
Introduction to the Falcon Data Replicator

Introduction

In this guide we’ll go over the Falcon Data Replicator at a high level and how it can be used within your organization. The support guide provides more detailed technical information about implementation and can be found in the Falcon Console in the Support App:
https://falcon.crowdstrike.com/support/documentation/9/falcon-data-replicator-feature-guide


What is the Falcon Data Replicator?

The Falcon Data Replicator is a means to pull your raw event data from Threat Graph (aka the Falcon Platform). Once the data is pulled, it can be ingested, transformed, and analyzed as your organization requires. Most organizations ingest the data into their own data warehouse, perform custom analytics and investigations, and define an event retention policy based on the storage available to them.

Below is a high-level overview of the Falcon Data Replicator data flow. In essence, endpoints generate raw event data, which is ingested into Threat Graph; CrowdStrike hands off your raw event data by placing it in an AWS S3 bucket; you then pull your data and manage it from there.


Who needs the Falcon Data Replicator?

The Falcon Data Replicator is used most by teams who have data warehousing capabilities, in-house analytics tools, and a need to retain raw event data beyond their Falcon Platform retention period.


How does it work?

Support Creates S3 Bucket

To start, contact CrowdStrike support. At your request they will create a CrowdStrike-managed Amazon Web Services (AWS) S3 bucket for short-term storage, as well as an SQS (Simple Queue Service) account for monitoring changes to the S3 bucket. This S3 bucket has a 7-day retention policy by default, because the data is intended to be pulled out of it for longer-term retention.

You Pull & Process Event Data

Once the raw event data is flowing, you are responsible for pulling the data from the S3 bucket. The Simple Queue Service (SQS) simplifies this process by publishing any file changes to the S3 bucket. You can use a script to monitor the SQS account for published changes, which removes the tedious need to scan for directory and file changes yourself.

Important: Review the sample script given in the Falcon Data Replicator Feature Guide.
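As an added illustration of the pull-and-process step (this is not the Feature Guide's sample script, and CrowdStrike has not published it), the sketch below consumes one batch of SQS notifications and mirrors the referenced S3 objects to local disk. It assumes each message body is JSON naming the bucket and a `files` list with `path` entries (an assumption of this example; the Feature Guide documents the real schema), and that `sqs` and `s3` are boto3 clients for the queue and bucket support provisions.

```python
import json
import os

# Constructed sample body; the field names are an assumption of this example.
SAMPLE_NOTIFICATION = json.dumps({
    "bucket": "example-fdr-bucket",
    "files": [{"path": "data/example-cid/part-00000.gz", "size": 1024}],
})


def parse_notification(body: str) -> dict:
    """Turn one SQS message body into {"bucket": str, "files": [object keys]}.
    Rejects bodies naming no bucket/files and keys that could escape dest_dir."""
    msg = json.loads(body)
    files = msg.get("files") or []
    if not msg.get("bucket") or not files:
        raise ValueError("notification names no bucket or files")
    keys = []
    for entry in files:
        key = entry["path"]
        if key.startswith("/") or ".." in key.split("/"):
            raise ValueError(f"unsafe object key: {key!r}")
        keys.append(key)
    return {"bucket": msg["bucket"], "files": keys}


def pull_batch(sqs, s3, queue_url: str, dest_dir: str) -> list:
    """Receive one batch of notifications, mirror each referenced object under
    dest_dir and return the local paths written. A message is deleted only after
    all of its files are on disk, so a crash mid-batch makes SQS redeliver it
    after the visibility timeout instead of silently losing that data."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                               WaitTimeSeconds=20, VisibilityTimeout=300)
    written = []
    for msg in resp.get("Messages", []):
        try:
            note = parse_notification(msg["Body"])
        except (ValueError, KeyError, TypeError):
            continue  # leave malformed messages queued for the redrive/DLQ policy
        for key in note["files"]:
            local = os.path.join(dest_dir, *key.split("/"))
            os.makedirs(os.path.dirname(local), exist_ok=True)
            s3.download_file(note["bucket"], key, local)  # boto3 S3 client call
            written.append(local)
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
    return written
```

For a live run, pass `boto3.client("sqs")` and `boto3.client("s3")` together with the queue URL support provides, and loop over `pull_batch` so the objects are copied out well inside the bucket's 7-day retention window.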


How do I enable it?

Before enabling the Falcon Data Replicator, be sure to review the technical support feature guide to gain a fuller understanding of the requirements. Once you have that understanding, work with CrowdStrike support as described above to enable the Falcon Data Replicator for your organization.
