Falcon Next-Gen SIEM Supports Third-Party EDR Tools, Starting with Microsoft Defender

Falcon Next-Gen SIEM is expanding to support third-party EDR solutions, starting with Microsoft Defender, so organizations can extend the AI-native SOC across their ecosystem.

CrowdStrike is expanding CrowdStrike Falcon® Next-Gen SIEM to support third-party endpoint detection and response (EDR) solutions — beginning with Microsoft Defender — with no Falcon sensor required. This evolution will enable organizations to modernize their SOC without replacing existing endpoint agents.

Adversaries are moving faster than ever, exploiting cross-domain gaps across endpoint, identity, network, and cloud. As attacks span tools and environments, security teams are forced to investigate across fragmented systems that were never designed to operate as one. 

This challenge is compounded by growing architectural complexity and data visibility tradeoffs. Legacy SIEMs impose a massive “data tax” for full ingestion, while siloed tools create blind spots and disconnected workflows. The result is slower detection, delayed response, and a SOC struggling to keep pace with modern threats.

Falcon Next-Gen SIEM combines index-free, petabyte-scale search performance, AI-native threat detection and investigation, elite frontline adversary intelligence, and agentic automation and orchestration across heterogeneous environments, to deliver a data-agnostic path to agentic SOC transformation — eliminating the data tax while accelerating security outcomes.

Operationalize Microsoft Defender telemetry inside Falcon Next-Gen SIEM to unify detection, investigation, and response — without changing endpoint deployments.

Beyond expanding support for third-party EDR, CrowdStrike is redefining how security data is managed, activated, and operationalized across the SOC. Our latest innovations remove the structural tradeoffs of legacy SIEMs — reducing onboarding friction, eliminating costly duplication, accelerating migrations, and unifying first- and third-party intelligence in a single high-speed console.

What’s New in Falcon Next-Gen SIEM

Recent Falcon Next-Gen SIEM enhancements focus on one critical priority: ecosystem integration without compromise. From intelligent data routing and federated search to third-party intelligence management and AI-powered query translation, these capabilities give security teams the flexibility to use the tools they rely on, while centralizing operations inside the unified CrowdStrike Falcon® platform.

Falcon Onum: Real-Time Data Control at the Edge

Data is the fuel of AI-driven security operations. But duplicated, noisy, or poorly structured data weakens detection and accuracy, inflates storage costs, and slows investigations. The agentic SOC doesn’t need more data — it needs better control over how telemetry flows before it reaches analytics and response systems.

CrowdStrike Falcon® Onum is now natively embedded within the Falcon platform to deliver a unified, in-product experience for real-time data pipelines. Falcon Onum ingests, filters, enriches, and routes data in motion to reduce noise before it reaches downstream systems. 

By transforming data at the point of ingestion, Falcon Onum filters noise in real time, delivering up to 5x faster streaming performance and reducing storage costs by up to 50%.1 By intelligently routing and optimizing telemetry before it reaches downstream systems, Falcon Onum improves data fidelity, lowers infrastructure costs, and helps ensure AI models and detection workflows operate on high-signal, context-rich telemetry. The result is faster detection, more efficient investigations, and a stronger foundation for AI-driven security operations across the entire ecosystem.

Streamline data onboarding and reduce storage costs with intelligent, real-time data transformation built directly into Falcon.

Federated Search: Investigate Everywhere, Ingest What Matters 

Falcon Onum introduces a new paradigm for data management by allowing teams to intelligently prioritize and route high-signal data to Falcon Next-Gen SIEM for active investigations while efficiently archiving the remainder to cost-effective external data stores. With federated search, teams can access this data later for compliance, forensics, or ad-hoc use cases. Falcon Next-Gen SIEM is now expanding federated search capabilities to include Falcon LogScale, ExtraHop, and low-cost cloud archives such as Amazon S3 via Athena. Analysts can query network and security telemetry in place without re-ingesting or moving data.
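The filter, enrich and route pattern described in the Falcon Onum section above and in this paragraph, shown as an added toy pipeline. This is illustration code written for this page, not Falcon Onum's implementation or configuration: the JSON event format, the asset inventory, the noise list and the routing rules are all constructed assumptions. Events that are pure noise are dropped at the edge, every surviving event is enriched with asset context, and high-signal events go to the SIEM while the remainder is archived for later federated search.

```python
"""Toy streaming pipeline: filter, enrich and route events before they reach a SIEM.

Added illustration, not Falcon Onum code. The event format, the asset
inventory and the routing rules are all constructed for this example.
"""
import json
from collections import Counter

# Constructed asset inventory used for enrichment (hypothetical hosts).
ASSET_INVENTORY = {
    "10.0.1.15": {"hostname": "fin-db-01", "tier": "crown-jewel"},
    "10.0.2.40": {"hostname": "dev-ws-07", "tier": "workstation"},
}

# Event types that carry no investigative value and are dropped at the edge.
NOISE_EVENT_TYPES = {"heartbeat", "debug"}

# Event types that must reach the SIEM regardless of severity or asset.
ALWAYS_SIEM_EVENT_TYPES = {"auth_failure", "process_create", "alert"}


def parse_event(line):
    """Parse one JSON log line; return None for malformed input instead of crashing the stream."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) and "event_type" in event else None


def is_noise(event):
    """Only events on the explicit noise list are dropped; everything else is kept somewhere."""
    return event["event_type"] in NOISE_EVENT_TYPES


def enrich(event):
    """Attach asset context so downstream analytics do not have to look it up."""
    asset = ASSET_INVENTORY.get(event.get("src_ip"))
    enriched = dict(event)
    enriched["asset"] = asset if asset else {"hostname": "unknown", "tier": "unmanaged"}
    return enriched


def route(event):
    """Decide the destination: 'siem' for high-signal events, 'archive' for the rest."""
    if event["event_type"] in ALWAYS_SIEM_EVENT_TYPES:
        return "siem"
    if event["asset"]["tier"] == "crown-jewel":
        return "siem"
    if event.get("severity", "info") in ("high", "critical"):
        return "siem"
    return "archive"


def run_pipeline(lines):
    """Process raw lines; return (events grouped by destination, counters per outcome)."""
    destinations = {"siem": [], "archive": []}
    stats = Counter()
    for line in lines:
        event = parse_event(line)
        if event is None:
            stats["malformed"] += 1
            continue
        if is_noise(event):
            stats["dropped"] += 1
            continue
        enriched = enrich(event)
        dest = route(enriched)
        destinations[dest].append(enriched)
        stats[dest] += 1
    return destinations, stats


# Constructed sample log lines (not real telemetry).
SAMPLE_LINES = [
    '{"event_type": "heartbeat", "src_ip": "10.0.2.40"}',
    '{"event_type": "auth_failure", "src_ip": "10.0.2.40", "user": "jdoe", "severity": "low"}',
    '{"event_type": "file_read", "src_ip": "10.0.1.15", "path": "/var/lib/db/ledger"}',
    '{"event_type": "file_read", "src_ip": "10.0.2.40", "path": "/tmp/notes.txt", "severity": "info"}',
    '{"event_type": "debug", "src_ip": "10.0.1.15", "msg": "cache warm"}',
    "this is not json",
]

if __name__ == "__main__":
    routed, counts = run_pipeline(SAMPLE_LINES)
    print(dict(counts))
    for dest, events in routed.items():
        print(dest, [e["event_type"] for e in events])
```

Two design points matter more than the specific rules. First, the drop list is an explicit allowlist of known-useless event types; an authentication failure tagged "low" severity still reaches the SIEM because low-severity events on an unremarkable workstation are exactly what a later investigation needs. Second, dropped events are gone for good, whereas archived events remain reachable through federated search, so anything with forensic or compliance value is routed rather than filtered.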

This approach bridges real-time detection with long-term observability. Teams gain immediate access to high-performance Falcon LogScale storage, deep network telemetry from ExtraHop, and archived cloud data — all from a single console. The result is lower storage overhead, preserved investments, and faster investigations without architectural tradeoffs.

Investigate across live, network, and archived data sources in place — without costly re-ingestion or duplication.

Third-Party Indicator Management Operationalizes Threat Intelligence at Scale

Security teams invest heavily in external threat intelligence, yet operationalizing that intelligence at scale is often difficult. Third-Party Indicator Management enables ingestion, enrichment, scoring, deduplication, and lifecycle management of external indicators of compromise through APIs and document uploads.

With 82% of attacks now malware-free and evading isolated defenses, organizations must rely on behavioral signals and real-time intelligence to stay ahead of adversaries. Third-Party Indicator Management correlates curated indicators with endpoint telemetry, log data, and CrowdStrike’s premier adversary intelligence within Falcon Next-Gen SIEM. This ensures high-quality, actionable intelligence is applied continuously to reduce noise, improve prioritization, and accelerate confident response.

Figure 1. Turn external threat intelligence into curated, automation-ready indicators that drive faster, higher-confidence detection.

Query Translation Agent Accelerates Migration

SIEM migrations often stall because teams must manually rewrite years of legacy searches and workflows. The Query Translation Agent removes that barrier. Delivered as an in-product CrowdStrike® Charlotte AI™ experience, it automatically translates one-to-one Splunk queries, or even plain-language investigation requests, into CrowdStrike Query Language (CQL).

Analysts can run, refine, and operationalize translated queries instantly within Falcon Next-Gen SIEM, preserving familiar logic while accelerating time-to-value. Organizations can transition from legacy platforms without retraining teams or rebuilding workflows from scratch.

Figure 2. Instantly convert Splunk searches into Falcon-native queries and accelerate migration without rewriting workflows.

The Open, Unified, AI-Native Foundation for the Agentic SOC

AI is changing the speed and scale of modern adversaries. The agentic SOC cannot be siloed or constrained by rigid architectures. It must be unified across domains, extensible across ecosystems, and AI-native by design.

Falcon Next-Gen SIEM brings first- and third-party data and intelligence together under a single data model, powered by real-time pipelines, index-free petabyte-scale search, federated query capabilities, elite frontline adversary intelligence, and agentic automation and orchestration. By unifying endpoint, log, network, and intelligence data within one high-speed platform, CrowdStrike is eliminating the tradeoffs that have defined SIEM for decades.

Organizations no longer need to choose between cost, visibility, and flexibility. They can unify first- and third-party data, reduce the data tax, and modernize their SOC on their own terms. Learn how Falcon Next-Gen SIEM for Third-Party EDR can help you unify heterogeneous environments, eliminate unnecessary data costs, and move at machine speed under one AI-native foundation — without rip-and-replace.

Forward-Looking Statements 

This blog may include discussion of unreleased services or features. Any unreleased services or features referenced here are still in development and subject to change. Customers should make their purchase decisions based upon features that are currently available.

Additional Resources

  • Want to learn more about Falcon Next-Gen SIEM for Third-Party EDR? Visit the Falcon Next-Gen SIEM for Third-Party EDR product page.
  • Establish real-time telemetry control to streamline onboarding and route high-fidelity data across SIEM, AI, storage, and analytics with Falcon Onum.

1 These numbers are projected estimates of average benefit based on internal analysis and recorded metrics provided by customers during pre-sale motions that compare the value of Falcon Onum with the customer’s incumbent solution. Actual realized value will depend on the customer's module deployment and environment.