CrowdStrike is expanding CrowdStrike Falcon® Next-Gen SIEM to support third-party endpoint detection and response (EDR) solutions — beginning with Microsoft Defender — with no Falcon sensor required. This evolution will enable organizations to modernize their SOC without replacing existing endpoint agents.
Adversaries are moving faster than ever, exploiting cross-domain gaps across endpoint, identity, network, and cloud. As attacks span tools and environments, security teams are forced to investigate across fragmented systems that were never designed to operate as one.
This challenge is compounded by growing architectural complexity and data visibility tradeoffs. Legacy SIEMs impose a massive “data tax” for full ingestion, while siloed tools create blind spots and disconnected workflows. The result is slower detection, delayed response, and a SOC struggling to keep pace with modern threats.
Falcon Next-Gen SIEM combines index-free, petabyte-scale search performance, AI-native threat detection and investigation, elite frontline adversary intelligence, and agentic automation and orchestration across heterogeneous environments, to deliver a data-agnostic path to agentic SOC transformation — eliminating the data tax while accelerating security outcomes.
Operationalize Microsoft Defender telemetry inside Falcon Next-Gen SIEM to unify detection, investigation, and response — without changing endpoint deployments.
Beyond expanding support for third-party EDR, CrowdStrike is redefining how security data is managed, activated, and operationalized across the SOC. Our latest innovations remove the structural tradeoffs of legacy SIEMs — reducing onboarding friction, eliminating costly duplication, accelerating migrations, and unifying first- and third-party intelligence in a single high-speed console.
What’s New in Falcon Next-Gen SIEM
Recent Falcon Next-Gen SIEM enhancements focus on one critical priority: ecosystem integration without compromise. From intelligent data routing and federated search to third-party intelligence management and AI-powered query translation, these capabilities give security teams the flexibility to use the tools they rely on, while centralizing operations inside the unified CrowdStrike Falcon® platform.
Falcon Onum: Real-Time Data Control at the Edge
Data is the fuel of AI-driven security operations. But duplicated, noisy, or poorly structured data weakens detection and accuracy, inflates storage costs, and slows investigations. The agentic SOC doesn’t need more data — it needs better control over how telemetry flows before it reaches analytics and response systems.
CrowdStrike Falcon® Onum is now natively embedded within the Falcon platform to deliver a unified, in-product experience for real-time data pipelines. Falcon Onum ingests, filters, enriches, and routes data in motion to reduce noise before it reaches downstream systems.
By transforming data at the point of ingestion, Falcon Onum filters noise in real time, delivering up to 5x faster streaming performance and reducing storage costs by up to 50%.¹ By intelligently routing and optimizing telemetry before it reaches downstream systems, Falcon Onum improves data fidelity, lowers infrastructure costs, and helps ensure AI models and detection workflows operate on high-signal, context-rich telemetry. The result is faster detection, more efficient investigations, and a stronger foundation for AI-driven security operations across the entire ecosystem.
Streamline data onboarding and reduce storage costs with intelligent, real-time data transformation built directly into Falcon.

Federated Search: Investigate Everywhere, Ingest What Matters
Falcon Onum introduces a new paradigm for data management by allowing teams to intelligently prioritize and route high-signal data to Falcon Next-Gen SIEM for active investigations while efficiently archiving the remainder to cost-effective external data stores. With federated search, teams can access this data later for compliance, forensics, or ad-hoc use cases. Falcon Next-Gen SIEM is now expanding federated search capabilities to include Falcon LogScale, ExtraHop, and low-cost cloud archives such as Amazon S3 via Athena. Analysts can query network and security telemetry in place without re-ingesting or moving data.
This approach bridges real-time detection with long-term observability. Teams gain immediate access to high-performance Falcon LogScale storage, deep network telemetry from ExtraHop, and archived cloud data — all from a single console. The result is lower storage overhead, preserved investments, and faster investigations without architectural tradeoffs.
Investigate across live, network, and archived data sources in place — without costly re-ingestion or duplication.
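The filter, enrich and route pattern described in the Falcon Onum and federated search sections above, as an added illustration that is not CrowdStrike or Falcon Onum code: noise is dropped before it reaches any downstream system, surviving events are enriched with asset context, and high-signal events go to a SIEM sink while the remainder goes to an archive sink. All events, host names and asset context are constructed.

```python
# Added example, not CrowdStrike or Falcon Onum code: a minimal in-motion
# telemetry pipeline that drops noise, enriches what remains with asset
# context, and routes high-signal events to a SIEM sink while the rest go to
# a cheap archive sink. All events, hosts and context below are constructed.

# Constructed sample telemetry: routine heartbeats mixed with events worth investigating.
SAMPLE_EVENTS = [
    {"host": "ws-01", "event": "process_start", "image": "powershell.exe", "user": "alice"},
    {"host": "ws-01", "event": "heartbeat"},
    {"host": "srv-02", "event": "logon", "user": "svc_backup", "result": "failure"},
    {"host": "srv-02", "event": "heartbeat"},
    {"host": "ws-03", "event": "dns_query", "qname": "update.example.test"},
]

# Constructed asset inventory standing in for a CMDB lookup used at enrichment time.
ASSET_CONTEXT = {
    "ws-01": {"owner": "finance", "tier": "workstation"},
    "srv-02": {"owner": "it", "tier": "server"},
}

NOISE_EVENTS = {"heartbeat"}                     # dropped before any downstream system sees them
HIGH_SIGNAL_EVENTS = {"process_start", "logon"}  # always searchable immediately in the SIEM

def is_noise(event):
    return event["event"] in NOISE_EVENTS

def enrich(event):
    """Attach asset owner and tier so analysts do not have to look them up later."""
    ctx = ASSET_CONTEXT.get(event["host"], {"owner": "unknown", "tier": "unknown"})
    return {**event, **ctx}

def route(event):
    """Decide the destination: 'siem' for active-investigation data, 'archive' otherwise."""
    if event["event"] in HIGH_SIGNAL_EVENTS or event.get("result") == "failure":
        return "siem"
    return "archive"

def run_pipeline(events):
    """Process events in order and return what landed in each sink plus a noise count."""
    sinks = {"siem": [], "archive": [], "dropped": 0}
    for ev in events:
        if is_noise(ev):
            sinks["dropped"] += 1
            continue
        enriched = enrich(ev)
        sinks[route(enriched)].append(enriched)
    return sinks

def noise_reduction_pct(events):
    """Share of raw events that never reached a downstream sink."""
    result = run_pipeline(events)
    return round(100 * result["dropped"] / len(events))
```

In a real deployment the archive sink would be an object store such as Amazon S3, left queryable in place through federated search rather than re-ingested.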

Third-Party Indicator Management Operationalizes Threat Intelligence at Scale
Security teams invest heavily in external threat intelligence, yet operationalizing that intelligence at scale is often difficult. Third-Party Indicator Management enables ingestion, enrichment, scoring, deduplication, and lifecycle management of external indicators of compromise through APIs and document uploads.
With 82% of attacks now malware-free and evading isolated defenses, organizations must rely on behavioral signals and real-time intelligence to stay ahead of adversaries. Third-Party Indicator Management correlates curated indicators with endpoint telemetry, log data, and CrowdStrike’s premier adversary intelligence within Falcon Next-Gen SIEM. This ensures high-quality, actionable intelligence is applied continuously to reduce noise, improve prioritization, and accelerate confident response.
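The indicator lifecycle steps named above (ingestion, normalization, deduplication, scoring and expiry), as an added example that is not CrowdStrike code and does not use the Falcon API: two constructed feeds are merged, duplicate indicators that differ only in case or a trailing dot collapse to one entry, the score rewards corroboration across feeds, and entries past a per-type time-to-live are marked expired. The feeds, confidence values, dates and TTLs are all assumptions.

```python
# Added example, not CrowdStrike code: merge third-party indicator feeds,
# deduplicate, score by corroboration, and expire stale entries.
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed feed exports: (type, raw value, feed confidence 0-100, seen date).
FEEDS = {
    "feed_a": [
        ("domain", "Bad-Example.test", 80, "2025-01-10"),
        ("ipv4", "203.0.113.7", 60, "2024-10-01"),
    ],
    "feed_b": [
        ("domain", "bad-example.test.", 70, "2025-01-12"),
        ("sha256", "A" * 64, 90, "2025-01-14"),
    ],
}

# Assumed time-to-live per indicator type; IPs churn fastest, file hashes slowest.
TTL_DAYS = {"ipv4": 30, "domain": 90, "sha256": 365}

def normalize(ioc_type, value):
    """Canonical form so the same indicator from different feeds deduplicates."""
    value = value.strip().lower()
    if ioc_type == "domain":
        value = value.rstrip(".")
    return value

def ingest(feeds, now=NOW):
    """Return {(type, value): entry} with sources, score and lifecycle status."""
    merged = {}
    for feed, items in feeds.items():
        for ioc_type, raw, confidence, seen in items:
            key = (ioc_type, normalize(ioc_type, raw))
            seen_at = datetime.fromisoformat(seen).replace(tzinfo=timezone.utc)
            entry = merged.setdefault(key, {"type": ioc_type, "value": key[1],
                                            "sources": set(), "confidence": [],
                                            "last_seen": seen_at})
            entry["sources"].add(feed)
            entry["confidence"].append(confidence)
            entry["last_seen"] = max(entry["last_seen"], seen_at)
    for entry in merged.values():
        # Best single-feed confidence plus a bonus per corroborating feed, capped at 100.
        entry["score"] = min(100, max(entry["confidence"]) + 10 * (len(entry["sources"]) - 1))
        age = now - entry["last_seen"]
        entry["status"] = "expired" if age > timedelta(days=TTL_DAYS[entry["type"]]) else "active"
    return merged

def active_indicators(feeds, now=NOW):
    """Only entries still inside their TTL should be matched against live telemetry."""
    return {k: v for k, v in ingest(feeds, now).items() if v["status"] == "active"}
```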