Microsoft Defender XDR Reviews

Microsoft 365 Defender is an extension of Windows Defender. Windows Defender is an AV that is integrated with Windows OS, and with this extension, you also get the EDR functionality for security purposes. Microsoft 365 Defender gets more access to the device and provides more insights and control over that. Apart from the Windows platform, it also includes other OSs, such as Linux and macOS.

We do have multiple options for deployment. We did deploy it on the cloud. We got the on-cloud license, and we onboarded our devices to the portal. The portal is deployed on the Azure cloud.

It helps us prioritize threats across the enterprise. We also have options to prioritize a specific device and monitor it. We can keep a device on high alert or on the watch out for each and every event. There are different severity levels, such as critical, high, medium, and low. We can set severities on any of the devices. Based on the set severity level, Microsoft 365 Defender can track events, and we can monitor those events from the console.

We get more insights and more information about the devices that we have. Because most of them are Windows devices, we have integrations with Intune or SCCM. It is easy to transfer all the information and see everything in one single portal. If we want to configure anything or control the devices in the whole organization, it is easy because all of them are in the same environment. It is easy to manage and control them.

There are fewer compatibility issues and errors and a better ability to track events. With third-party solutions, I used to see more issues related to compatibility and setting the ports. For each and everything, we had to either go through the support documents or through the support to get information. Most of the Microsoft documentation is publicly available. It is not that you only get that when you open a support case. That's an advantage compared to others.

It helps to automate routine tasks and the finding of high-value alerts. We have KQL or SQL queries that we can set up. We can schedule them so that it automatically queries for a specific device or all the devices and gives us a report that we can simply export.

Its threat intelligence helps to prepare us for potential threats before they hit and take proactive steps. It has helped us to recover a few devices. Because it is integrated with the OS, we get information about failed logins.

It saves time and manual labor. Previously, we used to use a deployment portal such as Filezilla or GPOs. We used to manually update the signatures, but now, it is automatic. It saved me pretty much half a day's work.

It has decreased our time to detect and our time to respond. It has saved half a day's work. The sensor constantly connects to the console. In case of an issue, we get an email immediately. We also get a notification in the console. Previously, we used to manually scan the device or query something and then get the results. Because it is automated, we don't need to manually do that. Previously, we used to manually isolate or block a device, or we used to work with different teams to get the device offline, but now, we can simply search the device name in the console and isolate a device from there, which is convenient for us.

The EDR features are valuable. By getting the EDR features, we have more control over the device. We have information about events in real-time and more protection against zero-day threats and zero-day vulnerabilities. We can monitor every event or action that a device is going through. We can get an idea if it is something malicious or if we have to take any actions.

Because Microsoft 365 Defender is integrated with the OS, we get more insight into the events or threat activities. With a third-party solution, we could have some limitations or compatibility issues with the OS, whereas with Microsoft 365 Defender, there are no compatibility issues for Windows, and we get more insights and more information on the threats simply by logging into the console.

The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there. 

It has been almost three months.

I would rate it a seven out of ten in terms of stability. It is quite stable but it can be improved for a few scenarios. It is still new for macOS and Linux, and for these OSs, I would rate it a six out of ten in terms of stability.

It is scalable. We are using it pretty extensively. It is for multiple departments, and there are multiple teams handling it. In the tenant I have, there are 2,000 devices that are currently onboarded. We also get information about which devices are not onboarded. I can see that a few hundred devices are not onboarded. We also have a few other clients or partners who are using it but on a small scale. 

It is good. We do get constant responses and inputs from them whenever we raise a case. They are quite helpful. I would rate them an eight out of ten.

Positive

I started working with this solution because I changed my organization. That was the major reason. 

Being able to get the information simply from a single portal and the integration with other portals have been some of the benefits. Previously, we used to get data manually, and then we used a SIEM or event collector to send that data to other portals. Now, we can integrate with other Microsoft portals, such as Intune, and get the same information there as well. That's one convenience I have found.

I am not involved with tenant deployment. I am involved with the onboarding of the devices. If you have the right knowledge, it is completely fine. They do have an admin console. You can deploy multiple tenants and also control through that console, but I don't have access to that. I only have access to my own tenant. I only have control over that. We can also include a tenant for a specific organization from the admin console. That admin console is deployed on Azure.

Most of the maintenance is automatic. Because we allow Windows updates, most of the Defender updates are also included in Windows updates. We don't have to specifically go and check. If we see any alert or we find any suspicious events or something on the console while we are investigating, then it might need manual checks. We do get some recommendations through the console itself for what we can do to improve the device security score. So, it requires some maintenance, but that's only when we detect something or we are investigating something. For maintenance, we have different teams in each section. We have around 15 to 20 people.

I don't have the metrics, but we started to see its benefits within a couple of weeks from the time of deployment.

Its licensing and pricing are handled by someone else. My role is limited to incidents or issues with the portal, but you get what you pay for. It is worth the cost.

We did compare it with VMware Carbon Black and McAfee. We did check Symantec as well, but Symantec didn't have EDR capabilities. So, we dropped it. The final call was Microsoft because we found the integrations and other things easy. It saves time for us because we don't need to go through another team or get a separate team involved just for data transfers.

I would definitely recommend this solution. Getting the product is easy. You simply get the license, but after getting the product, you need to go through the deployment and configuration of the product to match your environment. You can just try out the product and experiment in your own way and learn each and every feature. The documentation is completely public. 

I would rate it an eight out of ten because there are a few areas where it can be improved.

I'm a deployment engineer for Microsoft products, and we work with multiple SMEs. Customers adopting Microsoft products want the same features they had in their third-party solutions. We look at their requirements and the types of features they need. We determine the security mechanism that best addresses their vulnerabilities. We might suggest Defender for Identity,  Defender for Endpoint, 365 Defender, and Defender for Cloud Apps. In addition to those security solutions, we offer device management. We provide everything.

Defender improves our security operations. I've had chances to collaborate with our SOC team. Our customers face many random attacks they don't know how to prevent, and the SOC team handles them remotely. The security engineers can investigate the incident or use the information from the customer's environment to offer a recommendation. If the customer doesn't have the detection mechanism, we can recommend a product or find a solution for them. 

The solution can help customers save money because we can bundle it with all the other Microsoft solutions, like email and Defender for endpoint, identity, and cloud apps. Most of our customers use Windows 10 devices and Microsoft Active Directory, so everything is on the same page. Defender can save time by automating investigation and response. We don't need to spend much time because it'll automatically take action in many cases. 

The best feature is threat hunting. There are a lot of other features I like, such as the alert mechanism. The chain alert mechanism has a huge impact. It combines all the alerts into one incident and automatically correlates them with AI. 

Defender has integrated identity access management, and you can add DLP features through a separate solution called Microsoft Purview. Within the cloud, we can create access policies based on each user's risk. It's integrated with Azure AD and on-prem Active Directory, so all the user identities can be managed in a single portal.

We use the multi-tenant management capability, so we can cover customers that have multiple regions. We can easily investigate across tenants based on severity. For high-priority alerts, we start from scratch and ignore what's happening on the endpoints or emails. We isolate the device and ensure that nothing will be released from it. Next, we check this device and some more details.

There is no common area where we can manage all the policies for the EDR, third-party solutions, devices, servers, Windows, Mac, etc., but it's on the roadmap, and we were waiting for that feature. 

I have used 365 Defender for about four years.

365 Defender is stable. There is no downtime. Still, Microsoft is constantly rolling out features, so there are sometimes bugs after new releases. Our customer experience team is collaborating with Microsoft and sharing feedback with them. 

365 Defender is scalable 

I rate Microsoft support nine out of 10. The support depends on the product and the customer's issues. 

Positive

I work with customers coming to Microsoft from other third-party products, so I try to understand what the product does and suggest a solution. The names are different, but all the technology is the same.

Deploying Microsoft Defender isn't complex if you have experience. The deployment depends on the number of users, apps, and the client's requirements. If the client wants to implement XDR, it takes about a month to achieve full functionality.  Endpoint protection takes around five to ten days. It's a cloud product, so it doesn't require any maintenance. 

Defender XDR is agentless, so you don't need to install an agent anywhere. It's a cost-effective option.

I rate Microsoft 365 Defender nine out of 10. We recommend it to our customers. 

It's the main tool that we use for the customer that we support. We don't use any other tools to monitor the environment.

It helps us prioritize threats.

In addition, Microsoft Sentinel enables you to ingest data from your entire ecosystem. One of the main reasons we use Sentinel is to receive logs from different sources and create analytical routines to generate alerts. Sentinel enables you to investigate threats and respond from one place and that is also very important because it becomes part of the monitoring team.

Microsoft 365 Defender has also helped eliminate looking at multiple dashboards, giving us one XDR dashboard. That means we don't have to spend too much time checking different pages. We just have one specific portal with all the information.

The solution has saved us time, although we haven't measured how much. It has reduced our time to detection and time to response by about 20 percent.

The most valuable features are the 

• integration among all the Microsoft tools
• details of the alerts.

We also use Microsoft Sentinel, Defender for Cloud, Defender for Identity, and Microsoft Defender for Cloud Apps. They are all integrated and it was very easy to integrate them. In my experience the with the integrations, it was just a click of a button and things were integrated. It's just a button.

They work natively together to deliver coordinated detection and response across the environment. We get more details when we integrate more tools, so it's relevant to have integration enabled. When it comes to monitoring an environment, this is very important, because you get different perspectives and points of view on the same alert.

I have a positive impression of the visibility into threats that the solution provides. It brings a lot of information and details related to the alerts or any security threat.

There are other SIEM solutions that are easier to use, mainly based on the creation of rules, use cases, and groups.

There could also be an improvement on the customization part. Sometimes we need to customize a few configurations but we can't.

I have been using Microsoft 365 Defender for a year and a half.

We have never had any problem with downtime.

The scalability is good.

Sometimes, they still take too much time to reply. But when they do reply, it's positive support.

Neutral

I was not involved in the initial setup, but there is no maintenance involved now.

My advice would be to have someone from Microsoft involved in the deployment part to help. There are a lot of details that they have information about, and it's impossible to know everything.

We use Microsoft Defender XDR to secure data. 

Microsoft Defender XDR has reduced our security staff. 

The product integrates security into one tool instead of having third-party security tools. 

The solution does not offer a unified response and standard data. 

I have been using the product for three years. 

Microsoft Defender XDR is stable. 

The solution is scalable. 

It takes weeks for the support to respond. They are not helpful. 

Negative

Microsoft Defender XDR's deployment was very easy. 

We have seen ROI with the tool's use. 

Microsoft Defender XDR's licensing is complicated. 

Microsoft Defender XDR has helped us reduce two full-time employees. 

The solution is our identity source, which protects our identities through Microsoft Intra ID.

The solution helped us save time by not flipping between the systems.  

I rate it an eight out of ten. 

We use Microsoft Defender XDR for our Microsoft 365 email service.

It helps protect us against ransomware. We were a victim of a malware attack in 2018 before implementation.

Email protection is the most valuable feature of Microsoft Defender XDR.

The price has room for improvement. The price should be adjustable by region.

I have been using Microsoft Defender XDR for almost 5 years.

Microsoft Defender XDR is stable.

Microsoft Defender XDR is scalable.

The technical support is good.

Positive

Microsoft Defender XDR is priced high.

I would rate Microsoft Defender XDR 8 out of 10.

No maintenance is required from our end because it updates with the OS.

I primarily use the solution as an engineer. I use the product to protect the endpoint and I use it to protect my customer's environment. 

The web protection on offer is very good. For a company that doesn't have a firewall, it's quite useful.

It gives feedback and helps protect internet access. It provides you with analysis on the state of the environment and you have a direct link to Microsoft which is doing its own research on security. You're constantly getting feedback from Microsoft resources so that you can be up to date in your own environment and you'll have a better understanding of the security landscape. 

The solution is great for companies on a budget.

Defender provides helpful visibility into threats. It covers a lot and comes with a next-gen antivirus. With that, you can register to the cloud, and, if you have cloud protection, your environment is protected even more. 

It helps us prioritize the threats across our enterprise. It covers all of our devices. You can cover your entire operation with the license you purchase.

Microsoft 365 Defender is easy to integrate with other products. You just have to configure some things in order to integrate everything and you are SDR compliant. We currently have it integrated natively, so we don't have to worry about configurations.

The comprehensiveness of Microsoft's threat detection is good. Microsoft provides a lot of security. It gives you visibility and IT has a lot of control over everything. You can see your environment, including clouds. You can block things within your environment as needed. The applications are easy to manage. It also has app governance to be able to gain visibility into permissions.

The product has helped automate routine tasks and the finding of high-value alerts. It has an automatic investigation feature that you can enable. It's great for automation. Thanks to automation, it has helped reduce the time it takes to analyze security events and alerts. You don't have to wait to take action. If there is a threat, you can neutralize it faster and it will record everything for audit records. While I know it has saved us time, I can't quantify that into a specific amount of hours.

We no longer need to look at multiple dashboards. Now, everything is centralized under one dashboard. 

The product's threat intelligence helps us prepare for potential threats and take proactive steps. Since we've been using it, we've had no security incidents.

The only issue I've had is, when it comes to deployment, the steps I must take around policy setup. That is challenging. We're working on the onboarding and configuration policies. We're collecting feedback from customers and partners in hopes of refining the future design for deployment.

I've used the solution for about two years.

The feedback I have received from customers is that the stability is very good. 

The product scales well.

If you have a license through a partner, it's the partner that will support you.

The only issue with Microsoft is the response times. They are very competent, however, sometimes you will send an email and get no response. 

Neutral

I previously used Sophos. I then switched to Microsoft Defender. The Sophos deployment is quite easy in comparison. You can do everything from a single portal. They had already achieved effective centralization. 

Right now, there are two different ways to onboard. You might have to have a different partner to configure policies. However, right now, you can also create policies from the activity center, so you don't have to do it from the device itself.

How long a deployment takes depends on your scope and the number of devices you are covering. 

If you do not get a license for the portal, you'll have to use the manual to deploy. If you have an older server you may encounter some issues. However, if you upgrade the server at the same time, you'll have fewer problems.

We do use more than one Microsoft security product. We've integrated with other products. 

I do not make use of the directional sync capabilities at this time. I'm also not using Microsoft Sentinel.

I'd rate the solution eight out of ten. If the deployment of the agent was better, I'd move my grade closer to ten. It should be more automatic. You also shouldn't have to install the logs. 

We make use of Microsoft Defender for Office 365 for endpoint security and email and we use Defender umbrella for impersonation and sales. Under Defender umbrella, we use a lot of products depending on the customer requirements. As a company, we use Defender for email as well as for endpoint security.

We are able to consolidate licences and make use of many Microsoft products using this solution. If we have any Microsoft customers, we encourage them to use this solution for enterprise defence. 

This solution could be improved if it included features such as those offered by Malwarebytes. 

We have used this solution for many years and we are a Microsoft partner. We use this solution on a daily basis.

This is a stable solution. 

This is a scalable solution.

We have not yet needed to contact Microsoft for support with Defender. 

We have previously used a number of different solutions including Trend Micro, Symantec, Sophos Intercept X and Malwarebytes. Overall, we are more comfortable using Defender.

The initial setup was straightforward. 

I would rate this solution a nine out of ten. 

We are using it for incidents and alerts. It is helpful for threat hunting.

We have tied it to Azure AD or Microsoft Entra, and we are trying to implement it for Linux.

It saves the investigation time. There is a lot of information about the threats and other things.

Advanced hunting is good. I like that. We can drill down to lots of details.

It is user-friendly. It has a lot of parts. For me, it was pretty quick to get a sense of it.

It protects from phishing emails, but sometimes, some of the emails are not detected. They are getting delivered into the inbox, not in a junk folder or spam folder. Users are reporting them as phishing emails.

At times, when we have an incident email and we click on the link for that incident, it opens a pop-up, but there is nothing. It has happened a couple of times. 

In terms of additional features, it is too early for me. I am still learning all the parts. I am just scratching the surface of the tool. One year is not enough to get every detail of it.

I have been using Microsoft Defender XDR for about a year.

It is stable, but sometimes, we experience an issue. Clicking the link in an incident email opens a small window, but we cannot find anything there. This has happened a couple of times. There is a bug.

Other than that, we have not experienced any downtime or any big issues. It is pretty stable.

We have plans to maximize its usage. We are trying to see how to get the most out of it, but my older colleagues would know more about it. I am still learning it.

I have not contacted them.

I am not sure. I am relatively new. I have only been working here for a year. They already had it in place.

I have not worked on a similar tool before. This is my first XDR tool.

It is on the cloud. I am not aware of its deployment because it was already deployed before I joined.

I cannot recommend it because this is the only tool for XDR that I have used. I have not used any other tool, but it is a good tool.

I would rate Microsoft Defender XDR a nine out of ten.