CrowdStrike Falcon® Onum
Supercharge your agentic SOC with high-quality, real-time data
Eliminate noise, cut costs, and stop breaches at machine speed.
Adversaries hide in your data noise
With overwhelming data and latency, AI-powered attackers move faster than defenders can respond.
1. 62% of alerts ignored amid overwhelming noise [2]
2. More time spent managing data than analyzing it
3. 51-second fastest breakout time: adversaries outpace your data [1]
4. Blind spots are exploited by adversaries at scale
Accelerate your agentic SOC transformation with real-time data
Power agentic security operations with seamless onboarding, autonomous detection, and faster response.
70% faster incident response with in-pipeline detection [3]
50% lower storage costs with smart filtering [3]
40% less ingestion overhead, fueling better SOC outcomes [3]
Cut the noise. Keep the signal.
Turn fragmented telemetry into structured, enriched data that matters. By cutting noise and amplifying context, Falcon Onum ensures CrowdStrike Falcon® Next-Gen SIEM and SOC teams act on high-fidelity insights, not clutter.
Speed for the agentic era
Falcon Onum delivers up to 5x more events per second than its nearest competitor, processing data in real time rather than with legacy batch-and-store methods. [3] SOCs detect and respond faster to outpace AI-powered adversaries.
Spend less. Defend more.
Don’t pay for data you don’t need. Falcon Onum intelligently filters and routes telemetry, cutting storage costs by up to 50% while freeing budget for what matters most: defending your business. [3]
Stop threats in the data stream
Falcon Onum moves detection upstream into the pipeline, autonomously spotting malicious activity as data flows. By surfacing high-value signals instantly, security teams gain the speed to outpace AI-powered adversaries instead of reacting after the breach.
Pipeline control made simple
Traditional pipelines require heavy scripting and deep engineering. Falcon Onum’s intuitive drag-and-drop UI empowers SOC analysts at every level to shape, enrich, and route data themselves — unlocking agility without complexity.
Validated by analysts. Trusted by customers.
See why organizations trust Falcon Next-Gen SIEM
Adversary-informed intelligence. Delivered at scale. Trusted when it matters most.
FAQs
No. Falcon Onum can be deployed independently to modernize telemetry pipelines, reduce data volume, improve signal quality, and optimize the broader security stack.
When used with Falcon Next-Gen SIEM, Onum accelerates onboarding, enhances data control, enables intelligent data routing, and makes it easier to enrich data in motion.
As an independent solution, Falcon Onum operates as a high-performance, real-time data pipeline that collects, structures, enriches, and routes telemetry across your security and IT ecosystem. Onum provides:
- Real-time parsing and enrichment of logs in motion
- Noise reduction, filtering, masking, enrichment, and data shaping at the source
- Intelligent, multi-destination routing to SIEMs, data lakes, analytics tools, and storage
- Support for in-pipeline detections and transformations for destinations other than Falcon Next-Gen SIEM
In this mode, Falcon Onum gives teams fine-grained control over how telemetry moves across their environment, helping reduce cost, improve data quality, and accelerate downstream tools.
Falcon Onum works alongside both Falcon Next-Gen SIEM and Falcon Complete as a data control and routing layer, but the level of transformation allowed depends on the destination.
Falcon Next-Gen SIEM
- Falcon Onum handles the data control plane, with routing and PII masking into Falcon Next-Gen SIEM
- Falcon Onum sends raw, CrowdStrike Parsing Standard (CPS)-aligned events directly into Falcon Next-Gen SIEM for indexing and detection
- Falcon Onum enriches, filters, and reshapes telemetry before delivering optimized copies to secondary destinations such as data lakes, analytics tools, and third-party systems
Falcon Complete Next-Gen MDR
- Falcon Complete ingests sensor-native telemetry directly, and Onum does not modify or influence this ingest path
- Falcon Onum may process and route copies of telemetry to secondary destinations (storage, analytics, third-party SIEMs), applying masking, filtering, or enrichment only on those branches while preserving Falcon Complete’s full visibility and MDR efficacy
This joint architecture ensures fast onboarding, control over data flow, and full SIEM detection accuracy.
Falcon Onum can apply transformations for secondary destinations, including:
- Field-level masking and tokenization
- Enrichment (GeoIP, asset data, threat intelligence, tags)
- Filtering, suppression, and shaping
- Format normalization (JSON, KV, CSV, XML, and more)
For data flowing into Falcon Next-Gen SIEM, Onum supports:
- PII masking
- Selective routing and copying to cold storage
- Data hygiene actions that do not alter the CPS structure Falcon Next-Gen SIEM requires
This ensures customers gain upstream control while preserving Falcon Next-Gen SIEM detection logic.
Yes. Falcon Onum supports inline detections such as Sigma rule evaluation, IOC matching, and pattern-based triggers when routing to third-party destinations like data lakes, SOAR, observability tools, and external SIEMs.
When used with Falcon Next-Gen SIEM:
- Inline detections are supported only for non-Next-Gen SIEM routes, not for the Next-Gen SIEM ingestion path
- All Next-Gen SIEM detections are performed within Falcon Next-Gen SIEM using CPS-structured raw telemetry
- Falcon Onum can still route the detection results (tags, flags, metadata) to alternate destinations, while keeping Next-Gen SIEM data intact
This gives customers flexibility without impacting Falcon Next-Gen SIEM’s native detection pipeline.
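The FAQ answers above describe two distinct branches: a primary SIEM path that receives events with their structure intact (only field-level hygiene such as PII masking), and secondary branches where copies are filtered, enriched, inline-detected and routed elsewhere. The following is an added illustration of that pattern in plain Python. It is not Falcon Onum code and uses no CrowdStrike API; the GeoIP prefixes, asset inventory, indicator list, pattern rule and log lines are all constructed for the example.

```python
"""Toy streaming telemetry pipeline: parse -> mask -> (enrich, filter, detect) -> route.

Constructed example of the branch model described in the FAQ; not Falcon Onum code.
All reference data and sample log lines below are made up (TEST-NET IP ranges).
"""
import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed stand-ins for GeoIP, asset-inventory and threat-intel lookups.
GEOIP = {"203.0.113.": "NL", "198.51.100.": "US"}          # prefix -> country code
ASSETS = {"web-01": {"owner": "platform", "tier": "prod"},
          "lab-07": {"owner": "research", "tier": "lab"}}
IOC_IPS = {"198.51.100.23"}                                 # constructed indicator list
NOISE_EVENT_TYPES = {"heartbeat", "debug"}                  # dropped on secondary branches
TOKEN_SALT = b"placeholder-salt"  # placeholder; use a managed secret in a real deployment

# Constructed pattern-based trigger (the FAQ's "pattern-based triggers"), evaluated
# after enrichment so it can use enriched fields such as asset_tier.
PATTERN_RULES = {
    "lab-asset-outbound": lambda e: e.get("asset_tier") == "lab" and e.get("event_type") == "connect",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Accept a JSON object or a key=value line and return a flat dict."""
    line = line.strip()
    if line.startswith("{"):
        return json.loads(line)
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def tokenize(value: str) -> str:
    """Deterministic, irreversible field tokenization (keyed hash, truncated for display)."""
    return "tok_" + hashlib.sha256(TOKEN_SALT + value.encode()).hexdigest()[:12]


def mask_pii(event: dict) -> dict:
    """Replace e-mail addresses inside string fields; keys and structure are unchanged."""
    return {k: (EMAIL_RE.sub(lambda m: tokenize(m.group(0)), v) if isinstance(v, str) else v)
            for k, v in event.items()}


def enrich(event: dict) -> dict:
    """Add GeoIP country and asset context from the constructed lookup tables."""
    out = dict(event)
    src = event.get("src_ip", "")
    for prefix, country in GEOIP.items():
        if src.startswith(prefix):
            out["geo_country"] = country
    if event.get("host") in ASSETS:
        out.update({"asset_" + k: v for k, v in ASSETS[event["host"]].items()})
    return out


def inline_detect(event: dict) -> dict:
    """IOC match plus pattern rules; results are attached as tags, not used to block."""
    tags = [f"ioc:known-bad-ip" for ip in (event.get("src_ip"), event.get("dst_ip")) if ip in IOC_IPS]
    tags += [f"rule:{name}" for name, pred in PATTERN_RULES.items() if pred(event)]
    out = dict(event)
    if tags:
        out["detections"] = tags
    return out


@dataclass
class Routes:
    primary: list = field(default_factory=list)    # masked only, structure preserved (SIEM path)
    secondary: list = field(default_factory=list)  # filtered + enriched + detected copies
    alerts: list = field(default_factory=list)     # detection results routed on their own


def run_pipeline(lines) -> Routes:
    routes = Routes()
    for line in lines:
        masked = mask_pii(parse(line))
        routes.primary.append(masked)               # primary branch: hygiene only
        if masked.get("event_type") in NOISE_EVENT_TYPES:
            continue                                # noise dropped only on secondary branches
        copy = inline_detect(enrich(masked))
        routes.secondary.append(copy)
        if "detections" in copy:
            routes.alerts.append({"host": copy.get("host"), "tags": copy["detections"]})
    return routes


# Constructed sample input, one JSON line and two key=value lines.
SAMPLE_LINES = [
    '{"event_type": "login", "host": "web-01", "user": "alice@example.com", "src_ip": "203.0.113.10"}',
    "event_type=heartbeat host=web-01 src_ip=203.0.113.10",
    'event_type=connect host=lab-07 src_ip=10.0.0.5 dst_ip=198.51.100.23 user="bob@example.com"',
]

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LINES)
    print(json.dumps(result.__dict__, indent=2))
```

The point to notice is the asymmetry between branches: the primary copy keeps exactly the keys the parser produced (so downstream parsing and detection logic that depend on that structure keep working), while enrichment fields, noise filtering and detection tags exist only on the secondary copy and the separate alert route.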
1 CrowdStrike 2025 Global Threat Report
2 “SOC Teams: Threat Detection Tools are Stifling Us”, Dark Reading
3 These numbers are projected estimates of average benefit based on company’s own internal analysis and recorded metrics provided by customers during pre-sale motions that compare the value of CrowdStrike with the customer’s incumbent solution. Actual realized value will depend on the customer's module deployment and environment.
4 Results are from a customer case study. Individual results may vary.
*As of June 2, 2025, CrowdStrike has an Overall Rating of 4.7 out of 5 and the most reviews in a 12 month period in the Security Information and Event Management, based on 184 reviews on Gartner Peer Insights™
