What if you could easily extend the retention of your CrowdStrike Falcon® detection data for a year or longer? Would that help with compliance? Investigations? Threat hunts?
In Part 1 of this series, we covered the basics of Falcon Long Term Repository (Falcon LTR). To recap, Falcon LTR is an option available to Falcon customers. It offers a simple and cost-effective way to retain your Falcon detection data long term, which has historically been a costly and complex endeavor for security teams.
This post will share how Falcon LTR can be used to search your long-term Falcon detection data for potential threats.
The Falcon LTR Maturity Journey
Falcon LTR is a versatile piece of technology that follows a maturity journey. Early in the journey, customers can benefit from long-term, cost-effective data storage of their Falcon detection data for compliance purposes. Regulations are tightening across most industries. Today, companies must store data for longer, while the volume and complexity is also on the rise. Workstation events. Browser telemetry. User behavior. A growing network of containers. It takes more effort than ever to wrangle and store the data needed for compliance. Built using the index-free architecture and advanced compression technology of Falcon LogScale, Falcon LTR offers a better, faster, cheaper way to store your Falcon detection data for compliance purposes. This is a popular introductory use of the technology. Next in the maturity journey — and the focus of this post — is threat hunting. Falcon telemetry is a rich source of information for threat hunts. Having long-term Falcon detection data at your fingertips can help you investigate potential breaches and determine how they can be prevented in the future. With Falcon LTR, CrowdStrike makes the process of exporting and storing Falcon detection data faster, easier and more cost-effective. So what can threat hunters do with this long-term telemetry? Let’s get into it.Historical Threat Hunts with Falcon LTR
Here are three common threat hunts you can do with your long-term Falcon detection data.-
Newly installed applications
-
IP to process mapping
-
File entropy
Sub-Second Searches at Petabyte Scale
As we’ve seen, Falcon LTR is a valuable tool for searching your long-term Falcon detection data. But CrowdStrike Falcon® platform customers also realize tremendous speed-to-value when implementing Falcon LTR because of our groundbreaking smart agent and cloud-native architecture. Falcon platform customers can simply add Falcon LTR to their license and turn the capability on immediately. Falcon LTR also makes searching data much faster than traditional setups. The reality today is that most security professionals are frustrated with having to open numerous apps to investigate potential threats. Falcon LTR gives users a single interface to search their Falcon detection data at petabyte scale with sub-second latency. In this post, we examined the benefits of using Falcon LTR for historical threat hunts. In the third post in the series, we’ll explore the final step of the maturity journey: correlating your Falcon detection data with other data sources for even more powerful threat hunting.Additional Resources
- Read Part 1 and Part 3 in this Falcon LTR blog series.
- Visit the Falcon Long Term Repository product page to learn the benefits of storing and analyzing your long-term Falcon platform detection data.
- Watch The Readout: Falcon Long Term Repository, featuring CrowdStrike executives George Kurtz and Michael Sentonas.
- Learn how CrowdStrike is driving the convergence of security and observability with the introduction of Falcon LogScale and Falcon Complete LogScale.