Description
The Analyzer feature in Elastic Security currently supports analyzing alerts from third-party EDR sources like CrowdStrike and SentinelOne, but this support is not documented.
Backport this documentation update to all supported versions starting from 8.18 through 9.1. Additionally, support for Microsoft Defender for Endpoint (MDE) is planned for the 9.2 release.
This is supported for the CrowdStrike FDR integration and SentinelOne Cloud Funnel.
Sysmon (which is part of the Windows integration) can also be described as supported, given that 'winlogbeat with event.module set to sysmon' is supported.
Resources
Analyzer integrations tracking for 8.18: https://github.com/elastic/security-team/issues/11335
CrowdStrike: https://github.com/elastic/security-team/issues/8369
SentinelOne (S1): https://github.com/elastic/security-team/issues/8180 https://github.com/elastic/security-team/issues/8181 https://github.com/elastic/security-team/issues/8050
MDE: https://github.com/elastic/security-team/issues/11591
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
8.18
Serverless release
Week of 1st of July 2025
Collaboration model
The documentation team
Point of contact
Main contact: @raqueltabuyo @dasansol92
Stakeholders: @cpascale43 @tomsonpl @caitlinbetz