Microsoft Defender XDR Primary Use Case
Microsoft 365 Defender has many use cases. It includes four different services: Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps.
Microsoft Defender for Identity protects on-premises identities and synchronized identities from on-premises to the cloud. It ensures that identities are not compromised and that domain controllers are protected. This service is especially helpful for large enterprise customers who cannot move to the cloud entirely.
Microsoft Defender for Endpoint ensures that endpoints, such as laptops and mobile phones, are managed and protected. It is important that all four Microsoft 365 Defender services are integrated and share signals with each other. This allows for more comprehensive security and threat detection.
Microsoft Defender for Cloud Apps focuses on application-related issues. It allows us to sanction or unsanction applications, manage shadow IT, and prevent users from uploading documents to external cloud storage or sending emails with unapproved documents.
Microsoft 365 Defender Portal integrates all four Microsoft 365 Defender services into a single portal. This makes it easier for security engineers to view logs, events, and incidents from all four services in one place.
In addition to Microsoft 365 Defender, it is recommended to have a Security Orchestration, Automation, and Response solution. Microsoft's cloud-native SOAR solution is called Sentinel. Sentinel is a powerful tool that can be customized to meet the specific needs of our organization. It is also cost-effective because we only pay for the features we use.
KQL is a powerful tool that can be used to create custom queries for Microsoft 365 Defender. KQL is similar to the PowerShell language, so it is easy to learn for IT professionals who are already familiar with PowerShell.
My company operates as a service provider, so we use Microsoft Defender XDR in our office to provide our customers with security services.
We are a security consulting company that assists clients with their Microsoft 365 and Azure security and workloads. We can help optimize the use of their purchased feature sets and licensing, ensuring they get the most out of their investment for security and other workloads and features within the 365 and Azure environments. As information flows between their 365 and Azure environments, we offer expertise to ensure clients are utilizing all available resources effectively.
The majority of our deployments follow a hybrid model, which is currently the norm. Although there have been instances where organizations have fully migrated to the cloud, many larger enterprise solutions in the industry are still in the process of transitioning from on-premises to cloud-based infrastructure. Consequently, most of these solutions are currently in a hybrid state.
Buyer's Guide
Microsoft Defender XDR
March 2024
Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
Matthew Madigan
Cybersecurity Manager at Dow
I'm managing the SIEM, but the SIEM is heavily integrated with 365 Defender and all the other components. Defender is a natural extension of Sentinel, and our entire SOC team leverages the solution. We utilize it daily for everything related to incident response from an advanced threat-hunting perspective.
We do some KQL-based threat hunting and have set up some custom detections built into the platform, so we can raise an alert about a threat when we see it. Right now, we're onboarding our server environment to push Defender for server agents to see what that looks like.
Defender is used widely by our SOC for everyday investigations. Our attack surface reduction teams use it for vulnerability information. Other teams at the company use the telemetry data, but it's primarily our SOC using it for incident response.
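The reviewer mentions KQL-based hunting and custom detections built into the platform. The query below is an added example of what such a custom detection looks like; it is not the reviewer's query and not Microsoft content. The hypothesis it encodes (an Office application spawning PowerShell with an encoded command) and the process names are assumptions chosen for illustration. The `Timestamp`, `DeviceId` and `ReportId` columns are kept in the output because a Defender XDR custom detection rule needs them to raise and correlate an alert.

```kql
// Added example (not the reviewer's own query): an advanced-hunting query
// shaped so it can be saved as a Defender XDR custom detection rule.
// Assumption for illustration: PowerShell launched by an Office application
// with an encoded command line is suspicious enough to alert on.
let lookback = 1d;
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName in~ (officeApps)
// -e, -enc and -EncodedCommand are all accepted spellings of the switch;
// the value is base64, so require a run of base64 characters after it
| where ProcessCommandLine matches regex @"(?i)\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
| extend EncodedPayload = extract(@"(?i)\s-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
// PowerShell encodes the script as UTF-16LE, so strip the interleaved NUL
// bytes after decoding to give the analyst a readable payload in the alert
| extend DecodedPayload = replace_regex(base64_decode_tostring(EncodedPayload), @"\x00", "")
// Custom detection rules require Timestamp, DeviceId and ReportId in the result set
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine, DecodedPayload
```

When saved as a custom detection, the rule runs on the schedule chosen in the portal and each matching row becomes an alert with the decoded script attached, which is the "raise an alert about a threat when we see it" workflow the reviewer describes. Run it in advanced hunting first over a longer `lookback` to measure how noisy it is in your own environment before turning it into a detection.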
I am a trainee in an IT support company, and I am using the solution to advise clients of our company.
reviewer2186769
Architect Security + Modern Workplace at a manufacturing company with 501-1,000 employees
We use the standard Microsoft services and solutions for our entire IT infrastructure, so we leverage most 365 Defender services, including Sentinel, Defender for Identity, Defender for Endpoint, Defender for Cloud, Defender for Cloud Apps, and Defender for O365. We use all those solutions to secure our IT infrastructure and environments.
We deliver Microsoft services to users worldwide, including SharePoint and Exchange Online. Gmail is the one minor exception where we do something slightly different. 365 Defender currently covers 5,000 endpoints and between 10,000 to 15,000 identities. There are more identities than endpoints because we don't give everyone a company laptop.
Cory Berghaus
Infrastructure architect at Energizer Holdings, Inc.
It addresses various use cases, including monitoring and securing file storage like OneDrive and SharePoint. It has recently incorporated Teams integration to safeguard against malware. Additionally, it serves as a replacement for on-premises Advanced Threat Protection, offering enhanced capabilities. It has proven valuable in highlighting critical scenarios related to credential use and legacy Active Directory, providing substantial assistance in these areas.
In our organization, we are mainly using it for email security and SharePoint security.
I work for a managed security service provider, where a dedicated team at our Security Operations Center manages the entire 365 Security Stack for our clients. This means we're constantly monitoring alerts, prioritizing incidents, and responding actively, leveraging automation features where possible. We also play a crucial role in the onboarding process, setting up and integrating security solutions with our platforms for efficient alert management and incident response. Furthermore, we handle policy configuration and hardening, ensuring effective security controls are in place. We actively maintain these policies, fine-tune them as needed, and adapt them to new features and updates, collaborating closely with clients throughout the process. In essence, we own and manage the security platform for our clients, providing them with comprehensive protection and peace of mind.
We use Microsoft Defender XDR for endpoint protection, monitoring network traffic, and enabling automation of issues. If we are specifically referring to Defender for Endpoint, it is a perfect solution to monitor user behavior and activities across all of our web portals. This provides an easy way to analyze and generate reports about user online activities.
Microsoft 365 Defender is used for our threat policies, configuration, and security protection.
Shaik Firoz
Network & Security Manager at SNP Technologies, Inc.
We use 365 Defender with Outlook, Teams, and SharePoint. Our organization extensively uses these products as do the clients we serve. Our goal is to secure those email, SharePoint, and Teams environments.
Mike Moore
SysAdmin Engineer at FileVine, LLC
At FileVine, we provide case management software for attorneys, so we have considerable SOC 2 compliance requirements. We need more than a firewall; we also need a solution that helps us upkeep and manage devices, laptops, etc. 365 Defender fulfills these requirements, and SOC 2 compliance is our primary use case.
We're a hybrid company using both Macs and Dells, deployed across multiple regions.
Purav Desai
M365 Incident Responder at a financial services firm with 201-500 employees
I've mainly used the EDR component within 365 Defender, which is Microsoft Defender for Endpoint. It does a good job of bringing the whole attack story together, so you can see email activity, endpoint activity, cloud app activity, and some sort of sign-in activity as well relating to Azure AD, but I've mainly dealt with it from the EDR aspect.
reviewer2186649
Senior Cybersecurity Specialist at a tech services company with 10,001+ employees
My company mostly uses Microsoft Office products, so we use 365 Defender for our security. 365 Defender is deployed globally, and it works the same whether you are in Europe, China, or India. It currently covers around 4,000 people worldwide.
We use Microsoft 365 Defender to protect our privacy.
We mainly use this solution for security reasons. We use it for the complete stack of email security so we don't have to use a third-party tool, and we use the extended security features that are included in M365, like sandboxing.
The solution is deployed on the Azure cloud. We're a cloud-only company, so we only deploy cloud workloads, but we also have customers with legacy systems. If we're not able to migrate them to Azure, Defender for the server can be deployed on-premise.
The solution is deployed across Germany in four regions: Munich, Cologne, Bremen, and Hamburg. However, most people work from home.
There are about 50 endpoint users, but we have customers with thousands of users. We focus on customers with a thousand seats or more.
We use the entire M365 E5 license for everything that's going on in the M365 world. We try to accomplish everything we need with Microsoft products.
It was very easy to integrate the solutions. We integrated them so we could have an overall good view of our assets. The installation was fully automated via Intune.
I am a consultant responsible for deploying and providing customer support for Microsoft products. We use Defender XDR for endpoint protection. It helps them secure endpoints with an advanced XDR solution that conducts behavior analysis and things like that.
reviewer2187066
Tech Support Engineer at a tech services company with 5,001-10,000 employees
My area of specialty is how Microsoft 365 Defender works together with Exchange Online.
Microsoft 365 Defender incorporates a capability to identify potentially malicious emails or emails originating from suspicious senders.
Ibru PP
Group IT Manager at Civcns
We use Microsoft Defender XDR to protect our endpoints, computers, mobile devices, and emails.
reviewer2313252
Senior Infrastructure Engineer at a manufacturing company with 51-200 employees
We use Microsoft Defender XDR for antivirus, threat intelligence, and email blocking.
I'm a Security and Compliance consultant providing 365 Defender as a security solution for my clients.
Joaquín Rodriguez
Deputy Director of Infrastructures and IT Services at a government with 10,001+ employees
I am the head of IT of the police force in the Madrid municipality. I have deployed the product to all 6,000 policemen and policewomen here, and we are trying to protect all our devices with it.
It is a universal security tool across our organization, catering to staff members using standard laptops and PCs. Currently, we employ an in-house solution built upon a smaller product from a Finnish company.
Although it integrates with Microsoft AD, our solution remains somewhat proprietary as we've independently implemented and tailored it to our specific needs.
We do not leverage the multi-tenant management capabilities of the solution. In our scenario, we operate as a single organization, allowing us to utilize a straightforward, single-setup approach.
We provide MXDR services. Initially, they are professional services such as setup and deployment, and then after that, we provide Day 2 services, which include working on the incidents and alerts the products generate, determining which one is a true positive and which one is a false positive, taking response actions, and maintaining a steady state.
We are expanding use cases with Defender for IoT integration. Now that the E5 license includes the enterprise IoT sensors, we are getting more of that telemetry to our SOC. Because most SOCs do not have that telemetry, it is something that we have had a couple of clients invest in.
In terms of our in-house usage of this solution, there is not a lot of in-house infrastructure when it comes to workstations and things like that. As a security company, we are pretty infrastructure-light.
Doggi Mitel
Manager IT Services, Admin at asTech
We provide services to medium-sized businesses in the banking and administrative sectors. We are also using Microsoft Sentinel and Defender for 365.
Our main use cases include securing critical university services and establishing a research tenant for researchers to store and manage their findings across both everyday machines and dedicated research spaces. It involves dealing with malware and managing server security through tags. Additionally, a significant portion of our work involves exploring and investigating emails using the Explorer tool. It is well-suited for addressing these scenarios and ensuring robust security measures.
reviewer2245425
Cyber Security Admin at an insurance company with 1,001-5,000 employees
My role is to monitor Microsoft 365 Defender. We investigate various alerts and incidents that occur there. We utilize the solution to block any malicious domains, URLs, or other harmful elements that could affect our environment. Microsoft 365 Defender is our tool of choice for this purpose, and it helps improve our secure score. We assess the available remediation options to determine if they are suitable for our enrollment. Additionally, we use it for email analysis and make use of all the features provided by Microsoft 365 Defender.
We manage around 5,000 computers inside and outside our company. I use Defender to work on our security score by deploying security policies. We apply all the security recommendations to our computers and patch all third-party applications. We check every day for malware to alert our security teams.
reviewer2243202
Cyber security team lead at a non-tech company with 11-50 employees
We mainly use it to defend endpoints.
I've been using it for endpoints and for Microsoft 365, along with Microsoft Defender for Identity. I use it to create policies for anti-spam, anti-malware, anti-phishing, as well as safe links.
I also use it for the security score, making sure that our company achieves a good security score across the organization.
Almost every use case is about security layers for messaging in Teams and for email. It is especially used for phishing filters, spam filters, and composite authentication, as well as zero-day advanced protection, and for protection within already received emails. Clients are also looking for link protection in Teams and in SharePoint.
Vivek M.
IT Consultant
We use 365 Defender to manage organization-level devices and vendor security compliance. We are a retail-focused organization that offers cloud services through Azure, GCP, and AWS, but we manage all the security through 365 Defender. Some of our users are based in other countries, and everything is centralized. We operate in multiple regions.
We are a Microsoft partner and we have clients who are Microsoft 365 administrators in several companies. They are looking for ways to secure their tenants and make sure that their security is top-notch. That's where Microsoft Defender comes in. We use Microsoft 365 Defender for security and compliance to secure tenants from malicious attacks, including spam and phishing attacks. And when it comes to compliance, it is used for data privacy and data protection to ensure that very sensitive data doesn't go out to the wrong location.
reviewer2292465
Security Architect
We use Microsoft Defender XDR in our multi-tenant environment comprising Windows, Linux, and the Cloud.
We have Microsoft Defender deployed in a hybrid environment across AWS, Azure, and GCP.
We're using it for our email filtering to check incoming emails and URLs. We're also using it for vulnerability management to see the status of our assets that are registered on the system. We also check it to see what kinds of threats and campaigns are currently being launched via emails.
reviewer2024007
OT Security Architect at a tech services company with 10,001+ employees
The main use case has been for threat hunting, not in the sense of actively looking for the threat, but in terms of analyzing the ongoing process within clients' machines. I was looking into what kind of changes happen when you install any new software and it asks for so many permissions. I wanted to analyze the criticality of the permissions being asked and so on. Usually, when we install any software, we just click next, next, and next. We don't look at the details. So, my role was to check how it behaves within a system. For that reason, I used Microsoft Defender.
I used the query language to do advanced threat hunting. I ran different queries to collect the data. The data was then brought into Power BI. We had data coming from different channels. So, we used Power BI to collect it at a single point.
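The reviewer used advanced hunting to study what a newly installed program does on a client machine, then moved the rows into Power BI. The query below is an added example of that kind of hunt; it is not the reviewer's query and not Microsoft content. The device name, installer name and one-hour window are placeholders chosen for illustration. It collects the installer, the processes it spawned, and the file, registry and network side effects of those processes into one flat timeline, which is the shape that exports cleanly to a reporting tool.

```kql
// Added example (not the reviewer's query): profile what an installer did on
// one device in the hour after it ran, across process, file, registry and
// network telemetry. targetDevice and installer are illustrative placeholders.
let targetDevice = "ws-analyst-01";
let installer = "setup.exe";
let window = 1h;
// First time the installer ran on that device
let t0 = toscalar(
    DeviceProcessEvents
    | where DeviceName =~ targetDevice and FileName =~ installer
    | summarize min(Timestamp));
// Process IDs of the installer and of anything it launched directly.
// Caveat: PIDs are reused over time, so keep the window short.
let installerPids = DeviceProcessEvents
    | where DeviceName =~ targetDevice and Timestamp between (t0 .. t0 + window)
    | where FileName =~ installer or InitiatingProcessFileName =~ installer
    | project ProcessId;
// Merge the side effects of those processes into one timeline
union
  (DeviceProcessEvents
   | where DeviceName =~ targetDevice and Timestamp between (t0 .. t0 + window)
   | where InitiatingProcessId in (installerPids)
   | project Timestamp, Category = "Process", Process = InitiatingProcessFileName,
             Detail = ProcessCommandLine),
  (DeviceFileEvents
   | where DeviceName =~ targetDevice and Timestamp between (t0 .. t0 + window)
   | where InitiatingProcessId in (installerPids)
   | project Timestamp, Category = "File", Process = InitiatingProcessFileName,
             Detail = strcat(ActionType, " ", FolderPath, "\\", FileName)),
  (DeviceRegistryEvents
   | where DeviceName =~ targetDevice and Timestamp between (t0 .. t0 + window)
   | where InitiatingProcessId in (installerPids)
   | project Timestamp, Category = "Registry", Process = InitiatingProcessFileName,
             Detail = strcat(ActionType, " ", RegistryKey, " ", RegistryValueName, " = ", RegistryValueData)),
  (DeviceNetworkEvents
   | where DeviceName =~ targetDevice and Timestamp between (t0 .. t0 + window)
   | where InitiatingProcessId in (installerPids)
   | project Timestamp, Category = "Network", Process = InitiatingProcessFileName,
             Detail = strcat(ActionType, " ", RemoteIP, ":", tostring(RemotePort), " ", RemoteUrl))
| order by Timestamp asc
```

Persistence keys (Run, services, scheduled tasks) show up in the Registry rows and outbound connections in the Network rows, so the result can be read against the permissions the installer prompted for. Summarizing by `Category` and `Process` on top of this output gives the per-install view the reviewer was after.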
We are a managed security service provider, and we use Microsoft 365 Defender to provide EDR and endpoint, and email protection to our customers.
We are using Microsoft Defender XDR for our endpoint, desktop, and laptop protection.
reviewer2315802
Manager of IT Services at a government with 51-200 employees
We primarily use it for endpoint security. Specifically, it serves as our solution for antivirus detection, malware detection, and related aspects focused on safeguarding individual devices.
reviewer2315745
IT Security Manager at a construction company with 1,001-5,000 employees
We implemented Defender two and a half years ago, utilizing it in a passive mode with only the sensor active for data collection and basic EDR results. Although it has been running on all devices, we are currently in the process of making the final transition from the existing setup to fully leverage Defender as our EDR solution.
reviewer2301657
Works
It is, of course, an antivirus tool. I work as a lead for a SOC team, and it's our job to monitor all the endpoints in our organization. We are looking for any unusual activity happening on the devices, and Defender monitors them.
If there are any changes or unusual activities, it triggers an alert. An analyst will pick up the alert from Microsoft 365 Defender and go through the timeline to understand what triggered that alert and whether to categorize it as a security incident or not. Some of them turn out to be false positives, and some turn out to be true positives.
We use it for other tasks like IOC management. In the cyber world, different applications have different vulnerabilities. If an application is used in our organization, we make sure all the IOCs, whether hash values, malicious IP addresses, or malicious domains, are blocked in the Microsoft 365 Defender.
Dennis
Sitecore Team Lead at a retailer with 11-50 employees
One of my largest customers deployed Defender for Endpoint, but they also wanted Defender XDR to get a specific feature. Defender XDR is included in the E5 license, but it's a bit too expensive. Our customer wanted Defender XDR's file integrity monitor tools for compliance. My client is using Defender with Sentinel, but I'm unsure how much they use it.
reviewer2246598
Cybersecurity Intern
I use 365 Defender to protect against phishing attacks and filter out our email to pick up certain vulnerabilities. For example, if someone sends out their credentials, it triggers an alarm.
We primarily use the solution for email protection to scan incoming emails and attack simulation. Attack simulation allows our users to practice detecting phishing emails without any risk. The product also gives us an overview of our security situation.
We operate a hybrid environment with a wide variety of users around the world.
We use multiple Microsoft security products, including Defender for Endpoint, Sentinel, and Defender for Cloud Apps.
We have integrated all our Microsoft security solutions, and the integration is easy and seamless, though an Azure account is required to connect Sentinel with other products.
The solutions work natively together to deliver coordinated detection and response across our environment.
The multiple Microsoft security products provide comprehensive threat protection, especially by combining 365 Defender and Defender for Cloud Apps, Endpoint, and Identity.
We make use of Microsoft Defender for Office 365 for endpoint security and email, and we use the Defender umbrella for impersonation and sales. Under the Defender umbrella, we use a lot of products depending on the customer requirements. As a company, we use Defender for email as well as for endpoint security.
Eyad Abounada.
Infrastructure Lead at a government with 1-10 employees
Defender XDR is a solution that protects your enterprise systems and devices.
reviewer2315670
Systems Manager at an energy/utilities company with 1,001-5,000 employees
It is an integral part of our security infrastructure, primarily serving to monitor both our server and client environments comprehensively.
Microsoft 365 Defender is one of the first layers to our security. It's our first layer security product, e.g. we use it, then we also use Exchange Online Protection for email, Safelink, etc.
We always recommend these products to our customers, e.g. if the customer is using another third-party product. We are always recommending these compliance and security products, e.g. Microsoft 365 Defender, Cloud App Security, etc.
We usually recommend cloud security because it connects all of these security and compliance products in one center to take logs and make them meaningful, plus you can also create alerts. We are also recommending it because of Microsoft Teams usage, especially because in Microsoft Teams, users sometimes do mass deletion, mass download, etc. We always say: "Let's connect your Cloud App Security with your Azure Information Protection, with Microsoft 365 Defender and your Microsoft Teams, your Engula, etc." We find cloud security to be very useful.
We typically use Defender's default settings and are implementing MITRE ATT&CK use cases on Microsoft Defender this year. We do manual threat hunting and check to see if there is a trending attack. We have the latest IOCs and sweep across the organization looking for them.
When implementing Defender, we usually use its advanced hunting features to determine particular techniques used across the whole environment. We use multiple Microsoft security products, including Defender for Endpoint, Defender for Cloud Apps, Sentinel, email and collaboration, data loss prevention, and Microsoft Purview.
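Two reviews describe the same routine: the SOC team lead above blocks hashes, IP addresses and domains as IOCs, and this reviewer takes the latest IOCs and sweeps the whole organization for them with advanced hunting. The query below is an added example of that sweep, not either reviewer's query and not Microsoft content. The indicator list is constructed and the values in it are placeholders (documentation ranges and reserved names), not real IOCs. It checks endpoint file and network telemetry, mail attachments and mail URLs in one pass and tags each hit with the feed the indicator came from.

```kql
// Added example (not from either reviewer): sweep endpoint and mail telemetry
// for a set of indicators in one query. The indicator values are constructed
// placeholders for illustration, not real IOCs.
let lookback = 30d;
let iocs = datatable(Type:string, Value:string, Source:string) [
    "sha256", "0000000000000000000000000000000000000000000000000000000000000001", "vendor-advisory-x",
    "ip",     "203.0.113.17",      "vendor-advisory-x",
    "domain", "files.example.net", "internal-report-42"
];
let hashes  = iocs | where Type == "sha256" | project Value;
let ips     = iocs | where Type == "ip"     | project Value;
let domains = iocs | where Type == "domain" | project Value;
union
  // Files seen on endpoints with a listed hash
  (DeviceFileEvents
   | where Timestamp > ago(lookback) and SHA256 in~ (hashes)
   | project Timestamp, Surface = "endpoint-file", Where = DeviceName,
             Indicator = SHA256, Context = strcat(ActionType, " ", FolderPath, "\\", FileName)),
  // Connections from endpoints to a listed IP or domain
  (DeviceNetworkEvents
   | where Timestamp > ago(lookback)
   | where RemoteIP in~ (ips) or RemoteUrl has_any (domains)
   | project Timestamp, Surface = "endpoint-network", Where = DeviceName,
             Indicator = iff(RemoteIP in~ (ips), RemoteIP, RemoteUrl),
             Context = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort))),
  // Mail attachments with a listed hash
  (EmailAttachmentInfo
   | where Timestamp > ago(lookback) and SHA256 in~ (hashes)
   | project Timestamp, Surface = "mail-attachment", Where = RecipientEmailAddress,
             Indicator = SHA256, Context = strcat(FileName, " from ", SenderFromAddress)),
  // Mail containing a link to a listed domain, joined to the delivery verdict
  (EmailUrlInfo
   | where Timestamp > ago(lookback) and UrlDomain in~ (domains)
   | project Timestamp, NetworkMessageId, UrlDomain
   | join kind=inner (EmailEvents
                      | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, DeliveryAction)
     on NetworkMessageId
   | project Timestamp, Surface = "mail-url", Where = RecipientEmailAddress,
             Indicator = UrlDomain, Context = strcat(DeliveryAction, " from ", SenderFromAddress))
// Normalize case so the join back to the list is exact, then attach the feed name
| extend Indicator = tolower(Indicator)
| join kind=inner (iocs | project Indicator = tolower(Value), IocSource = Source) on Indicator
| project Timestamp, Surface, Where, Indicator, IocSource, Context
| order by Timestamp asc
```

Any row from `DeviceNetworkEvents` whose `RemoteUrl` is empty was a bare IP connection; the `iff` keeps the matched value as the indicator either way. A hit in `mail-url` with `DeliveryAction` of `Delivered` is the case to act on first, since the message reached the mailbox. Once the sweep confirms which indicators are actually present, the same hashes, IPs and domains can be added as block indicators in the Defender XDR portal, which is the IOC-blocking step the SOC team lead describes.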
reviewer1945362
Consultant at a tech services company with 1,001-5,000 employees
Microsoft 365 Defender is an extension of Windows Defender. Windows Defender is an AV that is integrated with Windows OS, and with this extension, you also get the EDR functionality for security purposes. Microsoft 365 Defender gets more access to the device and provides more insights and control over that. Apart from the Windows platform, it also includes other OSs, such as Linux and macOS.
We do have multiple options for deployment. We did deploy it on the cloud. We got the on-cloud license, and we onboarded our devices to the portal. The portal is deployed on the Azure cloud.
I'm a deployment engineer for Microsoft products, and we work with multiple SMEs. Customers adopting Microsoft products want the same features they had in their third-party solutions. We look at their requirements and the types of features they need. We determine the security mechanism that best addresses their vulnerabilities. We might suggest Defender for Identity, Defender for Endpoint, 365 Defender, and Defender for Cloud Apps. In addition to those security solutions, we offer device management. We provide everything.
It's the main tool that we use for the customer that we support. We don't use any other tools to monitor the environment.
We use Microsoft Defender XDR to secure data.
I primarily use the solution as an engineer. I use the product to protect the endpoint and I use it to protect my customer's environment.
reviewer2282451
SecOps Engineer at a computer software company with 11-50 employees
We are using it for incidents and alerts. It is helpful for threat hunting.
We have tied it to Azure AD or Microsoft Entra, and we are trying to implement it for Linux.
We use Microsoft Defender XDR for endpoint protection.
We use Microsoft Defender XDR for malware detection and browser protection. We have around 500 devices to protect. We use it to get reports for each of these devices.
We have many clients that have large companies in the south region of Mexico. They use the solution for security.
reviewer990312
Security Solutions Architect at a computer software company with 10,001+ employees
We have very strong DLP policies. The product will inspect each and every outgoing email and what kind of attachments they have, including if any have business-sensitive information such as outgoing email going to some public domain such as Gmail or Yahoo. If the solution detects this, it'll raise an alarm and notify the required teams. On top of that, the incoming email will scan attachments for any potential malware tech or any phishing link.
reviewer2189508
Security Analyst at a tech vendor with 5,001-10,000 employees
We rely on Microsoft 365 Defender for workstation detection across a number of categories, including virus detection, potential unknown application detection, and monitoring for suspicious website interactions, including clicks and access attempts.
I have used Microsoft 365 Defender in the cloud.
I work at a SOC, and we use Microsoft XDR to provide 24/7 monitoring for our clients. We use it to monitor all types of incidents, including attacks on endpoints and email-related threats. It's integrated with other Microsoft solutions.
reviewer909678
Systems Engineer at a consultancy with 201-500 employees
We use Microsoft Defender XDR to centralize our security solutions.
William Grashoff
IT System Administrator at European Space Agency (ESA)
We use Microsoft 365 Defender to help secure threats of the Office package, such as Word, Excel, and PowerPoint. Additionally, it can fix issues.
Gowtham Vignesh
Senior IT Executive and Operation at a tech services company with 51-200 employees
The primary use case for Defender is to control the endpoint systems at the user level. On the networking level, we use it to analyze spam and see if any antivirus services are required or if there's a ransomware attack. As of now, I am just using it for monitoring.
reviewer1007844
Product Manager at a comms service provider with 501-1,000 employees
We primarily use the solution as security for our endpoints. It covers everything.
reviewer1048440
Desktop Architecture and Design at a tech services company with 1-10 employees
We primarily use the solution for security. We removed all other antivirus products such as McAfee. We removed everything and now use Defender as Defender covers everything all third-party products used to cover.
Piyachon Dabsomdaj
Senior Cloud Architects at Metro Systems Corporation Public Company Limited
I use the solution for security against system threats.
We use the solution to back up our data frequently.