Microsoft Defender Experts for XDR is a managed extended detection and response (XDR) service offered by Microsoft, designed to support businesses in protecting their digital environments. Combining artificial intelligence with the expertise of specialized analysts, the service provides proactive monitoring, threat analysis, and targeted recommendations to improve security. With a comprehensive view of threats across endpoints, identities, email, applications, and cloud infrastructure, Defender Experts for XDR helps organizations identify and respond quickly to attacks, dramatically reducing the risk of compromise. In this article we explore the characteristics of the service and what the possible alternatives are if a more personalized approach is needed.
Over the years, the growing number of cyber threats has turned the work of cybersecurity experts into an exhausting back-and-forth with the malicious actors that infest the network.
Security teams have never been so overworked as they are now, and the growing difficulties associated with managing and maintaining corporate security infrastructures can pose a serious challenge even for professionals who have the best tools at their disposal.
Whoever uses Microsoft Defender XDR, however, has an ace up their sleeve: the support of Microsoft professionals, provided through the Defender Experts for XDR service.
This service currently provides coverage for Microsoft Defender XDR incidents and has been designed to provide strong support to cybersecurity teams, reducing their workload and working with them to protect their organization from malicious activities.
Microsoft Defender Experts for XDR offers end-to-end security operations capabilities to monitor, investigate and respond to security alerts. It is designed for customers whose security operations center (SOC) is understaffed, overloaded with alert volume, in need of qualified experts, or all of these.
It also includes proactive threat hunting offered by Defender Experts for Hunting (a separate service that is made available in the Experts for XDR offering).
These experts can take actions based on the roles granted to them in the Microsoft Defender portal. If analysts are given the Security Reader role, they can investigate and provide a managed response for the SOC team to act on. If, on the other hand, they are granted the Security Operator role, they can also take specific remediation actions agreed with the SOC team.
Let's find out more in the next sections.
Microsoft Defender Experts for XDR is an extended managed detection and response service that helps security operations centers (SOCs) focus and respond precisely to incidents. It provides extensive detection and response for customers using Microsoft Defender XDR services: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID.
Analysts will proactively hunt down threats on endpoints, emails, identities and cloud apps, performing the operations on our behalf.
To do this, Microsoft experts will need access to the Microsoft Defender XDR advanced hunting data we hold, and buying this service means giving these experts permission to access that data.
Defender Experts for XDR operational data, such as case tickets and analyst notes, is generated and stored in a Microsoft data center in the United States region for the duration of the service, regardless of where the Microsoft Defender XDR service is stored.
The data generated for the reporting panel is stored in the storage location of the customer's Microsoft Defender XDR service. These and the operational data will be kept for a grace period of up to 90 days after the customer's subscription expires.
If the customer terminates their subscription, the data will be deleted within 30 days. All data used for hunting from existing Defender services will continue to reside in the original storage location of the customer's Microsoft Defender XDR service.
Defender Experts for XDR expands the capabilities of your SOC, combining automation with the expertise of Microsoft security analysts. This combination helps you detect and respond to threats with precision and significantly improve your security posture.
With deep product expertise backed by threat intelligence, Microsoft's professionals can help your security experts:
In addition to constantly updated research and intelligence, tailored to the threats currently detected through the various Microsoft Defender XDR signals, you also receive a managed response from security analysts and support from a Microsoft service delivery manager (SDM).
Let's see the main features of the service in the table below.
To successfully implement business processes within the Microsoft 365 ecosystem, the following skills are needed:
Dev4Side Software has the vertical technical skills to provide you with a single, cross-cutting point of contact for all the elements of your subscription.
Now that we have a better idea of this service, it's time to take a closer look at how it can help us.
Once the Defender Experts for XDR team is ready to start onboarding your organization, you receive a welcome email to continue with the setup and get started.
Select the link in the welcome email to go straight to the Defender Experts settings in the Microsoft Defender portal. The same configuration can also be reached by going to Settings > Defender Experts and selecting 'Get started'.
By default, Defender Experts for XDR requires service provider access, which allows Microsoft experts to log in to your tenant and provide services based on their assigned security roles.
Experts must be granted one or both of the following permissions:
Defender Experts for XDR allows you to exclude devices and users from remediation actions taken by experts and instead receive remediation guidance for those entities. These exclusions are based on the device groups defined in Microsoft Defender for Endpoint and the user groups defined in Microsoft Entra ID.
The service also allows you to determine the people or groups within your organization that need to be notified in the event of critical incidents, service updates, occasional requests, and other recommendations:
Once identified, individuals or groups will receive an email notifying them that they have been designated as contacts for reporting incidents or for reviewing the service.
In addition to email and chat in the portal, you also have the option of using Microsoft Teams to receive updates on managed responses and communicate with Microsoft experts in real time.
When this setting is activated, a new team called the 'Defender Experts team' is created, where managed response notifications related to ongoing incidents are sent as new posts in the 'Managed response' channel. Defender Experts will have access to all messages posted on any channel of the Defender Experts team.
In addition to onboarding, the analysts' experience with the Microsoft Defender XDR product suite allows them to perform a readiness assessment and help us make the most of the Microsoft security products we have purchased.
The readiness assessment is based on the number of devices and identities protected in your environment and on recommendations related to Defender Experts' policies. To view the evaluation, in the Microsoft Defender portal, go to Settings > Defender Experts and then select 'Service Status'.
The assessment consists of two parts:
The list shows the necessary steps that must be taken before starting the service. We prioritize actions with a status of 'Complete now' to start the Defender Experts for XDR service as soon as possible.
The target figures are based on Defender for Endpoint and Defender for Identity licenses; to reach the target number of protected assets, we onboard more devices to Defender for Endpoint or install additional Defender for Identity sensors.
After all the required activities are complete and the onboarding objectives in the assessment are met, your service delivery manager (SDM) starts the monitoring phase of the Defender Experts for XDR service. For a few days, the experts closely monitor the environment to identify latent threats, sources of risk and what constitutes normal activity.
As their understanding of your critical assets improves, the analysts are able to refine their responses.
Once the experts begin carrying out full response activities on behalf of our company, we will begin to receive notifications about incidents that require remedial action and targeted recommendations on critical incidents.
We will also be able to chat with our experts or with the SDMs to resolve any important concerns and to regularly review security and business posture. In addition, we will be able to view real-time reports on the number of incidents that Defender Experts have investigated and solved for us.
Okay, we know what it is and how it works. Only one last point remains: how do you use it?
There are prerequisites that must be met and information you need to know in order to avoid usage errors or misunderstandings about the scope of the service and its functionality.
First of all, Defender Experts for XDR is a separate service from the Defender products that you can license.
To get started with this managed service, the following licensing requirements must be met:
The following products are eligible for Defender Experts for XDR coverage and you must have the appropriate licenses to use the service:
The following products are not covered by this service:
For full native XDR coverage, it is therefore recommended that you deploy the entire Microsoft Defender XDR suite.
The service also covers servers, both on-premises and at hyperscale cloud service providers, as long as Defender for Endpoint is deployed on them with a Microsoft Defender for Endpoint for Server license. For billing purposes, each server counts as a user account. The service does not, however, cover Microsoft Defender for Cloud workloads.
Ask Defender Experts is designed to provide an in-depth understanding of the complex threats affecting your organization. It focuses on the products included in Microsoft Defender XDR (Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity).
As part of the Microsoft Defender Experts for Hunting service, Microsoft customers are awarded 10 Ask Defender Experts credits at the beginning of each calendar quarter, which can be used to submit questions.
Credits not used in the current quarter are carried over to the next, but a maximum of 20 credits can be used per quarter. All unused credits expire at the end of the calendar year or at the end of the subscription, whichever comes first.
Defender Experts for XDR is an extremely useful service that can make a difference in emergency situations.
However, like any standardized solution, it has its limitations and constraints, so it is important to evaluate whether your company needs a more personalized approach than Microsoft can provide.
An excellent alternative is therefore to find a trusted partner, specialized in Microsoft products, who can help your cybersecurity teams build and maintain the digital defenses they need, providing advice and help as required without critical delays.
With a partner, there's no need to reinvent the wheel.
The professionals at Redmond, however good, may not know our infrastructure as thoroughly as someone who has taken the trouble to study it over time, or who built it with us.
So who should I turn to? Well, why not Dev4Side?
With decades of experience in the field of Microsoft technology and recognized as a certified partner by Microsoft itself, Dev4Side can be the perfect ally not only to build, but also to defend and maintain your company's IT infrastructure.
Among its divisions, each with different vertical skills, the Infrastructure & Security team deals with the management of Microsoft Azure and Microsoft 365 enterprise tenants, helping SOC teams to lighten their intense workload.
In addition to configuring and managing the tenant, Dev4Side's cybersecurity experts handle application deployments through DevOps pipelines, optimize the costs of maintaining the security infrastructure, and can lend a hand with monitoring and security processes to ensure the highest degree of active surveillance at all times.
Every company has its needs and a partner like Dev4Side can help any business to work efficiently, offering continuous support and an excellent consulting service to ensure the best possible security posture.
The fight against cyber threats is not a task that can always be faced alone and, given the sheer number of sophisticated and dangerous malicious actors on the network, it does not have to be.
The security of digital infrastructure is a responsibility shared by everyone, and small flaws can do great damage in a short time. It is therefore everyone's duty to adopt the best possible security posture to avoid any type of incident.
Asking for expert assistance is not an admission of incompetence or inexperience; it means actively participating in the collective effort to combat the dangers of the digital world.
Microsoft Defender Experts for XDR presents itself as a good ally in the constant fight for cybersecurity, making available to internal security teams the experience and knowledge accumulated over years of countering the cyber threats that infest the network.
If you think you are at risk, don't waste any more time and seek the help of proven experts, always remembering that if your needs are not in line with Microsoft's 'standard measures', partners like Dev4Side can help build those impenetrable defenses that are needed in an increasingly complex technological landscape.
Microsoft Defender Experts for XDR is a managed extended detection and response (XDR) service designed to help enterprise security teams deal with cyber threats more effectively. The service combines artificial intelligence automation with the expertise of highly qualified human analysts, who work proactively to monitor, investigate and respond to ongoing attacks.
The operation involves an initial onboarding process during which the Microsoft team receives access to the organization's tenant. Once the necessary permissions have been assigned, experts can carry out investigative or direct remediation actions on detected incidents, depending on the assigned role. The activity of the experts is tracked through reports and dashboards, and the interaction can also take place through Microsoft Teams.
The service offers coverage for the main components of the Microsoft Defender XDR suite, including Endpoint, Office 365, Identity, Cloud Apps, and Entra ID. Defender for IoT and Defender for Cloud workloads are excluded.
In order to use the service, it is essential to have active licenses for Defender for Endpoint P2, Defender Antivirus in active mode and Entra ID P1 for all users. In addition, you must have licenses for all the products that you want to include in the managed protection perimeter.
After subscribing to the service, you receive a welcome email that guides you through the configuration. During onboarding, you configure expert permissions, select groups or devices to exclude from automatic actions, and define contacts to notify in case of incidents or critical activities. Onboarding ends when all technical requirements are met and active monitoring by analysts is initiated.
Yes, but only if they are authorized with the Security Operator role. With a more limited role such as Security Reader, they merely provide guidance and suggestions, leaving the final action to the internal team.
Yes, through real-time dashboards and reports it is possible to view the activities carried out by the experts, receive updated statistics and analyze the impact of their interventions on the company's security posture. Notifications can also arrive via Microsoft Teams, if configured.
The service directly manages incident triage, proactively hunts for threats with advanced techniques, provides access to experts through the “Ask Defender Experts” function, and includes regular sessions to review the security status and to suggest continuous improvements.
This is a package of 10 credits awarded to each Microsoft customer at the beginning of each calendar quarter. The credits are used to ask direct questions to the experts through the portal. You can accumulate up to 20 per quarter, but any unused ones expire at the end of the year or when the service ceases.
Yes, the service also covers servers, as long as they have Defender for Endpoint installed and are properly licensed. For billing purposes, each server is treated as if it were a user.
Microsoft offers an extremely effective but standardized service. For specific needs or complex infrastructures, it may be useful to work with a certified partner such as Dev4Side, able to provide continuous and personalized support based on the real needs of your organization.
The Infra & Security team focuses on the management and evolution of our customers' Microsoft Azure tenants. Besides configuring and managing these tenants, the team is responsible for creating application deployments through DevOps pipelines. It also monitors and manages all security aspects of the tenants and supports Security Operations Centers (SOC).