Considering a Switch from CrowdStrike to Microsoft Defender for Endpoint?

Asked By TechGuru2921 On

I'm looking into migrating from CrowdStrike to Microsoft Defender for Endpoint as part of our new Microsoft subscription. I've been impressed with the telemetry and visualization capabilities of Defender, but I'd love to hear from anyone who has made this switch recently. Specifically, how has the threat detection rate compared to what you experienced with CrowdStrike? What has your experience been like with usability, adding exceptions, threat hunting, and containment? Are there any standout features you love or dislike? Lastly, do you trust Defender for Endpoint to protect your systems like you did with CrowdStrike?

5 Answers

Answered By AdminExpert22 On

In our setup, we use CrowdStrike for VIPs and servers, while rolling out DFE for the rest. This mix seems to balance cost and risk pretty well. Still, I’ve heard people say they trust CrowdStrike more for sensitive environments, which makes sense given their reputation.

DiligentObserver -

I agree! It seems like we think higher costs equate to better protection, but that's not always the case. I've been considering giving everyone DFE in passive mode for better logging.

Answered By SecurityPro85 On

You can operate Defender for Endpoint (DFE) in passive mode to gather telemetry while still keeping CrowdStrike active. However, I’ve found that DFE requires a lot more tuning to reduce false positives compared to CrowdStrike. It's like fine-tuning a musical instrument, while CrowdStrike seemed more ready to go right out of the box.

InsightfulTechie -

I’ve heard that while in passive mode, DFE doesn’t surface all logging details, especially with ASR rules. Have you seen that too?
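Before trusting the "passive mode for telemetry" approach discussed above, it helps to confirm on a real host which engine is actually primary, whether the MDE sensor is onboarded, and whether any ASR rules are merely configured rather than enforced. The script below is an added example written for this page, not code from the thread or from Microsoft; it uses only built-in Defender cmdlets and the registry locations Microsoft documents for passive mode and onboarding state. The CrowdStrike service name (CSFalconService) and the assumption that you want a server forced into passive mode are labelled in the comments.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session
# on a Windows host that has Defender AV and, optionally, the MDE sensor.

function Get-DefenderCoexistenceReport {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus

    # AMRunningMode is "Normal" when Defender AV is the primary engine,
    # "Passive Mode" when another registered AV is primary, and
    # "EDR Block Mode" when AV is passive but EDR in block mode is enabled.
    $report = [ordered]@{
        AMRunningMode      = $status.AMRunningMode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
    }

    # The MDE sensor runs as the "Sense" service. OnboardingState = 1 means
    # the device has completed onboarding to the tenant.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $report.SenseService = if ($sense) { $sense.Status } else { 'not installed' }
    $report.OnboardingState = (Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # Third-party AV registered with Windows Security Center. This namespace
    # exists on workstation SKUs only, not on Windows Server.
    $thirdParty = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notlike 'Windows Defender*' -and
                       $_.displayName -notlike 'Microsoft Defender*' } |
        Select-Object -ExpandProperty displayName
    $report.OtherRegisteredAV = if ($thirdParty) { $thirdParty -join ', ' } else { 'none' }

    # Assumption: the CrowdStrike sensor is installed as the CSFalconService service.
    $falcon = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue
    $report.FalconSensor = if ($falcon) { $falcon.Status } else { 'not installed' }

    # On Windows Server passive mode is not automatic; it is forced with this
    # documented policy value (ForceDefenderPassiveMode = 1).
    $forced = (Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' `
        -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
    $report.ForceDefenderPassiveMode = if ($null -eq $forced) { 'not set' } else { $forced }

    # ASR rules are enforced by the Defender AV engine, so they do not apply
    # while the engine is passive. Listing them shows configured intent only.
    # Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $asr  = for ($i = 0; $i -lt $ids.Count; $i++) { '{0}={1}' -f $ids[$i], $acts[$i] }
    $report.ASRRules = if ($asr) { $asr -join '; ' } else { 'none configured' }

    [pscustomobject]$report
}

function Set-DefenderServerPassiveMode {
    # Assumption: this is a Windows Server where another EDR should stay primary.
    # Microsoft documents setting this value before the device is onboarded to MDE.
    [CmdletBinding()]
    param([bool]$Passive = $true)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name ForceDefenderPassiveMode -PropertyType DWord `
        -Value ([int]$Passive) -Force | Out-Null
}

Get-DefenderCoexistenceReport | Format-List
```

If the report shows AMRunningMode as "Normal" while a third-party AV is listed, the two engines are both scanning in real time and you are paying the performance cost without the intended split. A non-empty ASRRules value together with "Passive Mode" is the situation the comment above describes: the rules exist in configuration but generate no events, so do not expect ASR telemetry until Defender AV is made primary.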

Answered By RiskManager43 On

When switching, I’d recommend using Intune to uninstall CrowdStrike and deploy DFE. But like you mentioned, I’m more interested in overall experiences too. How are you finding threat detection and usability compared to CrowdStrike?

QueryMaster77 -

We're really aiming to understand if DFE's accuracy and usability hold up against CrowdStrike, especially since support from Microsoft can be hit or miss.

Answered By FortifiedIT22 On

We opted for CrowdStrike Falcon Complete for our small team and it has been a game-changer. Even with the budget constraints and management decisions leaning us towards Defender, I feel secure having CrowdStrike's capabilities backing us up.

StrongholdUser -

I’ve been impressed with CrowdStrike's ability to isolate hosts on the fly. DFE has similar capabilities, but I appreciate the flexibility it offers during incidents.

Answered By CyberDefender99 On

I’ve worked with both for a few years. CrowdStrike is still leading in my opinion, but DFE has made some impressive strides. In some cases, DFE has flagged more items, and the context it provides makes it easier to address issues. However, managing exclusions seems a bit trickier with DFE than with CrowdStrike.
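Since several answers above raise exclusion management as the rough edge in DFE, here is a small helper for adding and auditing Defender AV exclusions locally with the checks a practitioner usually wants: refuse obviously over-broad paths, and verify after the fact that the exclusion actually took effect, because policy-managed devices can silently discard local changes. This is an added example for this page, not code from the thread or from Microsoft. The "over-broad" patterns and the sample CrowdStrike install path are assumptions for illustration.

```powershell
# Added example (not from the thread). Run elevated.

function Get-DefenderExclusions {
    # Snapshot of every exclusion type plus the policy flag that decides whether
    # locally added exclusions are merged with policy-defined ones.
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths                   = @($p.ExclusionPath)
        Processes               = @($p.ExclusionProcess)
        Extensions              = @($p.ExclusionExtension)
        LocalAdminMergeDisabled = [bool]$p.DisableLocalAdminMerge
    }
}

function Add-DefenderPathExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Force
    )

    # Assumption: these patterns represent exclusions that are too broad to be
    # safe (drive roots, bare wildcards, per-user profiles, temp and system trees).
    $tooBroad = @(
        '^[A-Za-z]:\\?$',
        '^\*',
        '\\Users\\[^\\]+\\?$',
        '\\Temp\\?$',
        '\\Windows\\?$'
    )
    foreach ($re in $tooBroad) {
        if ($Path -match $re -and -not $Force) {
            throw "Refusing over-broad exclusion '$Path' (use -Force to override)"
        }
    }

    $before = Get-DefenderExclusions
    if ($before.LocalAdminMergeDisabled) {
        Write-Warning 'DisableLocalAdminMerge is set by policy; local exclusions will be ignored.'
    }
    if ((Get-MpComputerStatus).IsTamperProtected) {
        Write-Warning 'Tamper protection is on; policy-managed exclusion settings may reject this change.'
    }

    Add-MpPreference -ExclusionPath $Path

    # Read back rather than trusting the cmdlet's silence.
    $after = Get-DefenderExclusions
    if ($after.Paths -notcontains $Path) {
        Write-Warning "Exclusion '$Path' is not present after the add; check Intune/GPO policy."
        return $false
    }
    return $true
}

function Remove-DefenderPathExclusion {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    Remove-MpPreference -ExclusionPath $Path
    return ((Get-DefenderExclusions).Paths -notcontains $Path)
}

# Example usage during a CrowdStrike/DFE coexistence period. The install path is
# an assumption; confirm it against the vendor's own guidance for your version.
Add-DefenderPathExclusion -Path 'C:\Program Files\CrowdStrike'
Get-DefenderExclusions
```

The read-back step is the part that matters when comparing this to CrowdStrike's portal-driven exclusions: on an Intune- or GPO-managed device, Add-MpPreference can succeed locally and still have no effect, and nothing in the cmdlet output tells you so.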
