Microsoft Defender XDR Reviews

In our organization, we are mainly using it for email security and SharePoint security.

It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints.

It helps us to prioritize threats across our enterprise, which is very important. It has sorted many things.

We use Defender for Endpoint, and we also use Sentinel. In my organization, they are all integrated. Sentinel pulls the data from M365 Defender via connectors. The integration is very easy. There are no problems. These solutions work natively together to deliver coordinated detection and response across our environment, which is good. We rely a lot on Microsoft products. Together Defender for Endpoint and Sentinel give me a clear picture to defend against threats and investigate the threats.

Sentinel enables us to ingest data from our entire ecosystem. It's always good to get a centralized, holistic view of our security operations. We are using centralized Sentinel dashboards mainly to get all the threats and information in one place. It's good.

Microsoft security products provide comprehensive and deep threat protection. I'm pretty satisfied with that.

It has saved us time. It has saved more than 50% of our time. 

It has decreased our time to detect and time to respond. It has been helpful, and the time to detect is really fast. We don't have to do anything. We just have to rely on it. In terms of the time to respond, if something is under the radar or intelligence of Defender, the tool itself responds and gives us what happened. When it comes to something that is not on Defender's radar, Sentinel is generally where we go. So, it saved more than 50% time in terms of detection and response.

Email security and endpoint security are valuable.

It provides good visibility of Microsoft products but not for third-party products. It's a good product if we have Microsoft product lines to protect or defend, but it lags when it comes to a mixed environment or non-Microsoft products. The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category.

On the Defender side, for custom detection queries, KQL and the dashboard are not that great, but we are not doing automation directly from the Defender side. We leave Defender intelligence as it is, and we collect everything from Defender to Sentinel and handle the response from the Sentinel side. So, all our automation is happening through Sentinel only. We don't have any extra customization on top of Defender.

The maturity of the portal or dashboard is missing. The dashboard is something that Microsoft is changing every month, and we are seriously not liking it. As a management person, I am not bothered about it, but my team is suffering because there are many versions. You are working on a version and then a new version comes and then the preview toggle button comes. Now, they are combining all the parts into a single console. It confuses technical teams a lot. I'm not happy with their approach or experiments when it comes to the Defender portal. They shouldn't change it again and again.

The SOAR side of Sentinel is zero. If any subscriber subscribes to Azure Sentinel, SOAR is zero. Microsoft says that Sentinel is a SOAR solution, but I don't agree because they are only exposing the existing Azure automation engine towards Sentinel. My automation ask is that when there are already so many detection rules and connectors, why is the SOAR capability not in-built? Why can't they make the Azure functions behind it available in a template form and let us modify and use them? It will save my team's time in preparing the automation of the response. If my team has to create the logic, they have to invest a lot of time.

Their support needs to be improved. I'm not happy with their support.

I have been using this solution for more than a year.

For stability, the product must be mature enough. It should not keep on changing every month.

It's scalable. Target points are in my capacity, and I can scale it without any problems. There is no limit to the agents for Defender, but on the server side, Microsoft would have the answer. 

Location-wise, we are spread in five locations within one country, and department-wise, we have around 11 departments.

Their support is bad. They weren't at all able to solve my problems. They buy the time but never get back. I have to follow up with them again and again. They just take the logs and sleep on them. I'm not happy with their support. I would rate them one out of ten.

Negative

We were using another solution. Our organization at the time was too much dependent on the on-premises infrastructure. We were using Symantec, but it was a very quick shift within one quarter or two toward the cloud products and services. We are now heavily reliant on Microsoft Cloud products. We have the Azure environment and a lot of cloud applications, and we have shifted to M365 and Sentinel.

We have a hybrid deployment. Within the cloud, it's straightforward, and when it comes to the target points, it's doable. 

Our biggest challenge was removing the old Symantec signatures from the registries, devices, and servers. That was what we mainly struggled with a lot. Otherwise, deployment was going very smoothly. We had around 46 virtual machines or servers. The problem was that the MDATP agent was not ready to protect them. We struggled a lot there. We went to Microsoft, and Microsoft said to go back to Symantec, and when we went to Symantec, they asked us to go back to Microsoft. That took a long time for us. Everything else was smooth. When the target point is Windows, it's very smooth.

It took around 20 to 25 working days. In terms of the staff, other than the infrastructure team, there were five people including me.

In terms of maintenance, we have to just work on the detection rules and nothing else. There is no other maintenance. It's a complete cloud solution.

It's quite hard to measure the money saved from using this solution because we have not got any attacks that have resulted in any kind of ransom or monetary loss. It's defending us, and as of now, as per my report, there are no financial losses due to any attacks.

Microsoft's pricing differs geographically. We are based in India, and we have India-based licenses. Money-wise, it varies from product to product or OEM to OEM. We pay less for some, and we pay more for some. 

Microsoft has a lot of CSPs, indirect partners, and direct partners to deal with customers. There is so much difference in the price, which is something we are a little confused about. For Defender, they have Endpoint Plan 1 and Endpoint Plan 2, but I don't know on what basis they have classified Endpoint Plan 1 and Plan 2, but it has given me enough pain to pick and design Endpoint Plan 1 or Endpoint Plan 2 for my organization. In fact, we are still struggling with it. Too many SKUs are confusing. There should not be too many SKUs, and they shouldn't charge for every new feature.

We evaluated Okta products and QRadar.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single vendor security suite is always better. It's simple. It saves the time to detect and respond and administer.

This product is best if you have mostly Microsoft solutions in your ecosystem. If more than 20% of your solutions are third-party solutions, you can also look at and compare other products.

Sentinel enables us to investigate threats from one place, but when it comes to response, we have to put a lot of effort into it because Microsoft is not giving anything ready-made on the SOAR side. We have to put a lot of effort into orchestration and automation. The SIEM of it in terms of the collection of security events and information is wonderful, but when it comes to the SOAR capabilities, there is nothing in-built. They are just the analytical rules for the detection purpose, not for the response. The response is something we have to sit and design. So, the defending capabilities of Defender are good. It has some intelligence, but on the response side, Sentinel is blank. We have to start from scratch. It's a circle, and we have to keep on evolving. When comparing the cost, I am not that exposed to other products' costs, but as per my understanding, the cost of Sentinel is a little bit on the higher side because Microsoft generally charges on a log ingestion basis. It also depends on the amount of log data we are ingesting in Sentinel.

Its threat intelligence hasn't helped to prepare us for potential threats before they hit and to take proactive steps because it depends on the type of attack, the type of payload exploits, and other things. However, as per my previous report, in the last six months especially, there have been quite impressive preventive features, especially related to the process memory injection attacks or attacks coming from emails and links. It's very good for those.

Overall, I would rate this solution a seven out of ten.

We use it for endpoint protection, monitoring network traffic, and enabling automation of issues, we utilize Microsoft Defender XDR. If we are specifically referring to Defender for Endpoint, it is a perfect solution to monitor user behavior and activities across all of our web portals. This provides an easy way to analyze and generate reports about user online activities.

Microsoft Defender XDR's security extends beyond Microsoft technologies and that is crucial for us.

Defender 365 stops the lateral movement of advanced attacks. An attack disruption would cause a lack of availability of our systems and corruption of data if there is a breach.

Microsoft Defender's ability to stop attacks includes an ability to adapt to evolving threats which is extremely important.

Microsoft Defender has enabled us to discontinue the use of a few different products. We consolidated our antivirus, web filtering, and EDR, and we had an endpoint monitoring tool that we now use Defender for.

Reducing the number of solutions we use has significantly impacted how our security team operates. This is because everything is now managed under one control and one tenant. This unified approach facilitates a natural integration with the various Microsoft products we rely on for collaboration, data storage, email communication, and other critical resources essential to our company's operations.

The discontinuation of many of our security products has reduced manual correlation.

Microsoft Defender has saved our security teams 20 percent of their time by providing a single console to manage everything. 

It helps prioritize threats across our company. It is a product that I use every day. I go into the portal all the time. It is very crucial to my security strategy.

We use additional Microsoft solutions. Most of them are available with E3 or E5 packages, including governance and DLP tools. We have integrated most of the ones we are using. Doing so was not that easy but not that complicated. It requires a lot of knowledge. They work natively together for coordinated detection and response, which is a critical component of my endpoint strategy for security and control. Without that, I would have a huge gap and I would have to find a different product.

One of the aspects I use it most for is as a basic antivirus installed on endpoints.

One of the biggest downsides of Microsoft products, in general, is that the menus are often difficult to find, as they tend to move from place to place between versions. It's unclear who makes these decisions, but simplicity would be a highly welcome change. A great way to achieve this simplicity would be to have built-in wizards within the products to help users accomplish tasks. This would eliminate the need to guess where to find the necessary options to enable or disable features.

The features I would like to see added to Defender are improved web filtering capabilities and a WAF service. However, I may be mistaken, and Microsoft may already offer a similar solution. I understand that our finance department rejected most of the Defender for Azure services due to their cost, but I lack the information to judge their expense myself. I believe that, as with the Azure environment itself, which was initially considered expensive but became increasingly popular over time, the Defender for Azure solution will also gain traction if its price becomes slightly more competitive.

When it comes to visibility into threats, 365 Defender is slightly complicated, and much more complicated than competitors like CloudStrike. That's just the "Microsoft way" where everything is usually slightly more complicated. The interface is not clear.

Also, it is not clear when the system is offering a recommendation or just a way to validate something. It is not clear what will be automatically done and what you will have to do yourself.

I have been using Microsoft Defender XDR for almost five years.

Microsoft Defender XDR is stable.

Scaling it is not easy and not complex. It's in between. With Microsoft, sometimes it feels like they hide the menus and you need to search for them with a magnifying glass.

The quality of technical support I receive varies depending on the country from which it originates. Sometimes, I feel I possess greater technical knowledge than the support representative and find it more productive to research solutions online, such as through Google. Conversely, I find that teams based in Europe or the United States typically provide more professional and informative responses.

Neutral

Previously, we used ESET, Cisco Umbrella, and JumpCloud for endpoint security, along with Cisco web filtering. I found Defender convenient due to its integration within our existing Office 365 environment. Since Office 365 is built on the Azure platform and integrates seamlessly with other Microsoft services like email, SharePoint, and others, it was more natural to use everything under the Office 365 umbrella rather than navigate to third-party solutions.

Implementing Microsoft solutions has proven more complex than initially anticipated. Due to ongoing changes, the project remains in progress. Migrating from our previous third-party solutions and establishing full functionality required several weeks, potentially extending to three months.

We hired One Pass, an American consulting firm, for our project. However, I am dissatisfied with the work they delivered. One Pass is a large company with too many people communicating with us simultaneously. We had difficulty speaking to the appropriate person because individuals either transferred us to other employees or were unavailable due to vacation.

My advice is to read up on best practices so that you know what the best way to deploy it is. Otherwise, it will be a mess.

It is very effective as long as you don't need real-time information. For me, that's okay. When there is a need for real data, on the spot, which is not available from Defender, it is available CrowdStrike. But for the way I run my business, it is okay.

In terms of a best-of-breed strategy rather than a single vendor’s security suite, I would go with a single suite.

I would rate Microsoft Defender XDR an eight out of ten.

Microsoft Defender XDR is deployed across our organization, encompassing multiple locations, departments, and continents. With approximately 200 international users, we rely on a team of four in-house administrators for security management. Additionally, we utilize the services of external companies for first-line support, who also handle specific tasks within our Microsoft 365 environment.

At FileVine, we provide case management software for attorneys, so we have considerable SOC 2 compliance requirements. We need more than a firewall; we also need a solution that helps us upkeep and manage devices, laptops, etc. 365 Defender fulfills these requirements, and SOC 2 compliance is our primary use case.

We're a hybrid company using both Macs and Dells, deployed across multiple regions.

The solution helps us improve compliance regarding end users installing updates. It clarifies which users need to update and how they can go into Terminal or PowerShell to perform that process. We don't have to waste time looking for what needs to be done, which is a useful functionality. The product automatically informs us of high and low priorities, which is great; it allows us to deal with the most significant priorities first.

365 Defender helps us automate routine tasks, and we get updated daily. We can integrate Splunk to see what's going on and what needs to be updated. Automation significantly impacts our security operations; it feels like we have a vault around us that nobody can breach.  

The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update.

The visibility into threats provided by the solution is excellent. When a threat triggers a response based on our set rules, it's stopped, and we are notified via email. We can then analyze the threat and make a decision; this entire process is straightforward and user-friendly. 

The product helps us prioritize threats across the enterprise, especially in the legal domain. It is very valuable, and one of the reasons we have been so successful at Filevine is the security measures we have in place. We use many tools, one of them being Microsoft 365 Defender, which significantly contributes to our IT team and company's success.   

Our integration of multiple solutions helps to deliver a coordinated detection and response in our environment. We integrate with Zscalar, which is very easy and manageable. We thought it might be difficult, but it works very well. Much like a car, our security system is composed of many moving parts working together, which helps us move forwards as a company and thrive in a relatively challenging economic time. 

The comprehensiveness of the threat protection provided by using multiple Microsoft security products is excellent. It's a simple system; we have incoming and outgoing traffic rules. When a rule is triggered, we are notified by email to look over the situation. For example, we can see viruses and malicious actors attempting to breach our security and respond by blacklisting the IP address. Sometimes, we gather information and pass it on to the FBI, as we have many SOC 2 clients.

365 Defender helped eliminate multiple dashboards, which is great because I like to be as minimalistic as possible regarding dashboards. Now, I only have to look at one or two at most, simplifying the security landscape, and I love that about the tool.  

The solution's threat intelligence helps us prepare for potential threats before they hit; most recently, we were protected from the August 2022 Apple hack. We had measures in place, so none of our devices were affected. We were spared any data compromise, and it's an excellent example of why we invest in security solutions. It builds our confidence and strengthens our case with the higher-ups for increasing and maintaining our cybersecurity budget. 

The product certainly saves us time. We trust in the protection and can focus on different projects, including automation, so we don't have to spend time dealing with issues and security breaches. I'd say we save four or five hours a week.  

365 Defender saves us a lot of money because we don't have to recover data or hire outside lawyers to help us with legal trouble. We don't need to invest in physical products or external security teams and solutions. We can keep our security operation within the company, so all our money is invested in people who care about our product and business.  

The solution quickly notifies us when a threat is detected, increasing our response speed. Other products I used in the past sometimes had significant delays with notifications, which is far from ideal when dealing with potential security threats. 

Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed.

I have been using the solution for a few years. 

The solution is very stable with low latency. 

The product is highly scalable, which is fantastic because we have been expanding significantly. It's up and running and good to go very quickly, which has been excellent for our expansion in Florida, New York, Maine, and Canada.

I have yet to contact support. One thing that helps in this regard is that I have an AZ-900 handbook with Microsoft fundamentals. 

365 Defender was already in place when I was brought into the company, but they previously used Jamf Protect. They switched because it cost too much and wasn't fulfilling the requirements. It didn't perform as well as 365.

I can't speak to the setup as the solution was in place when I arrived at the company. However, 365 Defender is one of the most lightweight tools we use in terms of maintenance. We keep it up to date, and it works very well.

I would say the solution gives us a significant ROI, especially considering the issues in the industry recently. Russia and China hacked many companies, but we never had that problem, and that's a lot of money saved for us. That's not entirely because of 365 Defender, but also thanks to our excellent security team and the robust toolset at our disposal to protect our operation.

The solution is affordable, and we haven't been hit with any hidden costs. The subscription model is straightforward, and it's easy to understand how much additional features cost. If we need to cancel a license or feature, we do that well in advance to avoid being charged for it, but overall, the pricing and licensing are simple and easy.

I would rate the solution an eight out of ten. 

We use multiple Microsoft security products, including Defender for Endpoint, MFA as a standard on all work laptops and computers, and Endpoint Manager. We use additional tools to protect the Mac side of our operation. We use Microsoft Intune, some other MDMs, and some other assets from Defender for Cloud, and for cloud security, we use GCP, Azure, and AWS. 

Many of these products are integrated, and the integration was relatively straightforward. It was somewhat time-consuming as we previously used Jamf Protect for a long time, so switching our entire infrastructure over to the new products took some time.   

I've mainly used the EDR component within 365 Defender, which is Microsoft Defender for Endpoint. It does a good job of bringing the whole attack story together, so you can see email activity, endpoint activity, cloud app activity, and some sort of sign-in activity as well relating to Azure AD, but I've mainly dealt with it from the EDR aspect.

It definitely improved visibility when I dealt with this solution, but the main benefit is the advanced hunting because it allows you to uncover threats that you didn't realize were there, or they weren't alerted because you were looking for specific behavior. The custom detection and linking to that is something quite cool because if you know there's a behavior, you want to keep an eye out for it. For example, it might be linked to a recent threat, so you can set up that detection query, and as soon as it finds a result, it will flag an alert. That has definitely helped to be more proactive and a bit more ahead of the curve with attacks. So, it improves visibility and also helps with being proactive.

It helps to prioritize threats across the enterprise. It does assign severity to a threat, but it also gives you an overview at a glance. If you know that your organization is susceptible to certain major threats, those are the ones you probably want to pick up on. With the severity and alerts, it gives you an idea of which is the most pressing incident. If you've got one with just one alert, that's a medium, but if you've got one with five highs. You're probably going to focus on the high one. That helps to prioritize.

It helps automate routine tasks and the finding of high-value alerts to a degree. You can have certain actions where if an event starts on the endpoint, it automatically isolates that. If it occurs, for example, on the email, then you can automatically purge it. It helps with the routine tasks that people would have to manually do in the portal. With automation, it takes care of it automatically if an alert fires. It improves efficiency because, after hours, there might be no one there available to isolate a machine. This way, as soon as the alert fires, that machine is isolated, and the next morning or the next working day, an analyst can go in and see that this alert fired and the endpoint has been isolated. That definitely helps from a coverage perspective when people are unavailable because those actions occur without anyone being present.

It has absolutely helped eliminate having to look at multiple dashboards and have one XDR dashboard. I've got three years of experience. At the start, we had all the individual portals for cloud app security, endpoints, Office, etc. The whole point of 365 is to unify, and they've done a good job. The different components are broken out into sections on the left-hand side, and you can very easily click through them and navigate them. It eliminates the need for multiple tabs and dashboards. It has definitely helped with what they were aiming for, which is to have a single pane of glass view.

It has saved us time by not having multiple dashboards. We don't need to open multiple portals and sign in to them. It definitely saves time there and also in understanding the true story of an attack. It has definitely helped in terms of efficiency. It's hard to quantify the time savings because I'm not using it now, but from what I remember, it saved at least 20% to 25% time just because it does a good job of giving you the information. You can glance at the key information that you need, and then it gives some details, and then you go to other places externally to investigate further.

The threat analytics give you a report on what Microsoft has seen in the world. What I like about those is that they will show you if that's actively impacting your environment at the moment or likely to. For example, if there are vulnerabilities that are being exposed, it tells you whether you're vulnerable or not, so you can protect against them before they are here. One thing I do like is that they also give you advanced hunting queries, so you can look for the behavior associated with those threats and make sure that you've got your coverage in place. I wouldn't necessarily call it threat intelligence. It's more of threat analytics and reporting that they provide.

I'm not aware of whether it saved any money in any of my previous roles, but a lot of organizations have the E5 security license, and they don't realize it. They have third-party vendors doing their email security, endpoint security, and so on, but holistically, Microsoft's E5 license gives you all of those capabilities, and it would also be cheaper than paying multiple vendors.

It decreases your time to detect and time to respond. It does a good job. It has the auto investigation ability so it can automatically detect threats. When you build custom detections, you can have automated response actions. Those two together help you with the mean time to remediate and the mean time to resolve. The information at a glance easily lets you see if it's a false positive or something that you know in your environment, and it's gonna be non-malicious. You can glance over and dismiss those alerts, and you could potentially be setting up suppression so that you don't get notified about them in the future. All in all, it helps you to improve your remediation. The time reduction depends on the scenario. Sometimes, you can instantly see false positives that would decrease your time by 85%. On the whole, there is about 35% to 40% time savings because of the way it correlates with the signals and gives you quick ways to remediate them.

For me, the advanced hunting capabilities have been really great. It allowed querying the dataset with their own language, which is KQL or Kusto Query Language. That has allowed me to get much more insight into the events that have occurred. The whole power of 365 Defender is that you can get the whole story. It allows you to query an email-based activity and then correlate it with an endpoint-based activity. The advanced hunting capabilities have definitely been one of my favorite features.

The way the incidents are put together is also good. It can intelligently correlate activities from email to endpoint, and then you can visually see it in the timeline view or graph view. It does a good job of presenting that incident to you, and it's easy to navigate between it and then pivot to some actions as well.

For some scenarios, it provides good visibility into threats, and for some scenarios, it doesn't. For example, sometimes the URLs within the emails have destinations, and you do get a screenshot and all further details, but it's not always the case. It would be good if they did a better job of enabling that for all the emails that they identified as malicious. When you get an email threat, you can go into the email and see more details, but the URL destination feature doesn't always show you a screenshot of the URL in that email. It also doesn't always give you the characteristics relating to that URL. It would be quite good if the information is complete where it says that we identified this URL, and this is what it looks like. There should be some threat intel about it. It should give you more details.

One other limitation is with cloud-based events. Sometimes, you don't get enough details in the alert. You have to go to other portals to then complete the story or do your own research, ask the user, etc. 

The other one is that with Defender for Endpoint, the attack story is quite good in terms of queries and things like that, but sometimes, multiple events for the same thing are captured, and it's not summarized in a good way. You have to open each entry to see what that partial syntax is. It'll be good if it said that this specific partial syntax was seen fifteen times, and maybe it's something to pay attention to. They could also do some sort of pattern matching. There could be some sort of pattern matching where it says that this is the attack trying to do some enumeration or reconnaissance activities. 

I've been using it for over three years.

There are some times when it does have downtime or service outages. They do a good job of updating the service status page to let you know about that, but there have also been misclassifications, for example, for Chrome updates, generating malicious alerts and things like that. On the whole, it's quite stable.

There are sometimes when it can freeze up or not present the data that you want. It gives you data unavailable or other errors, but, usually, these are quite quickly resolved. Sometimes, it's just to do with a particular instance, but sometimes, there can be wider outages. You just have to pay attention to the service status page or raise a support case and then be notified when that's resolved. On the whole, it's fairly stable.

Because it's built on the cloud and for the cloud, it does scale quite well. However, one area where it can be a challenge is when you use the Kusto Query Language for event hunting. Sometimes, if you do quite a generic search across, for example, thirty days of data, it gives you processing errors and limitations. I guess Microsoft does that for two reasons. One, to keep the cost down on their side, and two, from a performance standpoint. That is a bit of a limitation of scaling because if you want to do generic sessions across thirty days, you're not able to, but the idea is that you should be able to filter and granularly restrict conditions to get exactly the events you want. However, it would be nice if you were able to search more widely and if the solution could scale to support that, whereas, currently, it doesn't seem to, but that's not the use case they might have had in mind.

It depends. With some clients, we've had the fast-track option, whereas, with some clients, we just had to raise support cases. Usually, when you raise support cases, you're not going through an SME, so there is a bit of basic troubleshooting and things like that. With the fast-track option, you directly get through to someone who understands security, and you can explain the issue. They understand the issue, and you can get a much quicker response. So, the fast-track option is the one where I've had better success. The normal support can sometimes be a bit drawn. There could be a lot of back and forth about not relevant things just because they're not security trained, so they're trying to understand and then help you. 

It has been a mixed experience. Overall, I would rate them a seven out of ten because there have been some gaps, and there have been some successes, especially through the fast-track program.

Neutral

We didn't have anything that was overarching and correlated all the different signals. We had different products. We had a different product for email security or a different product for the endpoint. I might be wrong here, but I don't think there's another tool that brings those aspects together as well as 365 Defender does.

From what I went through in various roles, it was mostly in the cloud. Defender for Endpoint is a cloud-based solution. In fact, most Defender solutions are now based on the cloud. The only exception is if you've got Defender for Identity. For one of our engagements, I did deal with that, so it was a mixture. Apart from Defender for Identity, all the other solutions have been on the cloud.

In one of my roles prior to my current one, I was doing onboarding for a client with Defender for Endpoint. I was getting them onto it and migrating from McAfee. I was involved in the setup, coordinating the groups and the roles, and things like that. In all the other roles, the tool was already in place. It was just about maturing it and getting hands-on.

The setup was quite complex. Microsoft Docs guide you, but there were a few gaps that I had to fill in. One example is onboarding with group policy. Microsoft does lay all the steps on the docs page, but it doesn't give you screenshots. It doesn't give you things to look out for. It doesn't give you logs that would correlate to those events and things like that. I had to put things together using external sources, such as YouTube or just Google search. On the whole, it was very okay to follow, but it just didn't have that depth. What I produced for that client was a step-by-step coding guide with screenshots that they could give to the infrastructure team to get them on board. We had a good success rate that way, whereas if I had just sent them the Microsoft Docs link, I'm sure they would have had a few more questions.

That was the only use case I had experienced initial-setup-wise. The onboarding for group policy took maybe a month or two just because we had quite a big setup. We had different groups to roll it out to. We rolled it out to pilot devices, then 10 or 20 devices, then 100, and so on. It took about a month or two.

In terms of maintenance, from the service side, you rely on Microsoft to make sure it's available, secure, and things like that. Sometimes, you get downtime, and sometimes, you get bugs. For example, last year, a Chrome update was misclassified as malicious, which caused all the alerts. You then have to raise support cases to find out what happened. Eventually, Microsoft releases a fix, so in terms of maintenance, it's more on them. The only thing from your side is making sure, for example, the roles are still relevant. If someone who has access leaves, you need to make sure that their role is revoked. You need to make sure that you've got your role set up for the least privilege and things like that on an ongoing basis because there may be certain new features in the portal that have a corresponding role assignment. If you don't have that enabled or configured, then you're not going to get that benefit. That's the only thing needed from the maintenance perspective. You just need to make sure your roles are regularly reviewed and optimized when needed.

All I can say again is the E5 gives you all the capabilities that it offers. It also gives Office 365 and one terabyte of storage. All in all, the E5 license model makes sense. There are some people who say it's quite costly, but rather than paying different vendors, it makes sense to go all in with Microsoft if you've got that licensing. From that perspective, it's cost-effective, but I can't comment much on that.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that I'm slightly biased because I'm such a fan of the Microsoft suite. Some people do say that you shouldn't put eggs into one basket, and you're giving a lot of control to Microsoft and things like that. I would advise evaluating based on your needs. For example, for your endpoints, you might see much better value in CrowdStrike, Tanium, or something like that as compared to Defender for Endpoint.

You can do PoCs. Microsoft makes it quite easy. You can have the trials and things like that. You can play around and see which one supports your environment. I wouldn't say Microsoft is necessarily the option for all organizations, but I do think it's a very compelling offer. They're constantly evolving the product. They pay a lot of attention to consumer feedback. They've enterprise feedback as well to improve the product. I wouldn't completely rule out either option. If you've got one that's tried and tested for your enterprise, and that's a third party, you can see what Microsoft can offer. If it just doesn't match up, then stick to what you have even if it costs more because all in all, you may have tried and tested processes. You may have an investment in that product, and it may just have capabilities that the Microsoft one doesn't have. I would also encourage you to add a feature request for the Microsoft one, and then they'll be more on the equal side.

I would advise doing a PoC. If you are using Carbon Black, CrowdStrike, or Titanium, evaluate it. Have a sample host or spin up some VMs or onboard them to Defender. Do some simulations and do some attacks that you think are likely going to be. See how the logs look, see the investigation processes, and do a gap analysis with your current solution. If it brings you any value, then potentially look to deploy it further. Don't just go all in without understanding what it does. If you don't have any security solution right now, and you are a small business or a local business, it's worth doing the trial and seeing what value you get from the trial because, in that situation, you don't have anything to compare to. You are an easy customer to onboard from Microsoft's perspective because you wouldn't be that complex. So, do a trial and then go from there.

I would rate it an eight out of ten overall. I do really like the product. I do like the fact that it combines all the alerts into one. I remember when I was a security analyst back in 2019, I had to open multiple tabs and close alerts in one portal and then the other portal. They've done a good job of bi-directional syncing of alerts. If you're closing in 365 Defender, it'll close in the MCAS portal or cloud apps. Overall, the biggest thing for me was just advanced hunting capability because previously, it wasn't possible to get those cloud app events or Defender for Office events to do hunting. Endpoint was the first one to have that hunting capability, and I'm glad that they've extended that to the other stacks. So, overall, I would give it an eight, and I'm really impressed.

My company mostly uses Microsoft Office products, so we use 365 Defender for our security. 365 Defender is deployed globally, and it works the same whether you are in Europe, China, or India. It currently covers around 4,000 people worldwide. 

Defender reduced our attack surface with built-in rules for USB-based threats. Sometimes employees plug in a USB containing threats. Defender will immediately stop malicious executables from running. 

We have our own method for defining incident priorities. For example, most identity-related incidents are on the higher side. However, if we see a large number of low-level alerts affecting a single user in a short period, then those need to be checked. Automation can help in these cases. It's good to have, but I don't think Microsoft is currently very capable of machine learning. 

Defender has a security dashboard, but there is a different console for vulnerability management. We can create multiple reports where alerts are categorized and labeled, and Defender provides a single console where we can fetch all those reports. 

There isn't a foolproof method for preventing all cyber attacks, but best practices can reduce risks and limit the impact of threats. If you identify threats, you can build block lists and create regular employee training to tell people what to avoid. 

Preventing threats requires a strong firewall and antivirus solution. Defender is a good one. You can also implement threat prevention and detection technology in your remote environment. Nothing can completely prevent attacks from happening, but you can create policies using threat intelligence to ensure they are stopped. 

365 Defender helps us save time by simplifying threat response. For example, one of my customers uses USB to transfer data from one place to another. Some USB drives contain malicious programs, so I configured a rule to stop the executable. If a user copies documents from the USB with a harmful executable, Defender will lock it down. They can only copy the documents, but the executable will not run. 

It saves us lots of time. It reduces the time we spend on these tasks by about 50 to 60 percent. I switch it to audit mode and collect logs. After a month, I have received hundreds of alerts. With my rule in place to block USB executables, we no longer get alerts for that particular threat. Implementing that single rule reduced our alerts by around 30 percent. 

Defender reduces the detection time. We have a SOC team to review all those logs and alerts, and it helps them work quickly. There is little delay between detection and remediation. 

Microsoft Defender's most critical component is its CASB solution. It has many built-in policies that can improve your organization's cloud security posture. It's effective regardless of where your users are, which is critical because most users are working from home. It's cloud-based, so nothing is on-premise.

When dealing with remote users, you need the coverage of firewalls, antivirus, and all those essential security measures. There are multiple policies available that can help the organization secure its environment to prevent something malicious from entering. You need to flag users logging in from a different IP and guard against brute force attacks by detecting multiple failed login attempts.

There is also an option for identity. Most organizations aren't entirely on the Cloud. They still rely on on-prem data centers, so you need Defender for Identity. Another advantage of a cloud-based solution is that you don't need to constantly upgrade it monthly, quarterly, or weekly. All of your infrastructure is online. 

You need multiple solutions for outside threats. I can see if someone is logging in from a malicious IP before they can access the environment. You cannot completely block cybersecurity threats, but you can proactively resolve them and create a wall around your environment. 

365 Defender's attack surface reduction rules could be more customizable. Microsoft has its own pre-defined rules that can be adapted to every organization, but Defender should support the ability to create custom rules from scratch.

Defender also lacks automated detection and response. You need to resolve issues manually. You can manage multiple Microsoft security products from a single portal, and all your security recommendations are in one place. It's easy to understand and manage. However, I wouldn't say Defender is a single pane of glass. You still need to switch between all of the available Microsoft tools. You can see all the alerts in one panel, but you can't automate remediation. 

Automated remediation can be improved. I'm currently creating a remediation structure there and pushing it to my vendor, but the vendor should have their own way of resolving things. It only alerts you that something is happening. The security administrator needs to take action because Defender's automated capabilities aren't up to par. 

I have been using 365 Defender for more than a year. 

365 Defender is stable. I haven't seen an outage in the past year. We've had 100 availability. Occasionally, the servers go down for maintenance, and the sensors stop working. It doesn't happen frequently. 

365 Defender is highly scalable. 

Microsoft's support is excellent. Most issues resolve on their own, but when we need support, they typically resolve the issue quickly. 

Positive

At my previous company, we used other antivirus and identity solutions, but they weren't a complete package like 365 Defender. For example, CrowdStrike was our EDR solution, which had extended capabilities, or XDR. We had various solutions that collectively did the same thing as Defender. 

365 Defender is cloud-based, so the deployment is straightforward and only takes 10 to 15 minutes. You need to change a few configurations on your devices using Intune. One person is sufficient to do the job. It's a simple installer. 

After the deployment, you don't need to do any maintenance because it's on the cloud. The only thing deployed on-premise is the ATP sensor, which automatically upgrades. 

365 Defender is bundled with our Microsoft Enterprise license. Additional costs for support, etc. depend on the license level. If you have a premium account, you will receive priority support, but it costs more. 

I rate Microsoft 365 Defender a nine out of ten. I personally wouldn't recommend only using a single solution or vendor. If you don't try other products, then you won't be aware of what is happening in the market. There should be multiple products involved, so you can compare the solutions and go with the best one. 

We use Microsoft 365 Defender to protect our privacy.

Microsoft 365 Defender's XDR platform provides identity and access management which is important for our organization.

Microsoft 365 Defender's security extends beyond Microsoft technologies, which is important to our organization.

The multi-tenant management capabilities are easy and the support is 24/7.

It has helped save us approximately USD 1,000 per month.

Microsoft 365 Defender has helped save our security team time.

The most valuable feature is the network security.

Since all of our databases are updated and located in the cloud, I would like additional support for this.

I have been using Microsoft 365 Defender for almost four years.

Microsoft 365 Defender is stable. The only downtimes are scheduled by Microsoft and we are provided with advanced notification to prepare.

Microsoft 365 Defender is scalable.

Technical support is one of the reasons we chose Microsoft 365 Defender.

Positive

The initial deployment is easy. Microsoft 365 Defender is plug-and-play. The deployment takes a maximum of one day.

We also evaluated Kaspersky and Trellix XDR but found that Microsoft 365 Defender had additional features that met our needs and their support was better.

I would rate Microsoft 365 Defender nine out of ten.

We mainly use this solution for security reasons. We use it for the complete stack of email security so we don't have to use a third-party tool, and we use the extended security features that are included in M365, like sandboxing.

The solution is deployed on the Azure cloud. We're a cloud-only company, so we only deploy cloud workloads, but we also have customers with legacy systems. If we're not able to migrate them to Azure, Defender for the server can be deployed on-premise.

The solution is deployed across Germany in four regions: Munich, Cologne, Bremen, and Hamburg. However, most people work from home.

There are about 50 endpoint users, but we have customers with thousands of users. We focus on customers with a thousand seats or more.

We use the entire M365 E5 license for everything that's going on in the M365 world. We try to accomplish everything we need with Microsoft products.

It was very easy to integrate the solutions. We integrated them so we could have an overall good view of our assets. The installation was fully automated via Intune.

Overall, the solution has decreased our time to detect and respond. If there is any issue, it's not complicated to get the information we need and respond quickly. We offer managed services to some customers, and we have a very clear view of what's going on in their security environments.

One of our main focuses is IT security. This solution has a huge impact on how we use tools and what we do in IT.

One of the biggest points is that Defender is included in the license. It's integrated fully into the M365 world. There's no need to have a third party, which is more complex and includes additional costs. Especially because we're partners, it's very good to have 100 free licenses. We're able to distribute all the information to our customers and integrate it into our projects in a very streamlined way.

We saw all of these benefits instantly. It's different with customers because they are often heterogeneous in the software they use. There's a little bit of explaining and promoting, but it's a huge benefit for most of our customers when they understand that they can have a centralized view of all these security topics. If we are able to deploy the solution to new customers, the benefits are realized in about six months because we have to train them and implement all of the security.

The solution helps with finding high alerts. I wouldn't say it helps with automation because we are piping the problem into the Jira automation, so our managed service kicks in. I would say that it's half-automated.

It helps save time when it comes to the operation and receiving information because we don't have to skip around with different products and customer situations.

This solution enabled our security operations. The legacy approach, in which the tools are in place and someone occasionally checks them, is not secure as it's meant to be today. 

It eliminates the need to look at multiple dashboards and gives us one XDR dashboard. The consolidated dashboard helps our customers get a faster view, which wasn't possible with the former solution.

The solution's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. Our security team is able to work well with it, and a lot of information is getting to our internal users. We distribute everything we learn to our customers.

Sentinel enables us to ingest data from our entire ecosystem because we're cloud-only, so there is no other architecture to monitor.

I would say the logging and analyzers are about 80% of our security operations. The ability to have a clear view of the security information is a big win. For legacy implementations, it's normal to have the security installed but not be able to monitor, detect anything, or get the information to the right people.

For the most part, Sentinel enables us to investigate threats and respond holistically from one place. Today, there are different views, different websites, and different portals to use in order to drill down and get to the real problem. It's a good starting point.

I like the easy integration and advanced possibilities. We can implement it at customer sites in a few clicks, but we can also dive deep and drill down to extended features. There's a very good starting point to get into this product and all the features from Defender. We use Plan 1 for email security because it's a common vector for phishing and attacks. The Plan 2 version goes more into advanced features and logging, which we also use for our internal security operations center.

The solutions work natively together to deliver coordinated detection and response across our environment by about 80%. There should be something to get a consolidated view, which doesn't exist at the moment. We have a known tool in place to consolidate all the information into one view for us. That would be a perfect function to have in the future.

I have more than 15 years of experience in IT security, so I have a very good understanding of the tools we need for a use case. I think the documentation helps us and all of our customers comprehend the product. For cloud products, it's normal that something new today is almost outdated tomorrow. Company-wide, we have a very good view of all these products, and we're very firm in deploying them.

I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses.

I would also like a more aesthetically pleasing dashboard. For German customers, it's important that the solution is in German. Multi-language support should be in all the features if possible. In many projects, we want to use digital signatures on emails. It would be perfect to have better integration of digital signing in a standard way.

In the last few months, the dashboard changed very often. When they restructure it, it's a little bit painful. Otherwise, the technology is very helpful.

The visibility into threats could be better. For the last six months, getting information from the access points has been difficult. However, the newest version fits very well. It's easy if you've found the right spot to view what's happening.

For legacy organizations or legacy customers, I would say it's possible to save time, but time-saving isn't always the best with security because it needs to be deployed and managed.

It can be installed quickly, but it takes time to check out false positives, have everything in place, and train each end user.

We have been using this solution for five years since our company started. The solution had a different name, but we have been using it since it's been available. We use company-wide E5 licenses.

The solution is stable.

We haven't had any scalability problems.

I haven't had a lot of contact with technical support.

For my personal project, I used many other legacy projects, but not at my company. We aren't selling anything other than the new Microsoft solution at the moment.

The solution doesn't require any maintenance.

We have seen ROI in project situations because we removed legacy email gateways and legacy antivirus on-premise solutions.

I would like to have more security features in the lower licenses because not every customer is able to buy E5 licenses. The bundling isn't always easy for our customers to understand. Compared to other tools, it's a good price.

I would rate this solution as eight out of ten. 

My advice to those who are looking to implement this solution is to get help from the right company so you can use the solution properly.

Defender helps us prioritize threats, but I would say it's a combination of all the information that we're getting from the internet and from other resources.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say that it depends on the customer. If someone has their own VSOCK implemented and many security guys on board, then maybe best-of-breed is what they need. 

If someone is a classic customer who doesn't know a lot about security, then they should stick to a one-vendor strategy.

We are using Microsoft Defender for Office 365 for identity and email security, safe links, etc.

It works as an antivirus, and it also works for any behavioral issues in a particular machine. It protects all the applications from any vulnerability. It works in both ways. It works for vulnerability management and also for the EDR part. Earlier, we had Qualys for vulnerability management, but Microsoft Defender takes care of both. It provides information about how vulnerable a machine is, and it also takes care of the antivirus and behavioral issues in a particular machine due to some threats or any unwanted applications installed.

It helps us manage vulnerabilities. If there are any vulnerabilities in a machine due to a lack of patches or end-of-life software installed on the machine, it gives us the report. After seeing the report, we can fix those vulnerabilities by uninstalling the vulnerable applications or by patching them.

It takes care of the antivirus part. The signatures are constantly getting updated related to new viruses. It covers any identity-related issues or device-specific issues. It covers the MITRE framework. If any threat or risk is present in our environment, it takes care of that and then tells us that these are the issues that we need to work on. After we get the alerts, we do the investigation and remediation.

It provides unified identity and access management. You can create role-based access. You can create policies based on different risk levels. You can also trigger password resets. There are a lot of capabilities that are built in. You can also create conditional access (CA) policies. If any vulnerable application is installed on a device, you do not want that device to be connected to your network, you can create conditional access policies. It will first check whether the integrity of the device is as per your organization's requirements. If it is compliant, then only that device will be allowed to connect to your network. The same goes for identity. If MFA is enabled in your environment, the users will be allowed to connect only if their accounts have MFA enabled. Otherwise, the access is blocked. You can automate such things.

It is important that identity and access management are included in Microsoft Defender rather than needing an additional solution. Nowadays, you see a lot of phishing emails and unsecure links being forwarded to user accounts. In Microsoft Defender, we have secure links and safe links. Once enabled, if any malicious link is sent to a user account, when the user clicks on a link, it immediately checks whether it is safe to access. If it is found to be malicious, it is immediately blocked. If a user mistakenly clicks on a link, the risk state is changed automatically in the web portal. If you have a conditional policy in place, the access is blocked for that user. Even if the attackers have access, they will not be able to do anything. In today's scenario, it is pretty important to have these in place.

As of now, the integration part is pretty limited to Microsoft products. However, by using Sentinel, which is a SIEM solution, you can integrate other products.

It stops the lateral movement of advanced attacks like ransomware or business email compromise. You can create lateral movement policies, and you also can create high-risk users or high-risk devices. You can have customized policies for them. You can create different policies, and the alerts triggered from those devices or users are put into high severity so that you can take immediate action.

You get the telemetry of any attack observed by Microsoft Defender. You can see everything from the starting point till the remediation steps automatically taken by Microsoft Defender. The investigations can be found easily. They are pretty detailed. Everything is there in the portal.

It has the ability to adapt to evolving threats. Threat intelligence is embedded in the portal itself for new threats, technologies, ransomware, or malware. All the latest threats are automatically handled by Microsoft Defender. Remediation is also automatically available.

It saves time. There is automatic remediation, and there are playbooks that you can configure. You can automate the remediation steps that you have already tried on a particular machine. If you want to suppress some of the alerts, you can create suppression rules so that your team does not spend time investigating them. Playbooks, automatic remediation, and suppression of similar alerts save a lot of time.

Vulnerability management is valuable. We had a different product for vulnerability management. We were using Qualys for that, but after we got Microsoft Defender, we also got the vulnerability management part. It is embedded in the portal itself. We do not have to look into another solution or tool. We did not have to install any additional sensor which reduces the overhead and does not affect the machine's capability. With the same sensor, we get the vulnerability report and threat report. We also get to know any risks and issues related to malware and other things.

The portal is quite user-friendly. There is integration with Office, Intune, and other products from the same portal. From there, we can see which policies are installed on a particular machine. We also can manage devices, groups, and tagging. For a different set of teams or departments, we can create different device groups. Based on the teams and their work portfolio, we can create different policies. It is quite handy, whereas with the Qualys solution, the portal was quite cluttered. To find a particular option, we had to look at many options, whereas Microsoft Defender is quite user-friendly.

We are also getting all the reports by using the same sensor. It is light on the machines as well. It consumes less resources than other solutions available in the market.

It is evolving. We are seeing new advancements and integrations. They have integrated Copilot, so going forward, we can take the AI advantage. It will be quite easy for us to run any queries. These are the advantages that I see in Microsoft Defender in comparison to others.

The patching capability should be there. Patching is something that you cannot do even though you see the vulnerabilities present in your environment. For patching, you have to depend on another solution.

Other than that, there are still limitations in creating device groups. You can create tags, but these tags are based on limited options. There are only a few categories based on which you can create a tag or device group. If there are other conditions that you want to put, such as creating a group based on the application installed on a particular machine, you cannot do that. There are some shortcomings. Also, if you want to whitelist a particular application for a set of groups, you cannot do that. We had an incident where we wanted to whitelist a particular application that was getting blocked by Microsoft Defender, but we were not able to create those groups. We were not able to whitelist the application for some of the devices. We had to whitelist it for the whole environment, which we did not want to do.

It only has pre-built dashboards. You cannot create customized dashboards. They have a set of dashboards, but they are not customizable.

We can create reports using KQL, but it is hard to create customized reports using KQL. You get a CSV, but you need to use Power BI or another reporting product to create the report. The other products available in the market give you customized dashboards, customized reporting, and customized workflows. This is pending in Microsoft Defender.

I have been working with this solution for 1.5 years.

It is a Microsoft product. It is similar to any other Microsoft product in terms of stability. They do change the name and other functionalities, but it is pretty much similar to any other Microsoft product.

It is pretty scalable. It does not stop you anywhere.

I am working in an MNC. We have more than 6,000 people.

It depends upon the license that you have. They have a different set of licenses based on which you get support. It depends on the support packages you have purchased.

It is very easy to raise a request. They have a portal. From there, you can create a ticket by email or by chat. The response is based on the support package that you have. If you have premium support, you can get a response in minutes. 

In my previous organization, I worked with Palo Alto XDR. In this organization, we had McAfee, which is a signature-based solution. Microsoft Defender is more advanced than McAfee. It is EDR-based, whereas McAfree was signature-based. It was based on the signatures related to a particular threat or virus. It was handling threat prevention, but behavioral analysis and other functionalities that you see in EDRs were not there. We wanted to move to a behavioral-based antivirus solution. That is why we opted for Microsoft Defender.

Microsoft Defender also enabled us to discontinue the Qualys solution. It has many capabilities related to vulnerability management. They are available out of the box, but patching is something that is missing. For patching, you need to use Intune, whereas, in Qualys, you can also do patching, so patching is something that is missing in Microsoft Defender. However, Microsoft Defender is very good for the assessment of vulnerabilities.

You also get visibility of the devices that are still not onboarded to Microsoft Defender. You have something called Device Discovery in Microsoft Defender. Once enabled, you can get details of all the machines that still do not have Defender, whereas, in Qualys, you have to create customized or scheduled scans of your network. They then run on a periodic basis, but that is not the case with Microsoft Defender. It is on a real-time basis. The Microsoft Defender client continuously does the scanning, and you get visibility into all the machines on your network that still do not have Microsoft Defender onboarded. However, you cannot do patching with Microsoft Defender.

Microsoft Defender can save costs. Qualys is pretty expensive. Microsoft Defender does vulnerability management out of the box, so if you do not want to do patching and you have another solution for patching, you can save costs. It also has out-of-the-box functionality for identity protection.

It is deployed on a public cloud. If you do not have people in your team who know about this product, Microsoft can give you a vendor to help with deployment, creating the policies, etc.

Overall, it is pretty straightforward because Microsoft Defender is enabled on all Windows machines. All you need to do is to activate the sensor that is already installed. The installation process is not much, but if you want somebody to help you, Microsoft can help you with a list of vendors at a particular location. The vendor can help you with configuring the policies and activating different licenses.

Documentation is available on the Microsoft portal to help you create policies and go forward as per your environment.

We took help from somebody for implementation.

It does not require a lot of people because it is a cloud solution and the sensor is already available in the machine itself. It does not require a lot of manpower to get started with Microsoft Defender and do a migration. However, it also depends on how big your organization is. If it is an MNC with a presence in multiple countries, you might need at least one person per region. If any hands-on support is required on a client machine, you can do troubleshooting remotely or provide on-site support. If you have only one site, you do not need much manpower. A single person can do it.

Its maintenance is similar to any other solution. If you are changing any policy, you have to test them before putting them into production. Apart from that, it does not require anything. The Defender updates are automatically available. You can push them through your patching solution. Its maintenance is not hard.

Every organization has different requirements. In my previous organization, we opted for Palo Alto even though we had Defender and CrowdStrike. CrowdStrike is also a best-in-class solution, but we opted for Palo Alto because it was giving something that was a requirement. In that organization, we also wanted to do some management. We wanted to run some scripts through our XDR solution. CrowdStrike had some limitations. We also wanted to do a console login for a particular machine. CrowdStrike gave that functionality, but it was pretty limited, whereas, in Palo Alto, it was limitless. We could straightaway see the files present on a machine by using the console view. We could run a different set of queries. It did not matter whether we were running a PowerShell script, a Python script, or any other language script because the compiler was embedded in the sensor. Palo Alto met the needs of that company. For the use cases, it was the best fit.

In my current organization, the use cases are different. We only wanted an EDR solution. Also, because most of the products in our environment are from Microsoft, the integration with them was pretty easy. That is why we opted for Microsoft Defender. An organization should look at its use cases and then decide on an EDR/XDR solution.

Comparing Microsoft Defender's EDR capabilities with other solutions, I would recommend going for another solution available in the market. I would rate it a 6 out of 10 because there are a lot of things that are available in other solutions, such as doing a remote of a particular machine and running other language scripts. Other solutions are also better in terms of the isolation of a particular device, removal from the isolation, and granularity of security control. I am not comparing it with others for vulnerability management because Palo Alto or CrowdStrike do not do that. If there are any vulnerabilities and you want to fix them, you have to do all the work.