Falcon Next-Gen SIEM Supports Third-Party EDR Tools, Starting with Microsoft Defender
CrowdStrike
Archived Mar 23, 2026
Falcon Next-Gen SIEM is expanding to support third-party EDR solutions, starting with Microsoft Defender, so organizations can extend the AI-native SOC across their ecosystem.
March 23, 2026
| Paola Miranda | Next-Gen SIEM & Log Management
CrowdStrike is expanding CrowdStrike Falcon® Next-Gen SIEM to support third-party endpoint detection and response (EDR) solutions — beginning with Microsoft Defender — with no Falcon sensor required. This evolution will enable organizations to modernize their SOC without replacing existing endpoint agents.
Adversaries are moving faster than ever, exploiting cross-domain gaps across endpoint, identity, network, and cloud. As attacks span tools and environments, security teams are forced to investigate across fragmented systems that were never designed to operate as one.
This challenge is compounded by growing architectural complexity and data visibility tradeoffs. Legacy SIEMs impose a massive “data tax” for full ingestion, while siloed tools create blind spots and disconnected workflows. The result is slower detection, delayed response, and a SOC struggling to keep pace with modern threats.
Falcon Next-Gen SIEM combines index-free, petabyte-scale search performance, AI-native threat detection and investigation, elite frontline adversary intelligence, and agentic automation and orchestration across heterogeneous environments, to deliver a data-agnostic path to agentic SOC transformation — eliminating the data tax while accelerating security outcomes.
Operationalize Microsoft Defender telemetry inside Falcon Next-Gen SIEM to unify detection, investigation, and response — without changing endpoint deployments.
Beyond expanding support for third-party EDR, CrowdStrike is redefining how security data is managed, activated, and operationalized across the SOC. Our latest innovations remove the structural tradeoffs of legacy SIEMs — reducing onboarding friction, eliminating costly duplication, accelerating migrations, and unifying first- and third-party intelligence in a single high-speed console.
What’s New in Falcon Next-Gen SIEM
Recent Falcon Next-Gen SIEM enhancements focus on one critical priority: ecosystem integration without compromise. From intelligent data routing and federated search to third-party intelligence management and AI-powered query translation, these capabilities give security teams the flexibility to use the tools they rely on, while centralizing operations inside the unified CrowdStrike Falcon® platform.
Falcon Onum: Real-Time Data Control at the Edge
Data is the fuel of AI-driven security operations. But duplicated, noisy, or poorly structured data weakens detection and accuracy, inflates storage costs, and slows investigations. The agentic SOC doesn’t need more data — it needs better control over how telemetry flows before it reaches analytics and response systems.
CrowdStrike Falcon® Onum is now natively embedded within the Falcon platform to deliver a unified, in-product experience for real-time data pipelines. Falcon Onum ingests, filters, enriches, and routes data in motion to reduce noise before it reaches downstream systems.
By transforming data at the point of ingestion, Falcon Onum filters noise in real time, delivering up to 5x faster streaming performance and reducing storage costs by up to 50%.¹ By intelligently routing and optimizing telemetry before it reaches downstream systems, Falcon Onum improves data fidelity, lowers infrastructure costs, and helps ensure AI models and detection workflows operate on high-signal, context-rich telemetry. The result is faster detection, more efficient investigations, and a stronger foundation for AI-driven security operations across the entire ecosystem.
Streamline data onboarding and reduce storage costs with intelligent, real-time data transformation built directly into Falcon.
Federated Search: Investigate Everywhere, Ingest What Matters
Falcon Onum introduces a new paradigm for data management by allowing teams to intelligently prioritize and route high-signal data to Falcon Next-Gen SIEM for active investigations while efficiently archiving the remainder to cost-effective external data stores. With federated search, teams can access this data later for compliance, forensics, or ad-hoc use cases. Falcon Next-Gen SIEM is now expanding federated search capabilities to include Falcon LogScale, ExtraHop, and low-cost cloud archives such as Amazon S3 via Athena. Analysts can query network and security telemetry in place without re-ingesting or moving data.
This approach bridges real-time detection with long-term observability. Teams gain immediate access to high-performance Falcon LogScale storage, deep network telemetry from ExtraHop, and archived cloud data — all from a single console. The result is lower storage overhead, preserved investments, and faster investigations without architectural tradeoffs.
Investigate across live, network, and archived data sources in place — without costly re-ingestion or duplication.
Third-Party Indicator Management Operationalizes Threat Intelligence at Scale
Security teams invest heavily in external threat intelligence, yet operationalizing that intelligence at scale is often difficult. Third-Party Indicator Management enables ingestion, enrichment, scoring, deduplication, and lifecycle management of external indicators of compromise through APIs and document uploads.
With 82% of attacks now malware-free and evading isolated defenses, organizations must rely on behavioral signals and real-time intelligence to stay ahead of adversaries. Third-Party Indicator Management correlates curated indicators with endpoint telemetry, log data, and CrowdStrike’s premier adversary intelligence within Falcon Next-Gen SIEM. This ensures high-quality, actionable intelligence is applied continuously to reduce noise, improve prioritization, and accelerate confident response.
Figure 1. Turn external threat intelligence into curated, automation-ready indicators that drive faster, higher-confidence detection.
Query Translation Agent Accelerates Migration
SIEM migrations often stall because teams must manually rewrite years of legacy searches and workflows. The Query Translation Agent removes that barrier. Delivered as an in-product CrowdStrike® Charlotte AI™ experience, it automatically translates one-to-one Splunk queries, or even plain-language investigation requests, into CrowdStrike Query Language (CQL).
Analysts can run, refine, and operationalize translated queries instantly within Falcon Next-Gen SIEM, preserving familiar logic while accelerating time-to-value. Organizations can transition from legacy platforms without retraining teams or rebuilding workflows from scratch.
Figure 2. Instantly convert Splunk searches into Falcon-native queries and accelerate migration without rewriting workflows.
The Open, Unified, AI-Native Foundation for the Agentic SOC
AI is changing the speed and scale of modern adversaries. The agentic SOC cannot be siloed or constrained by rigid architectures. It must be unified across domains, extensible across ecosystems, and AI-native by design.
Falcon Next-Gen SIEM brings first- and third-party data and intelligence together under a single data model, powered by real-time pipelines, index-free petabyte-scale search, federated query capabilities, elite frontline adversary intelligence, and agentic automation and orchestration. By unifying endpoint, log, network, and intelligence data within one high-speed platform, CrowdStrike is eliminating the tradeoffs that have defined SIEM for decades.
Organizations no longer need to choose between cost, visibility, and flexibility. They can unify first- and third-party data, reduce the data tax, and modernize their SOC on their own terms. Learn how Falcon Next-Gen SIEM for Third-Party EDR can help you unify heterogeneous environments, eliminate unnecessary data costs, and move at machine speed under one AI-native foundation — without rip-and-replace.
Forward-Looking Statements
This blog may include discussion of unreleased services or features. Any unreleased services or features referenced here are still in development and subject to change. Customers should make their purchase decisions based upon features that are currently available.
Additional Resources
Want to learn more about Falcon Next-Gen SIEM for Third-Party EDR? Visit the Falcon Next-Gen SIEM for Third-Party EDR product page.
Establish real-time telemetry control to streamline onboarding and route high-fidelity data across SIEM, AI, storage, and analytics with Falcon Onum.
¹ These numbers are projected estimates of average benefit based on internal analysis and recorded metrics provided by customers during pre-sale motions that compare the value of Falcon Onum with the customer’s incumbent solution. Actual realized value will depend on the customer's module deployment and environment.