same vendor.

I would rate Microsoft 365 Defender a nine out of ten. 

Defender XDR is a solution that protects your enterprise systems and devices.

Defender XDR has helped a lot in terms of capturing all kinds of activities happening on the endpoints where it is. If you want to know what happened at a point in time, you can go to the history and search everything. This helps you investigate exactly what happened if you have a security breach. It doesn't take much time, but I don't have anything to compare it to because Defender is the only XDR we've used. 

Defender XDR has a feature called the timeline that lets you track all activities. It helps a lot with investigations. Microsoft has many identity management features and products that complement each other.

It covers the weaknesses and vulnerabilities of non-Microsoft solutions, but it will not help you to do the remediation. You need another third-party tool to do the remediation. 

Defender protects against advanced attacks like ransomware or email phishing. The protection Defender provides is excellent. It's a great product for preventing attacks and reducing risks for organizations. 

There are a few technical issues with Defender XDR that can be improved. Sometimes, the endpoint devices are not reporting properly to the Defender 365 portal. When you're getting all the information from the Microsoft portal, the devices are sometimes not in sync. We have hundreds of endpoint devices, some needing to be onboarded again. 

I have used Defender XDR for three years.

I rate Microsoft support nine out of ten. It's excellent. 

Positive

We did a POC for a McAfee product. There weren't many differences, but Microsoft Defender was included with our E5 license. The major difference is that we saved money by not purchasing another product. 

Defender XDR is a cloud-based solution. You can access it and see all the information you need inside the Microsoft portal. 

Defender XDR is not expensive. It's average compared to other products. 

I can get Defender bundled with the E5 package. We had considered replacing it, but after evaluating some competing products, we decided there was no significant difference between the third-party products and Defender. 

I rate Microsoft Defender XDR eight out of ten. I think there is room for improvement in terms of its coverage of non-Microsoft technologies. 

I've been using it for endpoints and for Microsoft 365, along with Microsoft Defender for Identity. I use it to create policies for anti-spam, anti-malware, anti-phishing, as well as safe links.

I also use it for the security score, making sure that our company achieves a good security score across the organization.

It has helped us increase our rules and policies, protecting our users, information, and data.

When I deploy a policy for anti-spam or anti-phishing, the solution automatically helps us mitigate those kinds of attacks that could expand across the organization. The automation stops those attacks and emails and sends the emails to a secure place where the admins can accept or eliminate them.

It has also eliminated having to look at multiple dashboards, which not only makes things easier, but helps us detect, and see for ourselves, the threats that are happening across the organization.

In addition, the threat intelligence helps prepare us for potential threats, providing us with security steps to take based on what other experts have done, the steps and recommendations, to prevent those threats. It collects information from the website that Microsoft has where security experts provide information.

And with our endpoints, it has helped us save time because, before we installed Microsoft 365 Defender, we had an antivirus solution that took our time. In addition, by using Defender for Identity, we have been saving time with the password self-reset, because we no longer need IT members or administrators to help reset users' passwords. They can do it by themselves. And with Microsoft Defender for Cloud, we're no longer installing the software on their computers, so there are time-savings as a result.

And one of the greatest characteristics of 365 Defender is that it natively helps you coordinate, detect, and prevent threats, and it provides investigations across the organization's domain. And with the responses across the endpoints and various resources in the cloud, it has many sophisticated solutions integrated to protect against cyberattacks. It has absolutely helped us to save money because it is just one solution, rather than paying for multiple services at the same time.

The security score and the threat intelligence are really good features. I also like the Exchange message trace.

The visibility into threats is also very impressive because Microsoft helps you predict things and provides analytics to help you really improve your security. And all of this technology works across the domain, so it is pretty helpful in terms of threat analytics. It immediately detects and tells you what you can do, with recommendations.

The solution also indicates threats as high, medium, or low priority. When the priority is high, that is when I put all of my effort and knowledge into it, and focus on it, because it is valuable for the enterprise.

We also use the solution's role-based access control across the organization. Because, as a company, we work remotely, we make sure that our users have access to what they need and we better protect our company from intruders and cyberattacks.

Intrusion detection and prevention would be great to have with 365 Defender.

I've been using Microsoft 365 Defender for nearly a year.

The stability has been great so far.

It's very scalable. That's one of the benefits of the cloud. You can scale or downsize it whenever you want.

We have many locations and departments around the world. I'm located in the Dominican Republic, but there are people in Europe and the United States.

Their technical support is great because they mostly provide responses in less than 24 hours.

We were facing downtime with our Outlook email, and they told us what was happening with our data center. After they responded to us, we provided the information to the head administrators. After two hours, they restored our services.

Positive

The solution doesn't require any maintenance, as far as I have seen.

Between a single- and a multi-vendor security solution, it depends on whether you are using multiple technologies. Microsoft solutions are pretty much integrated, and help you with the pre- and post-breach. If you are using Microsoft, I would absolutely recommend Microsoft 365 Defender. But if not, I would recommend something else because, with just Microsoft, you probably would not be getting the best solution. There would probably be latency.