Ingesting CrowdStrike Falcon® Platform Data into Falcon Long Term Repository
By Arfan Sharif, LogScale Lead Technical Marketing Engineer, CrowdStrike
Threat hunters and security teams need more data about the IT environment to add context to their investigations. Falcon Data Replicator (FDR) supplies that context by letting you pull raw event data out of the CrowdStrike Falcon® platform, so customers can ingest, transform and analyze it as part of their standard process. Most organizations ingest the data into their own data warehouse, run custom analytics and investigations on it, and set an event-retention policy based on the storage they have available.
Ingesting Falcon data into Falcon Long Term Repository (Falcon LTR) makes it immediately searchable alongside your other data sources. Customers can then write correlation searches that span their Falcon data and other data sets to gain new insights and a clearer understanding of their environment.
When a detection draws on several log sources at once, its scope can be defined and narrowed to match specific adversary techniques and behaviors, which means fewer false positives. A detection or finding in one log source can trigger associated searches across the others, so threat hunting and investigations pivot easily across the environment.
Ingesting FDR Data into Falcon LTR
You can ingest FDR data into Falcon LTR without configuring any log shippers. FDR ingest is available for self-hosted LogScale clusters; cloud customers should contact the LogScale Support team. Note: Do not ingest non-FDR data into an FDR repository.
To configure FDR ingest:
Contact LogScale Support to enable FDR ingest for your organization
Getting Insights From Your FDR Data
Once FDR data is flowing into Falcon LTR, you can use the LogScale query language and the platform's other features to get deeper insight into it.
In addition to the FDR parser, the crowdstrike/fdr package ships queries, dashboards and alerts to help you get insights from your FDR data.
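As an added example (not from the original post and not one of the queries shipped in the crowdstrike/fdr package), the query below shows the shape of the correlation search the sections above describe: a process-execution detection that is narrowed by requiring a second event type from the same host, so that either signal alone does not fire. It assumes the crowdstrike/fdr parser exposes the FDR event name as the tag #event_simpleName, and that ProcessRollup2 and DnsRequest events carry the aid, ImageFileName, CommandLine and DomainName fields; the PowerShell command-line pattern and the domain-suffix filter are illustrative choices, not a vetted detection.

```logscale
// Added example, not part of the original page or the crowdstrike/fdr package.
// Run in the FDR repository over a bounded time window.

// 1. Start from Falcon process executions (FDR ProcessRollup2 events).
#event_simpleName=ProcessRollup2

// 2. Narrow to PowerShell launched with an encoded command line
//    (illustrative pattern; tune for your environment).
| ImageFileName=/\\powershell\.exe$/i
| CommandLine=/\s-(e|ec|enc|encodedcommand)\s/i

// 3. Correlate with a second event type from the same sensor (aid):
//    keep only executions whose host also issued a DNS request for a
//    domain under an illustrative low-reputation TLD in the same window.
//    The subquery runs first; field/key both name the sensor id.
| join({#event_simpleName=DnsRequest | DomainName=/\.(xyz|top)$/i},
       field=aid, key=aid, include=[DomainName])

// 4. Present the pivot points an analyst needs to continue the hunt.
| table([@timestamp, aid, ImageFileName, CommandLine, DomainName])
```

Either clause on its own (encoded PowerShell, or a lookup of a domain under an unusual TLD) would be noisy; requiring both from the same aid is what narrows the detection in the way the text describes. The same structure carries over to data that is not from FDR: if the second data set lives in a different repository, point join()'s subquery at it with the function's repo parameter and pick a key both data sets share (for example a hostname or IP address rather than aid). Once the query produces the result you want, save it as an alert or add it to a dashboard alongside the ones the package provides.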