Defender for Identity Equivalent

We had some reps in to talk about moving from Sophos Intercept X XDR to Defender P2 (or the full E5 security stack).

What I really was impressed with was Microsoft Defender for Identity. We're a hybrid org with accounts in AD and synced to Azure. Their demo was impressive.

I'm just wondering what Sophos features are comparable and how they would handle this?



Added tags
[edited by: Gladys at 10:18 AM (GMT -7) on 24 Apr 2024]
  • We don't have a direct equivalent to Defender for Identity, though Intercept X w/XDR does provide some coverage of AD and your Azure AD and MS365 environments. For example, Intercept X w/XDR can ingest MS365 audit logs and generate detections based on suspicious activity. An example is someone creating suspicious mailbox rules in a user's account (after phishing the user, for example). Said mailbox rules are frequently seen for hiding and forwarding malicious email. Another example is detecting "impossible travel," such as the same user having sessions logged in from Russia and the US at the same time. These detections generate "Cases" in the XDR UI and are assigned a priority determined by Sophos X-Ops. Similar detections may be grouped together in a single case.

    Even if you were to adopt the full P2 or E5 stack, Sophos can add value atop it via XDR or MDR. For example, the detections from Microsoft tend to be very noisy. Not every case of multiple user sessions, for example, is malicious. Our detection logic can correlate Microsoft's detections with additional telemetry (from Microsoft or our own tools) and only surface the ones that appear to be a real threat. In the case of MDR, our SOC analysts will investigate and, if needed, remediate threats.

    Microsoft does have an impressive security stack, but we find that many customers still prefer to use Sophos for some or all of their endpoint security and XDR needs. Even for seasoned experts, the complexity of Microsoft's solutions can make it challenging to maximize the technology and achieve the desired security outcomes. Some customers also question the wisdom of leveraging the infrastructure itself (Windows, MS365, etc.) to monitor and perform security for the infrastructure. As I mentioned above, it doesn't necessarily have to be all or nothing. Sophos XDR and MDR can complement and add value to Defender for Endpoint (P1 or P2). But, in our (admittedly biased) view, customers get the best experience, and the best security outcomes, using our platform for protection, detection, and response, and coupling that with secure configuration of the underlying Microsoft platforms.
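    As an added illustration of the kind of detection logic the answer describes (example code, not Sophos or Microsoft logic), the script below runs two checks over constructed Microsoft 365 audit records: it flags New-InboxRule events that carry forwarding or delete parameters, flags consecutive sign-ins whose implied travel speed is impossible, and groups each user's detections into one case. The record shape, the IP geolocation table and the 1000 km/h threshold are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed audit records in the shape of Office 365 Management Activity API events.
SAMPLE_LOG = """
{"CreationTime":"2024-04-24T08:00:00","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.10"}
{"CreationTime":"2024-04-24T08:30:00","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.7"}
{"CreationTime":"2024-04-24T08:35:00","UserId":"alice@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-04-24T09:00:00","UserId":"bob@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"CreationTime":"2024-04-24T09:05:00","UserId":"bob@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.10"}
{"CreationTime":"2024-04-24T19:00:00","UserId":"bob@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.7"}
"""
# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup (documentation ranges).
GEO = {"203.0.113.10": (38.9, -77.0), "198.51.100.7": (55.8, 37.6)}  # "US", "Russia"
# New-InboxRule parameters that hide or exfiltrate mail; MoveToFolder alone is benign.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
MAX_KMH = 1000  # assumed threshold: faster than this between sign-ins is "impossible travel"

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(log_text):
    """Return {user: [detection, ...]}; each user with detections forms one 'case'."""
    cases = defaultdict(list)
    last_login = {}  # user -> (time, ip) of that user's previous sign-in
    for line in filter(None, log_text.strip().splitlines()):
        ev = json.loads(line)
        user, when = ev["UserId"], datetime.fromisoformat(ev["CreationTime"])
        if ev["Operation"] == "New-InboxRule":
            params = {p["Name"] for p in ev.get("Parameters", [])}
            hit = sorted(params & RISKY_RULE_PARAMS)
            if hit:
                cases[user].append(f"suspicious inbox rule using {', '.join(hit)}")
        elif ev["Operation"] == "UserLoggedIn" and ev["ClientIP"] in GEO:
            if user in last_login:
                prev_when, prev_ip = last_login[user]
                hours = (when - prev_when).total_seconds() / 3600
                dist = km_between(GEO[prev_ip], GEO[ev["ClientIP"]])
                if hours > 0 and dist / hours > MAX_KMH:
                    cases[user].append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")
            last_login[user] = (when, ev["ClientIP"])
    return dict(cases)
```

    Running `detect(SAMPLE_LOG)` yields a single case for alice (a sign-in from the US followed 30 minutes later by one from Russia, then a forward-and-delete rule); bob's folder-move rule and ten-hour gap between sign-ins produce nothing.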
