Top FAQs about CrowdStrike Falcon Next-Gen SIEM

CrowdStrike Falcon® Next-Gen SIEM enhances security operations by integrating data, AI, workflow automation and threat intelligence into a single platform with a unified console and a lightweight endpoint agent. We continue to innovate in next-gen SIEM to power SOC operations, most recently with a series of product updates announced at Fal.Con 2024.

But we’re not stopping there. To further accelerate SOC transformation, CrowdStrike Falcon® Insight XDR customers can now ingest up to 10GB of third-party data per day at no additional cost, experiencing the full power and performance of Falcon Next-Gen SIEM. This 10GB/day offering is available to all Falcon Insight XDR customers.

We recently launched a series of webinars to help customers learn more about utilizing this free 10GB offering. During these sessions, attendees asked a range of questions about how they can best use Falcon Next-Gen SIEM. Here, we share some of their most common questions and how we answered them.

1. Product-Specific Inquiries

These questions cover the general capabilities of Falcon Next-Gen SIEM and how it integrates with other CrowdStrike solutions.

Q: How do we get started with Falcon Next-Gen SIEM?
A: Getting started with Falcon Next-Gen SIEM is easy. We recommend checking out the following resources to help you dive deeper into the platform's features and capabilities:

For additional guidance, explore our technical documentation, which offers in-depth information on setup, configuration and advanced features.

Q: We are a Falcon Complete Next-Gen MDR customer and have managed detection and response from CrowdStrike. What does Falcon Next-Gen SIEM do for us beyond making SOC detections easier?
A: Falcon Next-Gen SIEM adds an additional layer of visibility by collecting, correlating and analyzing logs from various sources, including third-party tools. While Falcon Complete Next-Gen MDR handles endpoint incidents, Falcon Next-Gen SIEM addresses broader security threats across your entire IT environment, enabling a more comprehensive security posture. Falcon Complete Next-Gen MDR enables customers to stay ahead of modern attacks and secure critical assets by offering faster detection, accelerated response and full remediation capabilities.

Q: Can Falcon Complete Next-Gen MDR investigate logs ingested into Falcon Next-Gen SIEM?
A: Yes, if customers purchase Falcon Complete Next-Gen MDR with coverage across third-party data sources, the Falcon Complete team is able to analyze third-party logs and correlate incidents across your entire environment. With third-party data from Next-Gen SIEM, Falcon Complete Next-Gen MDR can detect advanced threats across critical data sources, enhancing investigation, response and remediation to stop breaches earlier in the kill chain. Leveraging unified threat data, Falcon Complete Next-Gen MDR delivers rapid mean-time-to-detect (MTTD) in just four minutes, according to MITRE. Additionally, CrowdStrike analysts provide hands-on remediation to fully eradicate threats from customer environments.

Q: Can Falcon Next-Gen SIEM kick off remediation processes?
A: Yes, Falcon Next-Gen SIEM provides security orchestration, automation and response (SOAR) capabilities through Falcon Fusion SOAR at no additional cost. You can easily build workflows with a no-code workflow builder that enables powerful workflow automation across the Falcon platform and third-party tools. It includes readily available out-of-the-box content, such as integrations and playbooks, available through the newly unveiled content library that allows for quicker use case deployment.

2. Pricing and Licensing

Pricing and licensing concerns frequently arise, especially regarding free tiers and data limits.

Q: Is the 10GB free tier available to all Falcon Insight XDR customers?
A: Yes, the 10GB per day free tier is available for all Falcon Insight XDR customers with a dedicated CID. You can ingest up to 10GB of third-party data each day at no additional cost.

Q: What happens if the 10GB daily ingest limit is exceeded?
A: If you surpass the 10GB daily limit, the additional data will not be ingested unless you have an extended subscription. This setup ensures you stay within your data limits without incurring unexpected costs.

Q: How is Falcon Next-Gen SIEM licensed?
A: Falcon Next-Gen SIEM’s licensing is based on data ingestion volume and the length of retention. You can scale your license according to your needs and purchase additional data capacity when required.

3. Integration and Connector Queries

Many customers inquire about Falcon Next-Gen SIEM’s ability to integrate with other tools and data sources.

Q: Does Falcon Next-Gen SIEM support data connectors for cloud platforms like AWS and Google Workspace?
A: Yes, Falcon Next-Gen SIEM continually expands its library of data connectors. Currently, it supports connectors for many third-party services such as AWS and Google Workspace, with more integrations planned.

Q: Can you onboard on-premises network devices like firewalls, switches and routers?
A: Yes, Falcon Next-Gen SIEM includes data connectors specifically designed for network devices, allowing seamless ingestion and analysis of data. Additionally, Falcon Next-Gen SIEM can ingest syslog data using the Falcon Log Collector.

Q: Can Falcon Next-Gen SIEM ingest Windows event logs?
A: Yes, Falcon Next-Gen SIEM supports the ingestion of Windows event logs. You can use the Falcon Log Collector or other methods to send these logs to Falcon Next-Gen SIEM for analysis.

Q: Can Falcon Next-Gen SIEM be used in operational technology (OT) environments like transportation?
A: Yes, Falcon Next-Gen SIEM is versatile enough to be deployed in OT environments. Its robust log ingestion and analytics capabilities make it ideal for detecting security incidents in industries like transportation, healthcare and energy.

Q: Which log sources are supported by Falcon Next-Gen SIEM?
A: Falcon Next-Gen SIEM supports a wide range of log sources, including Windows event logs, AWS CloudTrail, Palo Alto Networks and Microsoft Office 365, among others. The full list of supported integrations is available on the CrowdStrike Marketplace. In addition to data connectors, Falcon Next-Gen SIEM offers out-of-the-box parsers for many additional log sources.

4. Data Storage, Retention and Security Compliance

Questions related to long-term log storage and compliance frequently arise.

Q: Can Falcon Next-Gen SIEM handle long-term log storage for compliance purposes?
A: Yes, Falcon Next-Gen SIEM provides options for long-term storage and secure retention of logs, meeting various compliance requirements. You can configure retention periods based on your organization's regulatory needs.

Q: Is it possible to increase the data retention period beyond 7 days?
A: Yes, Falcon Next-Gen SIEM offers extended data retention packages. While the default retention is 7 days, you can extend it up to 36 months with the appropriate licensing.

5. Query Language and Search Capabilities

Falcon Next-Gen SIEM’s search and query capabilities are a frequent topic of inquiry.

Q: What query languages does Falcon Next-Gen SIEM use to extract, analyze and visualize data?
A: Falcon Next-Gen SIEM uses the CrowdStrike Query Language (CQL) to conduct advanced searches, extract data and create visualizations. CQL is intuitive yet powerful, enabling users to build complex queries efficiently.

Q: Is there a guide for learning the CrowdStrike Query Language (CQL)?
A: Yes, the CrowdStrike support portal offers detailed documentation on CQL, including tutorials and examples. The language is based on the Falcon LogScale Query Language. Additional resources can be found here.

6. Features and Functionality Comparisons

Customers often compare Falcon Next-Gen SIEM to other SIEM platforms.

Q: How does Falcon Next-Gen SIEM compare to other SIEM solutions?
A: Falcon Next-Gen SIEM offers exceptional performance, scalability and user-friendly interfaces, with deeper integration into other CrowdStrike products such as Falcon Adversary Intelligence, Falcon Insight XDR and Falcon Fusion SOAR. Plus, all of these capabilities are available on one platform and accessible from one user console. This seamless integration is an advantage for organizations already using CrowdStrike solutions. Innovative features such as AI-generated parsers and Investigate with Charlotte AI simplify all aspects of SIEM management, from data onboarding to incident reporting and analysis.

Q: How does Falcon Next-Gen SIEM integrate with Falcon Insight XDR?
A: Falcon Next-Gen SIEM can correlate third-party data with Falcon Insight XDR endpoint data, offering a unified view of security events across the organization. While Falcon Insight XDR focuses on endpoint detection and response, Falcon Next-Gen SIEM extends to all data sources for full visibility. Falcon Next-Gen SIEM also integrates with other Falcon modules, including Falcon Identity Protection and Falcon Cloud Security, offering customers a complete picture of their environment, including identity and cloud activity.

7. Support and Documentation Requests

Customers frequently seek additional resources or support for Falcon Next-Gen SIEM.

Q: Where can I find documentation for setting up connectors in Falcon Next-Gen SIEM?
A: Detailed documentation for setting up data connectors is available on the CrowdStrike support portal, which includes step-by-step guides for various third-party integrations.

Q: Can I get a recording of the recent Falcon Next-Gen SIEM webinar?
A: Yes, webinar recordings are available on the CrowdStrike support portal. After each session, links to recordings are shared for future reference.

8. Log Ingestion and Processing

Log ingestion and processing are critical aspects of Falcon Next-Gen SIEM.

Q: Will there be a way to track how much data we are ingesting?
A: Yes, this information is available on the Data Onboarding page.

Q: What log collection methods does Falcon Next-Gen SIEM support?
A: Falcon Next-Gen SIEM supports log collection via data connectors, as well as the Falcon Log Collector, which supports Windows, Mac and Linux operating systems for collecting files and events.

9. Logging and Monitoring Needs

Some customers inquire whether Falcon Next-Gen SIEM can also handle infrastructure logging and monitoring requirements.

Q: Can Falcon Next-Gen SIEM meet both security monitoring and logging needs for organizations?
A: Yes, while Falcon Next-Gen SIEM is primarily designed for security monitoring, it also includes log management capabilities for infrastructure and application logs.

10. Essential Considerations for 10GB Free Ingest

Customers want to understand the limitations of the free tier.

Q: What are the limitations of the 10GB free ingest?
A: The main limitations are the 10GB daily data ingest cap, the 7-day data retention period, and the lack of access to premium features like correlation rule templates and third-party Falcon Fusion SOAR actions.

Q: Is Falcon Fusion SOAR included in the 10GB free ingest?
A: Falcon Fusion SOAR is available at no additional cost for all Falcon platform customers, but limited to first-party data automation and orchestration. This is also applicable to the 10GB free ingest offer. For third-party orchestration and response, you will need to purchase Falcon Next-Gen SIEM.

CrowdStrike Falcon Next-Gen SIEM addresses the security needs of modern organizations by offering data ingestion, retention, and automated detection and response. As more customers adopt Falcon Next-Gen SIEM, these frequently asked questions help clarify its capabilities, integrations and licensing options.

For further assistance or questions, please visit the CrowdStrike support portal, or contact a CrowdStrike representative for more information.
