A New Chapter in an Old Rivalry
In a move that would have seemed unthinkable just a few years ago, CrowdStrike has formally integrated Microsoft Defender for Endpoint into its Falcon Next-Gen SIEM platform. Announced last week, this makes Microsoft Defender for Endpoint the first endpoint detection and response (EDR) solution to be integrated with Falcon Next-Gen SIEM, with Defender data now supporting third-party EDR workflows inside CrowdStrike's environment.
The integration gives customers the ability to use Defender telemetry and controls directly within CrowdStrike's platform — a significant capability extension for organizations running heterogeneous endpoint environments.
What the Integration Actually Does
According to CrowdStrike CTO Elia Zaitsev, the platform now ingests Defender data directly rather than through intermediary processes, which accelerates threat detection inside Falcon and enables more sophisticated data management. "We'll tap into that and provide comprehensive security in our platform, even if they're using other endpoint technology," Zaitsev said.
The direct ingestion model also introduces intelligent filtering capabilities. "We can perform intelligent filtering to more efficiently manage which data is being ingested into our platform," Zaitsev explained, pointing to real-time analytics as a core benefit of the new architecture.
Alongside the Defender integration, CrowdStrike launched Falcon Onum, a log data management tool built specifically for Falcon Next-Gen SIEM. Onum is the technology the company acquired last year from a firm of the same name, known for its real-time data pipeline capabilities. The Onum platform enables Microsoft Defender telemetry to be processed at scale within CrowdStrike's environment.
CrowdStrike Enters the Microsoft Marketplace
In a parallel development, CrowdStrike's product portfolio is now available through the Microsoft Marketplace — formerly known as the Azure Marketplace — for the first time. This is notable because, until last month, CrowdStrike was the only major cybersecurity platform provider whose offerings were absent from that marketplace.
The Microsoft Marketplace listing is particularly meaningful for large enterprise customers who have signed cloud usage agreements with Microsoft under the Microsoft Azure Consumption Commitment (MACC) program. Those customers can now apply their committed MACC funds toward CrowdStrike products, reducing friction in procurement.
CrowdStrike has been a listed vendor in the AWS Marketplace since 2017, a partnership that generated $1 billion in annual revenue in 2024. CrowdStrike chief business officer Daniel Bernard described the Microsoft Marketplace entry as opening up an entirely new ecosystem. "It's a whole new ecosystem for us to partner with inside of the world of Azure and Microsoft," Bernard told Dark Reading.
George Kurtz: From Fierce Critic to Partner
The backdrop to this partnership is a history of sharp public criticism from CrowdStrike co-founder and CEO George Kurtz directed squarely at Microsoft. The animosity had deep roots in high-profile security incidents.
Just two years ago, Kurtz was a vocal and pointed critic of Microsoft in the aftermath of intrusions by Midnight Blizzard — also tracked as APT29, Cozy Bear, and Dukes — a threat group affiliated with Russia's foreign intelligence service, the SVR. Midnight Blizzard's most prominent operation came in 2020, when the group injected the Sunburst backdoor malware into the SolarWinds Orion software update pipeline.
Kurtz testified before the US Senate's Select Committee on Intelligence, the congressional body investigating that breach, and described Microsoft's software as "antiquated." He argued that "the threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network," and that the attackers were able to bypass Microsoft's authentication schemes entirely.
In March 2024, Kurtz escalated his rhetoric in an appearance on CNBC, arguing that the SolarWinds incident "really should be called the Microsoft hack because they were a big part of that compromise in terms of having their infrastructure and credentials being compromised."
Kurtz had also publicly criticized Microsoft following a separate breach by a group known as Storm-0558, which exploited vulnerabilities in Microsoft Azure Active Directory — now rebranded as Microsoft Entra. In that incident, hackers used stolen cryptographic keys to forge authentication credentials and gain access to the email accounts of senior US government officials, including then-Secretary of Commerce Gina Raimondo.
Formula 1 as an Unlikely Bridge
The unexpected catalyst for détente between the two companies appears to have been a shared interest in Formula 1 racing. George Kurtz serves as a board member and co-owner of the Mercedes-AMG Petronas F1 team. When Microsoft began exploring a sponsorship arrangement with the team, conversations between the two companies naturally followed — and apparently grew into something more strategic.
"In an interesting way, Formula One sort of brought us together on a more strategic level," Daniel Bernard told Dark Reading. He framed the partnership in pragmatic terms: "The certainties in life are threefold — death, taxes, and Microsoft. So rather than fight, let's find ways that customers can use all of our products, and customers want to do that."
What This Means for Enterprise Security Teams
For security operations teams, the practical implications of this partnership are significant. Organizations that have deployed Microsoft Defender for Endpoint across their environment but use CrowdStrike for SIEM and broader threat detection can now unify their telemetry streams without a full platform migration. The ability to apply intelligent filtering to that data before it reaches the SIEM also addresses one of the perennial pain points in security operations: ingestion cost and noise management.
- Microsoft Defender for Endpoint becomes the first EDR integrated with Falcon Next-Gen SIEM
- Falcon Onum enables large-scale log management and real-time pipeline processing of Defender data
- CrowdStrike is now listed in the Microsoft Marketplace, accessible via MACC committed spend
- The AWS Marketplace partnership, active since 2017, brought in $1 billion in annual revenue in 2024
Whether this marks a lasting realignment or a pragmatic commercial arrangement remains to be seen, but the integration removes a significant gap in CrowdStrike's multi-vendor interoperability story — and signals that even the most entrenched competitive rivalries can shift when customer demand and business incentives align.
Source: Dark Reading