A vigilante and reliable XDR
November 17, 2023

Yash Mudaliar | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Microsoft 365 Defender

We are not only managing Microsoft 365 Defender for our clients but also using it for our organization as an XDR (eXtended Detection and Response) tool for all our users. It does a fantastic job of correlating identities, network, endpoints, applications across the organization to present relevant information in incidents and reports. It very much acts as a single pane of glass providing a holistic view of security insights across the various domains.

Pros

  • I am a huge fan of Microsoft Defender for Endpoint within Microsoft 365 Defender. It is one of the most professional and reliable EDR (Endpoint Detection and Response) tools out there, providing excellent features like vulnerability management, baseline assessments, device discovery etc.
  • Microsoft Defender for Office365 (Email Security) is yet another class-apart product in this Microsoft 365 Defender stack. It is one of the easiest to use tools among all the other Microsoft security products, yet at the same time offers such a wide variety of features like threat policies (anti-spam, anti-malware, anti-phishing etc.), attack simulation, message trace etc.
  • Incident Management is the main USP of Microsoft 365 Defender, due to which it can actually be considered a true XDR. The intuitive and user-friendly UI, the very useful attack story view, broad classifications, automated investigation etc.; the list of awesome features just goes on.

Cons

  • Threat Intelligence is definitely an area of improvement for this product. It's very hard to deduce any conclusions or merely make sense of its presence in the product.
  • The 'Reports' in Microsoft 365 Defender appear to be not very "presentable" over time, which really questions their existence within the portal. It definitely needs to be improved.
  • Vulnerability Management, while a great feature, has some areas for improvement in terms of being admin friendly, by providing some remediation options like deploying patches or at least sending notifications to the impacted users etc.
  • The only negative, or rather I'd say less favorable, ROI has been the increase in cost, as Microsoft 365 Defender counts as a premium product from Microsoft which has significant cost associated with it.
  • Our security analysts have seen a significant increase of 30-45 mins in the triaging time for complex incidents due to the intuitive and informational UI of Microsoft 365 Defender.
  • Less hassle of switching to multiple portals to get the relevant information
Switching to different security products for getting relevant logs which impacted the triaging and investigating window. Correlation of vulnerabilities with incidents was almost impossible as both of them were high in numbers. Proactive hunting through the risk findings and threat intelligence was very difficult. Had to acquire and administer separate products for separate domains like endpoints, applications and identities etc.
Microsoft 365 Defender automatically collates data from all the various domains and presents it in the incident investigation page as evidence. 'Vulnerability Management' effectively correlates vulnerabilities with incidents for a specific endpoint.
Threat Hunting through KQL is a very feasible and reliable option to proactively search for threats and vulnerabilities as per the organization's industry.
The administration of all the Defender products under Microsoft 365 Defender can be done smoothly under the 'Settings' page.
Yes, we are using the automated response in a multi-layered approach where we have set the automation level to 'Full' for all the normal users across the tenant and 'Semi - require approval for core folders' for the C-Suite level of our organization. We have recently switched to semi from 'No automated response' after thorough testing and obtaining satisfactory results from those tests. For users with 'Full' automated remediation, we have rarely faced any unexpected actions and it has been very effective until now.
Yes, absolutely. If any organization is not utilizing this easiest yet most effective integration, they are missing out on a lot of things. I admit that Microsoft 365 Defender has a very rich incident management and threat hunting experience, but its integration with Sentinel takes it to the next level by being able to automate the responses through playbooks and automation rules. The integration takes merely a click of a button.
The on-boarding and initial deployment is very much automated and has fewer technical overheads in comparison to the above products, as per my experience. Apart from that, once organizations decide to move towards even one of the Microsoft security products, it will make more sense for them to employ Microsoft 365 Defender rather than any other XDR in the market.

Do you think Microsoft Defender XDR delivers good value for the price?

Yes

Are you happy with Microsoft Defender XDR's feature set?

Yes

Did Microsoft Defender XDR live up to sales and marketing promises?

Yes

Did implementation of Microsoft Defender XDR go as expected?

Yes

Would you buy Microsoft Defender XDR again?

Yes

If you have been employing more than 2 products within the Microsoft Security stack, Microsoft 365 Defender is an ideal choice to go for. The reason being a unified and simplified integration without any technical overheads.
If you do not have an XDR solution and the above use case is applicable for you, again look no further than Microsoft 365 Defender.
Although, if you fall into the category of a small business (less than 50-60 users) maybe it is too early for you to go with this offering.
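As an added illustration (not part of the review above, and not Microsoft's own sample), the vulnerability-to-incident correlation and KQL threat hunting the reviewer mentions can be combined in one advanced hunting query: devices that appeared as evidence in recent alerts and still carry critical CVEs. Table and column names are from the Microsoft 365 Defender advanced hunting schema; the 30-day window and the "Critical" severity filter are assumptions.

```kql
// Added example: devices seen as alert evidence in the last 30 days (assumed window)
// that still have unpatched critical-severity CVEs per Vulnerability Management.
let recentAlertDevices =
    AlertEvidence
    | where Timestamp > ago(30d)
    | where EntityType == "Machine" and isnotempty(DeviceId)
    | join kind=inner (AlertInfo | project AlertId, Title, Severity) on AlertId
    | summarize AlertCount = dcount(AlertId), AlertTitles = make_set(Title, 5)
        by DeviceId, DeviceName;
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"   // assumed threshold; lower it to widen the hunt
| summarize CriticalCves = make_set(CveId, 10), CveCount = dcount(CveId)
    by DeviceId, DeviceName
| join kind=inner recentAlertDevices on DeviceId
| project DeviceName, AlertCount, AlertTitles, CveCount, CriticalCves
| order by AlertCount desc, CveCount desc
```

Sorting by alert count first surfaces the endpoints where an open vulnerability and active alert activity overlap, which is the prioritization the review describes doing through the incident page.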
