FalconTech 2025 Event Report
Hello everyone!
This year's user event, "FalconTech 2025", was held!
In 2025 it took place at two locations: Osaka (August 7) and Shinagawa, Tokyo (September 5).
This was the first time the event was held in Osaka, and because of a typhoon the Tokyo event was switched to a hybrid format at short notice, but many people still took part online!
In this article we give a digest of the CTF and the panel discussion, along with the real voices of the participants.


Falcon CTF
This is a CTF (Capture the Flag) competition in which participants solve incident response and investigation problems using CrowdStrike Falcon and compete on their skills.
This year's event was again very well received; participants got to try features they would not normally use, with comments such as "It helped me improve my skills!" and "It gave me ideas for training new employees."
This CTF consisted of the following three categories:
- Operational Phase
- Incident Response
- Additional Modules
Operational Phase
This is the low-difficulty category.
The questions use Prevent/Insight features, so every customer can attempt them.
Roughly half of the participants were able to answer them.
Incident Response
This is the most difficult category.
It requires advanced investigation using event search, the process tree, and similar features.
By including the situation in the question text, we created questions that let participants learn the response process for an emergency.
Two questions were answered by only one person each, so the correct answer rate appeared to be low.
Additional Modules
This category covers the additional modules (Spotlight/Discover/ITP/Cloud Security/NG-SIEM/SSPM).
By describing scenarios in the questions, we created questions that help participants understand the benefit of introducing each module.
The correct answer rate for Spotlight/Discover was relatively high, while that for the other modules appeared to be low.
Winners received generous prizes!


[Osaka] Falcon Roundtable Discussion
At the Osaka event, participants exchanged opinions candidly on topics such as what they learned from the CTF and day-to-day operational challenges.
A wide range of topics was discussed frankly, from company-wide operational issues to support structures.
- Operation
- Incident Response
- New features for PIO
- Other modules
Roundtable Digest: Concerns, Ideas, and Insights from the Operational Front Line
Operation
- Log retention
Participants complained that CrowdStrike's log retention period is short, at just one week, and several requested operational improvements for long-term audits and investigations.
*Macnica's note: The retention period for raw event data can be extended by contract. There is also a module that exports raw logs to an external destination.
- Server deployment and support for affiliated companies
Concerns were shared about the state of deployment on servers, management under different modes, and how far operations should be standardized across the whole group and its affiliated companies.
*Macnica's note: Through the paid Health Check meeting service, our staff can also advise on management and operations.
- Application conflicts and resource shortages
- Operational challenges include on-site issues such as conflicts with applications, installation errors, and performance degradation.
- Participants discussed points of contact, procedures for isolating issues, and how the vendor and distributor should provide support when an incident occurs.
- Actual state of policy operation and tuning
Some companies roll out changes gradually, for example "testing the latest policy on a select group and then applying it to production if there are no problems," and others said that "active tuning is being done."
- Keeping up with features and maintaining skills
- Participants shared information on vendor-hosted study groups, Macnica health checks, and various seminars.
- We also heard the opinion that "Falcon University training, which requires a fee, is too expensive to use in the field."
Incident response
- 24/7/365 response readiness
Participants compared how each company's structure and initial response rules differ: how they maintain a standing response structure, reporting flows at night and in emergencies, and what triggers an initial response (CrowdStrike alerts, SOC notifications, etc.).
- Alert analysis and investigation
- Response styles vary. Differences among companies included "stopping once the action is blocked, and whitelisting if overdetection has an impact," "digging deeper only into a few devices, such as those with USB devices connected," and "only a few detections per month, so each is analyzed in detail."
*Macnica's note: Blocked detections are usually given lower priority, but from an incident response perspective we believe the detected content still needs to be investigated: the block stops the action, but it does not by itself explain how the activity reached the host or whether anything else is affected.
- Other comments included "I feel like more alerts are being triggered by things other than EDR recently," "I'm not familiar with alert investigation, so depending on the alert it's hard to dig into the reason for detection, which is frustrating," and "I'd like a collection of standard queries and know-how for alert investigation."
- Alert management and investigation scope
The balance between security and operational cost was once again a hot topic, including how to manage and record alerts and how deep to investigate.
Interest in module utilization and new features
- Additional modules
Some participants shared their outlook, saying "I'd like to know if there are any effective ways to use Discover," and "We're very interested in the ITDR, DLP, and cloud areas going forward."
- Charlotte AI
There was a lot of excitement and many questions about putting AI technology into day-to-day use, such as "Is there a fee?" and "Can it be used to answer CTF problems automatically?"
- Expectations for a know-how and query collection
Following the vendor's move to recommend NG-SIEM as the standard, there was strong demand for Macnica to provide its own collection of standard investigation queries and operational know-how.
Common issues in deployment and operating structures
- The barrier to company-wide/group-wide deployment rates
On-site difficulties were shared, such as "We still have legacy operating systems, such as old Linux, so we can't apply CrowdStrike 100% across the company," and "Even if we want to use it, it's difficult in special environments."
- Requests regarding the support structure
Comments included "It's reassuring how quickly the vendor responds to inquiries via the management console chat. I hope Macnica will also offer chat support in Japanese," and "I wasn't aware that the vendor's chat service existed."
- Education and skill development
Common needs were also seen for seminars and events and for support in obtaining qualifications (CrowdStrike certification).






[Tokyo] Module Hands-On Session
At the Tokyo event, participants experienced how to use new features effectively and the benefits of introducing them through a trial session of additional modules.
Many participants said they could feel the value and benefits of the product, with comments such as "I got a sense of how it could be introduced" and "I learned about specific examples of its use in the field."
The four modules selected for the session were:
- Falcon Identity Threat Protection
- Falcon Cloud Security
- Falcon Next-Gen SIEM
- Falcon Discover/Spotlight
Finally, SSPM, which is attracting attention from everyone, was also introduced:
- Falcon Shield
Summary
Through this event, participants gained:
- "The reassurance of knowing my colleagues' worries and efforts"
- "An exchange of know-how that is truly useful in the field"
- "Even higher expectations for new features and operations"
This once again highlighted the "community value unique to Falcon users."
Macnica will continue to support connections and knowledge sharing among users, and will stand alongside you in solving on-site issues!
Please look forward to the next event!




What is Falcomi? & Preview of upcoming events!
What is Falcomi?
Falcomi is a community exclusively for companies that have introduced CrowdStrike Falcon. Macnica created it as a place where users can use Falcon more efficiently and effectively by exchanging information and sharing the operational know-how that only users have.
<Characteristics of Falcomi>
- You can feel free to ask any question you have.
For example, users can resolve everyday questions such as "How do other companies configure this setting?" or "What should I do when this kind of alert appears?"
- Plenty of community-only events
We regularly plan study sessions and seminars for community members, such as the Meetup held this time and "FalconTech," where participants learn how to use Falcon in a CTF format.
- A wealth of content for beginners, such as how to set things up right after installation
We have prepared videos and documents that resolve the initial configuration questions you may have after installing Falcon, so you can get off to a hassle-free start.
<Next event announcement!>
"Falcomi Meetup Vol.2" is scheduled for December 5, 2025!
We will let you know as soon as the application site opens, so please block off your schedule and wait!
For a report on what Vol.1 was like, please see this article.
The biggest appeal of Falcomi is that user companies can exchange real-world operational knowledge and tips with each other. You can find colleagues you can consult right away about any question, and you can also gain opportunities for in-depth learning at events.
If you would like to make more use of Falcon or learn about other companies' case studies, why not join Falcomi?
*Limited to CrowdStrike user companies and companies purchasing through Macnica.
*If you are not sure whether you purchased from Macnica, please apply first (^^)/
Inquiry/Document request
Macnica Co., Ltd., CrowdStrike team
- TEL: 045-476-2010
- E-mail: crowdstrike_info@macnica.co.jp
Weekdays: 9:00-17:00