4 Major Falcon LogScale Next-Gen SIEM Updates That Accelerate Time-to-Insights

Next-gen SIEM outshines legacy solutions with radically simple data onboarding and blazing-fast threat hunting

To unlock the speed and scalability of CrowdStrike Falcon® LogScale next-gen SIEM, you must first bring your data into the powerful, cloud-native solution. And with log sources multiplying and data volumes skyrocketing, you need an easy way to collect, parse and enrich your data.


Data onboarding can be complex and time-consuming in traditional SIEM tools. Data engineering teams must contend with countless evolving log sources, formats and ingestion methods. Painful setup processes can overwhelm even the most experienced teams and lead to deployment delays, cost overruns and employee burnout.


We’ve recently introduced an array of advancements for Falcon LogScale to help you ease setup, avoid headaches and power faster security insights. Here are the most notable new features.

1. Get Started Faster with New Marketplace Packages

The Falcon LogScale Marketplace lets you fast-track the setup of next-gen SIEM with turnkey packages that include prebuilt parsers, dashboards, alerts, actions and saved queries. Installed in just a few clicks from the Falcon LogScale user interface, packages in the Falcon LogScale Marketplace make it easier than ever to unlock the potential of your entire security ecosystem.


In the last three months, we have launched over
30 new Falcon LogScale packages to help you use new data sources faster. These packages include parsers that normalize data to a common schema based on an OpenTelemetry standard. The schema allows analysts to search data without knowing the specifics of the data format, and hunt across data sources with ease.

 


With this rapid release of new Falcon LogScale packages, our vision of delivering a comprehensive marketplace for next-gen SIEM is becoming reality. We plan to publish even more ready-to-use content this year to help ease adoption, scale your SIEM deployments and relieve overburdened staff.

 

2. Simplify Data Onboarding with CrowdStream

CrowdStream, a native capability of the CrowdStrike Falcon® XDR platform, transforms how you onboard and manage your log data by directly connecting any data source to Falcon LogScale. Sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to route data to Falcon LogScale to accelerate the adoption of next-gen SIEM while minimizing the complexity and cost of connecting data sources.


CrowdStream not only accelerates the adoption of Falcon LogScale, it gives you visibility and control over your data. You can granularly mask or truncate sensitive data for compliance purposes. In addition, CrowdStream can enrich data with threat intelligence or geolocation information, and optionally remove extraneous fields, null values and duplicate events.


Leveraging Cribl’s observability pipeline technology, CrowdStream offers
out-of-the-box integrations to collect data from a broad set of applications and devices. It can also normalize data into a consistent format before it’s routed to Falcon LogScale, making data immediately actionable for threat hunting and investigations. With CrowdStream, Falcon LogScale provides end-to-end data pipelining and event management to address a broad set of security and compliance use cases with ease.


CrowdStream is available now. Falcon LogScale customers with cloud-native deployments receive 10GB/day of data streaming at no additional cost. Unlimited data streaming is available with the purchase of an additional CrowdStream subscription beginning in February 2024.

3. Easily Extend Detection and Response to Cloud Assets with Amazon S3 Integration

More than 80% of breaches involve data stored in the cloud. As adversaries shift their focus to the cloud, you must expand your realm of visibility and control to your cloud environment.


A perfect place to start is with Amazon Web Services (AWS) data. If your organization is like countless others, you use Amazon S3 object storage to retain your cloud data. You probably store cloud logs, such as AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs, in Amazon S3 buckets. Because many cloud-delivered applications and services can write logs to S3 buckets, you can forward security-relevant logs from a variety of sources to S3 storage and then pull this data into your security and observability tools.


A new Amazon S3 log ingestion feature in Falcon LogScale lets you automatically retrieve logs from S3 buckets for analysis and visualization. Flexible configuration options let you select compression, preprocessing and parser of your choice depending on the format of your data. These
step-by-step instructions explain how to set up this powerful new feature in Falcon LogScale and start hunting for cloud threats at blazing-fast speed.

4. Remotely Manage and Monitor a Massive Fleet of Falcon LogScale Collectors

The Falcon LogScale Collector provides a robust, reliable way to forward logs from Linux, Windows and macOS hosts to Falcon LogScale. Gathering data from a variety of sources, including files, command sources, syslog and Windows events, the Falcon LogScale Collector swiftly sends events with sub-second latency between when a line is written on the host and when it is forwarded to Falcon LogScale.


We’ve introduced a number of enhancements that raise the bar for Falcon LogScale Collector management. For example, a new fleet management feature lets you manage Falcon LogScale Collector instances from the Falcon LogScale management interface. The Falcon LogScale Collector also now gathers CPU, memory and disk usage metrics, allowing administrators to identify and troubleshoot issues. Recent optimizations increase agent performance and resilience, and de-duplicate redundant log data.

Experience Next-Gen SIEM

 

As the future of log management and next-gen SIEM, Falcon LogScale lets you collect up to 1 petabyte of data per day and query data up to 150x faster than legacy SIEMs. Between the new Marketplace packages, flexible CrowdStream observability pipeline, Amazon S3 ingestion and Falcon LogScale Collector advancements, we’ve taken Falcon LogScale to the next level, enabling you to spend more time stopping threats and less time onboarding data.


We’ve also added in-product tutorials and filter alerts, and elevated the user experience with dashboard widgets, PDF reporting and table drill-down options. For a complete list of features, see the
Falcon LogScale release notes.


Our ultimate goal is to offer the world’s most effortless, automated data onboarding across all data sources, and we’re investing inordinate resources to achieve it. The innovations announced in this post are just the beginning.

Additional Resources

Breaches Stop Here