What is incident response really like? [Falcomi Meetup Report]
Introduction
Hello everyone!
Macnica operates "Falcomi," a community where CrowdStrike users gather!
This time, we bring you a report on Falcomi Meetup Vol.1, a user event held in Shinagawa, Tokyo on May 30, 2025. The event was held exclusively for CrowdStrike Falcon user companies, and a full house of 40 people filled the venue with excitement!
The theme of the first meetup was "Incident Response, What is it really like?"
In this article, we will introduce what happened on the day and key points of incident response.

Examples of initiatives by Sega Sammy Holdings, Sansan, and Akatsuki
On the day, each company introduced actual examples of how they are using Falcon, including "How are they actually using Falcon?" and "The difficulties and ideas they came up with when responding to incidents."
- Sega Sammy Holdings: Specific systems and examples for rapid incident response, how to involve management, and a roadmap for future security measures.
- Sansan: Sansan's organizational structure for security operations, the flow from detection to incident response, features that were truly useful, automation efforts, future roadmap, etc.
- Akatsuki: Specific examples of modules used and countermeasures, dashboard examples, how to detect EOS and RFM (Reduced Functionality Mode) using workflows, future roadmap, etc.
Each session is packed with exclusive, specific stories that can only be heard here, thanks to the efforts of those who are working hard in the field.
It was impressive to see everyone in the venue enthusiastically taking notes!

Table Talk: Honest discussion between users
In the second half, the participants were divided into tables of 4-5 people and used sticky notes and whiteboards to hold discussions on the themes of "Lessons learned and realizations about incident response," "Concerns and challenges," "Our company's efforts," and "Future practical actions."
- What specific policies do you have in place?
- What is the actual response and system after detection?
- How do you handle emergency contact and internal coordination if an incident occurs at night?
- Can forensics be automated?
At each table, specific concerns and insights that are not usually heard were exchanged.
During the presentation time, participants shared their perspectives on the field, such as "This is what we do at our company!", "I'm having trouble figuring out XX", "I'd like to try making a script right away!", "The talk on RFM detection was very helpful!", and "I'd like to see some sample scripts for Falcon Py and workflow!", providing an opportunity for participants to discover many new things.

What is important in incident response?
We have summarized the key points that impressed the Secretariat during the heated discussions.
<Point 1> Daily "preparation" determines incident response
- Critical breaches are likely to occur late at night! Organize the flow of reporting to your superiors!
- Confirm emergency contact information, including at overseas bases, and be aware of the need to be able to contact each other at any time (be ready to act immediately if you receive a high alert from Falcon OverWatch).
- It is important to practice incidents on a regular basis!
<Point 2> Reduce human error by automating and systematizing operations
- Consider ways to improve efficiency, such as automatic notifications via Slack, API integration via FalconPy (free to use), and automated device isolation.
- Endpoint logs can be obtained using RTR (Real Time Response).
<Point 3> It is obvious that EDR alone cannot prevent 100% of incidents.
- Make sure to deal with critical vulnerabilities appropriately on a daily basis! (*Falcon Spotlight is effective for vulnerability management!)
- Check that EDR is installed on the required hosts, that its functionality is working properly, and that it is not out of support.
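As an added example (not code from the page, Macnica, or CrowdStrike), the following Python sketches the automation pattern behind Points 1 to 3: severity-based triage of a Falcon alert into a Slack notification, automatic host containment and after-hours paging, plus a daily sensor readiness check for RFM and hosts that have gone silent. The field names (`severity`, `timestamp`, `device.hostname`, `reduced_functionality_mode`, `last_seen`), the thresholds, and the JST business hours are assumptions made for this example, and the alert and host records are constructed. Only `contain_host` touches the real FalconPy `Hosts` service class, and only when credentials are supplied, so the triage logic runs offline.

```python
"""Incident-response automation helpers for CrowdStrike Falcon (added example).

The pure functions work on plain dicts shaped like the "resources" entries
FalconPy returns; only contain_host() calls the real API, and only when
credentials are supplied. Field names, thresholds and business hours are
assumptions made for this example.
"""
from datetime import datetime, time, timedelta, timezone

JST = timezone(timedelta(hours=9))
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)  # assumed on-site hours (JST)
NOTIFY_AT = 50                   # assumed: medium and above -> Slack notification
ISOLATE_AT = 80                  # assumed: critical -> automatic network containment
STALE_AFTER = timedelta(days=7)  # assumed: a sensor silent this long needs a look

# Constructed sample records (not real telemetry). Field names follow the
# Falcon Alerts and Hosts APIs as assumed for this example.
SAMPLE_ALERTS = [
    {"composite_id": "alert-1", "severity": 90, "severity_name": "Critical",
     "timestamp": "2025-05-29T17:30:00Z", "device": {"device_id": "aaa", "hostname": "osaka-fs01"}},
    {"composite_id": "alert-2", "severity": 50, "severity_name": "Medium",
     "timestamp": "2025-05-30T01:00:00Z", "device": {"device_id": "bbb", "hostname": "tokyo-pc17"}},
    {"composite_id": "alert-3", "severity": 20, "severity_name": "Low",
     "timestamp": "2025-05-30T01:05:00Z", "device": {"device_id": "ccc", "hostname": "tokyo-pc18"}},
]
SAMPLE_HOSTS = [
    {"device_id": "aaa", "hostname": "osaka-fs01", "reduced_functionality_mode": "no", "last_seen": "2025-05-30T02:00:00Z"},
    {"device_id": "bbb", "hostname": "tokyo-pc17", "reduced_functionality_mode": "yes", "last_seen": "2025-05-30T02:00:00Z"},
    {"device_id": "ddd", "hostname": "sg-lab03", "reduced_functionality_mode": "no", "last_seen": "2025-05-10T00:00:00Z"},
]
NOW = datetime(2025, 5, 30, 12, 0, tzinfo=JST)  # fixed reference time for the sample


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps Falcon emits ('...Z') on any Python 3.7+."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_after_hours(ts: datetime) -> bool:
    """True outside weekday business hours in JST (Point 1: night-time breaches)."""
    local = ts.astimezone(JST)
    return local.weekday() >= 5 or not (BUSINESS_START <= local.time() < BUSINESS_END)


def triage_alert(alert: dict) -> dict:
    """Map one alert to the automated actions of Point 2, in execution order."""
    severity = alert.get("severity", 0)
    actions = []
    if severity >= NOTIFY_AT:
        actions.append("slack")          # post to the IR channel
    if severity >= ISOLATE_AT:
        actions.append("contain")        # network-contain the host via the API
    if severity >= NOTIFY_AT and is_after_hours(parse_ts(alert["timestamp"])):
        actions.append("page_oncall")    # nobody is watching Slack at 02:30
    return {"id": alert["composite_id"], "hostname": alert["device"]["hostname"],
            "severity": severity, "actions": actions}


def sensor_readiness(host: dict, now: datetime) -> list:
    """Point 3 hygiene check: sensor out of RFM and recently seen."""
    findings = []
    if host.get("reduced_functionality_mode") == "yes":
        findings.append("RFM")
    if now - parse_ts(host["last_seen"]) > STALE_AFTER:
        findings.append("stale")
    return findings


def contain_host(device_id: str, client_id: str = "", client_secret: str = "") -> bool:
    """Network-contain a host with FalconPy (assumed: pip install crowdstrike-falconpy).

    Returns False without calling the API when no credentials are given, so the
    triage logic above can be exercised offline.
    """
    if not (client_id and client_secret):
        return False
    from falconpy import Hosts  # imported lazily; real package and method names assumed
    hosts = Hosts(client_id=client_id, client_secret=client_secret)
    resp = hosts.perform_action(action_name="contain", ids=[device_id])
    return resp["status_code"] in (200, 202)


def main() -> None:
    for alert in SAMPLE_ALERTS:
        t = triage_alert(alert)
        print(f"{t['id']:8} sev={t['severity']:3} {t['hostname']:12} -> {', '.join(t['actions']) or 'log only'}")
        if "contain" in t["actions"]:
            contain_host(alert["device"]["device_id"])  # no-op without credentials
    for host in SAMPLE_HOSTS:
        print(f"{host['hostname']:12} readiness findings: {sensor_readiness(host, NOW) or 'OK'}")


if __name__ == "__main__":
    main()
```

The readiness check is the part worth scheduling daily: an alert from a host in RFM or one that has not checked in for a week is exactly the blind spot Point 3 warns about, and it is cheap to catch before an incident rather than during one.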

<Request from Macnica> Don't forget to configure your OverWatch notification settings!
OverWatch alerts have a proven track record in detecting serious incidents. In particular, attacks targeting overseas bases late at night (Japan time) are increasing, and a delayed response carries a high risk of information leakage.
Some companies have introduced OverWatch but have not configured the alert notification settings. Take this opportunity to check that your company's settings are correct.
How to set it up
*This is posted on Macnica's support site. An ID is required to view it.
*What is OverWatch?
CrowdStrike's Falcon OverWatch is a threat-hunting service in which human analysts detect threats and contact customers directly when critical findings are made, enabling a response to new threats that traditional SOC services cannot address.
On the assumption that advanced threats may slip past the automated detection of NGAV and EDR, it supports multi-layered defense by proactively hunting for threats in ordinary telemetry.
What is Falcomi? & Preview of upcoming events!
What is Falcomi?
Falcomi is a community exclusively for companies that have introduced CrowdStrike Falcon. Macnica created it as a place where users can use Falcon more efficiently and effectively through the exchange of information and the sharing of operational know-how that only users have.
<Characteristics of Falcomi>
- You can feel free to ask any questions you have.
For example, users can solve everyday questions such as "How do other companies do this setting?" or "What should I do when this kind of alert appears?"
- Plenty of community-only events
We regularly plan study sessions and seminars for community members, such as the Meetup held this time, and "FalconTech," where participants learn how to use Falcon in a CTF format.
- There is also a wealth of content for beginners, such as how to set up the system immediately after installation.
After installing Falcon, we have prepared videos and documents to resolve any initial configuration questions you may have, allowing you to get off to a hassle-free start.
▼This is what Falcomi's actual screen image looks like!

<Next event announcement!>
- 7/4 (Fri) Falcomi User Meeting, Module Introduction: "Falcon Discover & Spotlight"
We will take a deeper look at the modules that were also featured in the case study presentations!
If you are interested in vulnerability management and IT asset management, please join us (^^)/
*Applications are limited to Falcomi users.
- August to September: FalconTech Tokyo & Osaka
FalconTech solves problems in CTF format!
The event is scheduled to be held in Osaka on August 6th and in Tokyo on September 5th. We will let you know as soon as the application website opens, so please block it off in your schedule!
You can see last year's event on Sansan's blog.
The biggest attraction of Falcomi is that user companies can exchange real operational knowledge and tips with each other. You can find colleagues who you can consult with immediately about your current questions, and you can also have the opportunity to learn in depth at events.
If you would like to make more use of Falcon or would like to learn about other companies' case studies, why not join Falcomi?
*Limited to CrowdStrike user companies and companies purchasing through Macnica.
*If you are not sure whether you purchased from Macnica, please apply first (^^)/
Inquiry/Document request
In charge of Macnica CrowdStrike Co., Ltd.
- TEL:045-476-2010
- E-mail:crowdstrike_info@macnica.co.jp
Weekdays: 9:00-17:00