Falcon LogScale Reviews

I primarily use CrowdStrike, along with some other solutions. I have been using Falcon LogScale for approximately a year now.

I like Falcon LogScale for threat hunting primarily. I use it to make queries to see what is in my environment. I am curious about what a user is running and what websites are being accessed. I may have some websites I expect users not to visit, so I use it to query such websites. If I find one, I also correlate across the board to see who is accessing that website. I also use it for executables and threat hunting. I look for certain executables in my environment to see if my customers, users, or staff are making use of certain applications. I can run correlations across the board, and then analyze processes.

You can use it to customize your monitoring. You can have a schedule for your queries such that you can write a query to do certain actions when an event occurs. You can also use it together with Falcon Workflow. Falcon Workflow can help you correlate or find data on your mail server, for instance. What you identify on your mail server could be a trigger for many more operations that the SOC analyst would usually do.

Falcon LogScale's search and visualization features are useful for anomalous detection.

The biggest advantages of Falcon LogScale are the speed at which the queries return to you and the ease of use. The dashboard is simple, and when I write my queries, I can see how to make use of some quick queries. I can search for some queries and use Charlotte AI to help me. With Charlotte AI, you can get Falcon AI to give you a query. You can describe what you want to do in English, and it converts it to a query language for you to use.

Integration is seamless. Even if you do not have a product already on the marketplace, there are many products available. You have easy integration if you are using a product on the marketplace. However, if you have a product that is not on the marketplace, you can easily create a parser for it.

You can use it to customize your monitoring. You can have a schedule for your queries such that you can write a query to do certain actions when an event occurs. You can also use it together with Falcon Workflow. Falcon Workflow can help you correlate or find data on your mail server, for instance. What you identify on your mail server could be a trigger for many more operations that the SOC analyst would usually do.

CrowdStrike is ahead of the game. If I may say anything about Falcon LogScale to improve the services, I would talk about the way you develop parsers. The documentation should be more straightforward. It is not easy to quickly find the documentation, especially if you are using CrowdStrike. Most customers use Falcon LogScale because of CrowdStrike. The documentation of Falcon LogScale is not on the CrowdStrike portal just like the rest of Falcon documentation. I usually find that the main Falcon LogScale documentation is found on the Falcon LogScale website itself. I think there should be a link or direct documentation within the CrowdStrike pages. It is not necessarily a fault. If you find where the documentation resides, you can trace it to what they are doing. However, for the ease of use for Falcon administrators, the same documentation on the Falcon LogScale portal should be on the CrowdStrike dashboard.

I have been using Falcon LogScale for approximately a year now.

I have never had a downtime.

Everything that powers Falcon LogScale platform is run by CrowdStrike itself, so they have enough resources. Falcon LogScale is scalable. You can easily integrate several cloud assets to the platform. You could integrate as many endpoints as you want within a fraction of seconds, and it accommodates the number of resources that you integrate with it while maintaining the same response time. The overhead is very affordable and very scalable.

CrowdStrike support is not good. There are times when I am close to an expert in using the platform. I know what I am doing, so when I have done my due diligence and research and put it in the support ticket with my findings, they should not come back asking for the same questions. What they need to do is take it from there. If they need to verify it, they need to connect with me on a call and see it. However, after waiting for about two days or a day at the minimum to reply, they respond by asking the same questions you have already given them. It seems like there is a script. They only give you support engineer one, and the person is always following a script instead of reading everything you are asking. I am currently handling a case that demonstrates this issue. I would rate the support as two out of ten. I would say four for the eventual response when the engineers come on board, as they flow well. However, for the support generally, two still outweighs the four.

I no longer use CyberArk.

The setup is on cloud.

I am a partner, but I also use the partnership to work with customers. I deploy for customers and encourage them to use Falcon LogScale.

The speed at which your queries return results is astonishing. It saves several hours of waiting for queries to come back. You save man hours, and man hours convert to business time and money time as well. For Falcon LogScale, I would say the return on investment is between 20 to 40 percent.

For Falcon LogScale, I think the pricing is moderate. It is an enterprise defense solution, so on its scale, I think it is moderate. Customers do not really complain, especially if you are matured enough as an enterprise with that maturity. CrowdStrike is what you should be using. For what CrowdStrike gives to you, it is moderate for its price.

I do not consider alternate solutions.

I am also involved with Airlock and sometimes use Airlock application control too. One of the requirements is to have a SIEM. For you to be able to have visibility into everything going on in your environment, I think it pretty much meets compliance. I provided this review a rating of eight out of ten.

Public Cloud

Other

I work as a security consultant for customers. I am currently working on multiple solutions including Trend Micro, CrowdStrike, and Microsoft. I have over 14 years of overall experience, but I would reduce around four years from that period since I was working in a BPO. After those four years, I have been working with a different company as a consultant, so I would say I have 10 plus years of experience in this field.

From Falcon LogScale, NG SIM is very useful. Apart from that, exposure management is very useful. I have been working a lot with identity protection, which is also very useful. SQL is also very efficient and fast as a query language. The dashboard is customizable, which is a very good feature they have provided, and we have a single portal that gives all the features together.

I have not worked on that particular part, but regarding improvement, KQL seems to be quite complicated and we have to brush up on that if we want to become an expert on it. KQL is a bit challenging for us. When we talk about Microsoft, KQL is simpler when compared to SQL. However, SQL is faster and quite efficient, but the language is a bit tough, maybe because it is new. I have just been working with it for the past two years. If I have more exposure in the coming years, it will become an easier option for me.

KQL should be simplified, which would be a better thing. The documentation should not only be private but should be made public. Though we are partners and have access to those documents, sometimes I conduct testing on my own and have to log into a partner account or customer account to access those documents. That has to be improved. SQL has to be improved as well. When it comes to the overall Falcon LogScale console, it could be easier if it were made more attractive. For example, if something is shown on the dashboard with simplified icons and text, it would be a great option if there were some colors or larger icons. One drawback I have seen with Falcon LogScale is that there is something that cannot be customized. There is an account detection that seems to be a systematic account, and if we want to change it from a systematic account to a user account when it is detecting a system account, that seems to be a problem for us.

I have been using this solution for two years.

Falcon LogScale gives a clear view of what exactly has happened from the beginning. When we compare those with different log sources, we conclude that we know exactly what has to be done and what has happened. That is a bright option that Falcon LogScale has granted us.

The plus point with Falcon LogScale is that we do not have to decide what exactly we need since all has been decided and defined in Falcon LogScale. It picks up everything and all the aggregates from different sources. If there is a critical incident with an associated IP, associated user, endpoints, or whatever factor it is supposed to associate, it associates it by default and makes our life easier, making the SOC life easier.

We have an email system and a support link in Falcon LogScale console itself. This is the same as it goes with other solutions like Microsoft, Trend Micro, and Splunk. It is easier and the same for all the services. I have raised multiple queries, and we have been using Falcon Complete and Falcon Admin as well. In both cases, I have not seen any delay or any issues when it comes to supporting us. Recently I came across a particular log source that was not getting ingested using the event hub for Microsoft. We had three to four calls, and finally we got it sorted. We have been getting updates on a regular basis. There was no such day that we have not seen an update. We got into two or three sessions and we were able to fix it. I would rate customer service as 8.5 out of 10.

Positive

The initial setup is quite good. I have compared multiple solutions like Microsoft and Trend Micro. Falcon LogScale seems to be a better option with better visibility when it comes to the dashboard and the kill chain process, including the attack surface. I would not say it is quite easier, but we have complete documentation available. If we follow that documentation quite carefully, it is very straightforward. They have clearly explained how to proceed and deploy it, so I would not say it is easier, but it is very well-defined.

Pricing is good because we have everything. When we talk about the logs that we are ingesting in Falcon LogScale, it is ingesting only the logs that are required, not the unnecessary logs. The index feature is inbuilt, the parser is inbuilt, and everything is inbuilt. I believe when it comes to log ingestion, it is comparatively low compared to any other services like Microsoft, Trend Micro, or Splunk.

As far as I know, I have been working only with Falcon LogScale and I have not had the opportunity to explore some other log scales. But currently, in the market and in the business, Falcon LogScale seems to be a better option than any other workspace or any other log source for log management.

When it comes to Falcon LogScale, it is better compared to Microsoft. When we talk about scaling it from one to ten, I would give it somewhere around nine, especially in terms of retention. It is completely aligned with compliance and audit, so I do not see any trouble there. I would note that not only Falcon LogScale but also Microsoft and Trend Micro are okay with compliance and audit. I would rate everyone on the same scale for compliance. Overall, I would rate this solution an 8 out of 10.

I am working with both Falcon LogScale and CrowdStrike Endpoint for log management. The primary use cases are related to firewall, proxy, endpoint, and Okta, with the final use case being the email gateway.

The most valuable features include the correlation rules, as I receive inbuilt correlation rules for all the technologies separately, and I do not need to work on the algorithms for that. The workflows which are inbuilt, having inbuilt templates to utilize and automate the use cases, is the most useful part.

I also utilize the query language, SQL, CQL, and the dashboards, which are very good features to get the details on the dashboard. The dashboards and query language have helped me customize my monitoring and required results. If I want to filter out things as per the requirement and as per the logs required by the management, I can do so and utilize those filters in the dashboard as well. This is a very good feature, and searching is very fast, taking very little time compared to other SOC services or other SOC software like QRadar, IBM, and Splunk.

The insights from Falcon LogScale show me all the metadata that a user had, even if they clicked somewhere or sent a request outside the organization to collect data. These insights include the applications installed on the machines, workstations, and the time when the user logged in. These insights are very helpful.

There should be some tagging in Falcon LogScale. As I am tagging the endpoints for different domains and locations, the firewall should be tagged as well so that in the detections I can get the firewall name or the source name and source host name from which I am getting the information. If I have multiple sources in the correlation detections, I need those details of the multiple sources. It should be prescribed and very effective to understand Level 1s and share those details with the concerned team so that they can fastly proceed with the triage on the detection and take action.

The price is, without question, very costly for any organization that has more than 1,000 or 2,000 users. It is still costly because for more than 10,000 users, one can go with Falcon LogScale, but for less than 10,000 users and more than 2,000 users, it is very costly.

The product is scalable, but the support needs to be updated. The support team should be fast because there is a very slow response. Support should be faster because if a ticket has been raised, it should not go to the support engineers who are sitting abroad or outside India. It should be segregated and sent to the IST support team who is managing support in India. Once anybody gets into it and answers it, if they are not available in that particular shift according to IST, that can delay the response on the case and might have a bigger impact on the environment.

The support team is pretty slow. They should improve first-level support quality. They usually avoid coming on a remote session to understand the exact scenario because there are issues related to different scenarios. Writing a few things on the case would not make them understand the exact situation I am facing. They should come on a remote session at least once on an immediate basis so that I can make them understand things, which will help in providing a resolution as soon as possible.

I have been using Falcon LogScale for around two years.

The initial setup for Falcon LogScale was not straightforward. It took a little time to understand the scenario, such as what exactly the management required, because there is a multiple domain environment. It is not easy to get remote access to all the servers and update or upgrade the agents. Falcon LogScale team helped me to create a separate agent and understand that it should be done remotely in all environments and all domains to install Falcon LogScale, and then it worked. It took some time, but other than that, it is fine.

For the deployment, I needed two or three persons. I did the deployment with not more than that, and I do not require a whole team for that.

I have not seen a return on investment.

Falcon LogScale is used in my company, where I am working. The approximate number of users is around more than 50,000 users, nearly 50,000 to 70,000 users, so it is a big company.

There are still lots of technologies. One security product is not allowing integration, and I think if I want to integrate some other security products, that is not easy. There should be some easy way to integrate the security products as well, including cloud security or other things. I know that Fortinet is working fine, and I am getting logs from Fortinet, Check Point, and Palo Alto, but if I come with the Oracle security or the cloud security part, everything is custom. I have to create a custom connector and a custom parser, and then the PS team comes into the picture. I understand this is for a business perspective, as companies include the PS teams, and there should be some value for money they want to earn, but the basic integration for security solutions should be there.

Falcon LogScale is meeting my organization's compliance and audit requirements completely, with no issues.

I would rate this product an 8 out of 10.

Hybrid Cloud

Other

Falcon LogScale is our SIEM solution. We collect a lot of logs to this solution, and then we can analyze them there.

We are using Falcon LogScale to obtain a lot of information that is interesting for us. Beyond the things that CrowdStrike has alerts for, we would like to know special things, such as if something special is happening. It was very easy to go to Falcon LogScale and create dashboards and queries that are based on special reports that we need. For example, we would like to know if there is any admin that is actually logged in during the night. If so, we would like to know when, why, where, and what they have done. This is something that is not so common with other companies, but for us, it is very important to know. We have built our own customized solutions and we are using the product to help us see things that are focused on our needs.

We are using Falcon LogScale many times to be able to identify anomalies. We try to see if something is happening now that never happened before at this time. This does help us, and this is one of our main reasons to use this solution.

The first thing is that we are using CrowdStrike for other usage. We do have IDP, EDR, and XDR. For us, the integration with Falcon LogScale was seamless. It was very simple to deploy. CrowdStrike gave us a lot of flexibility and abilities based on their solutions. When we are using Falcon LogScale, it is very easy for us to contain all of the logs and then investigate them. The integration was seamless for us, and the ability to get information from our data was very easy.

Falcon LogScale's insights give you a lot of information that an expert already thought would be valuable for you. For us, it is an expert telling us to look at A, B, C, as those might be relevant to you. We think this has improved us very well. We like this kind of solution. We do have other solutions that give us similar insights, and we think it is very valuable.

One area of Falcon LogScale that I think could be improved is that it is a bit complex. Whatever is easy to use and has a lot of automation and ability to query the product is very easy, but if you want to do something that is not built into the product, if you want to query something special, it becomes a regular SIEM, which is not so easy to query. What they have done now is added what is called Charlotte AI, which is their new AI capabilities that can help with this. If you had asked me a few weeks ago, I would have said that the AI integration was not easy, but now it is built-in, so it has become easy. They solved this problem.

Falcon LogScale's data retention capabilities are one of the things that we are currently not covering completely. We do have the ability to retain the data with Falcon LogScale. We do have the requirements for that. However, we are not one hundred percent there yet. For us, it is a good solution, but we are not sure in terms of the cost. We do have the requirements to retain the data for two years, and we are not retaining the data for two years in Falcon LogScale. We have not decided yet to do that. Currently, we are using other types of backups like traditional backup to keep the data outside and then to store it in very cheap locations. We are thinking about it.

Falcon LogScale was declared about one year ago. Since it was declared, we started using it immediately. We were using CrowdStrike before, but Falcon LogScale has been declared for about a year, and then we started using it right away.

We did not have any problems with Falcon LogScale in terms of stability and reliability.

Falcon LogScale is cloud-based, so it is scalable. We do not have any limits with that.

We use the documentation, official guides, and manuals provided by CrowdStrike for Falcon LogScale.

The information contained in Falcon LogScale's documentation is very clear. As I said, we managed to deploy the product, and we did not have any problems with that. I would say that this is one hundred percent satisfactory.

Positive

We do use other solutions as well. For us, for example, we use other SIEM solutions. We have QRadar and we have other solutions that are basically doing the same thing. We still use QRadar. We want to cover ourselves from different angles.

For us, QRadar is a more traditional solution, while CrowdStrike and their insights are something more of a next-generation solution. They provide us with insights that we do not usually get from other solutions. We use both methods for us. This is why I did not say that we saved money because we still own the other solutions as well.

For us, the initial setup and deployment of Falcon LogScale was pretty straightforward. It just worked because we were already using CrowdStrike. The only thing was to push the data from other types of data to it, which is very straightforward and simple. We did it internally, and it was straightforward.

We did not use anyone's help for technical support, integrator, reseller, or consultant. We just did it ourselves. Basically, on most of the things that we do with CrowdStrike, about ninety-nine percent of the things, we do it by ourselves.

I have definitely seen ROI with Falcon LogScale so far.

The thing with pricing and licenses for Falcon LogScale is that we are under a national tender. I am not sure that the pricing that we pay is actually the pricing that others are paying. For us, it is a very cost-effective solution. I am not sure that CrowdStrike is considered to be a cost-effective solution, but for us, because of the national tender, it is a cost-effective solution.

We do use other solutions as well. For us, for example, we use other SIEM solutions. We have QRadar and we have other solutions that are basically doing the same thing. We still use QRadar. We want to cover ourselves from different angles.

For us, QRadar is a more traditional solution, while CrowdStrike and their insights are something more of a next-generation solution. They provide us with insights that we do not usually get from other solutions. We use both methods for us. This is why I did not say that we saved money because we still own the other solutions as well.

We do use Falcon LogScale's query language and dashboards.

We do use Falcon LogScale's search and visualization features.

Falcon LogScale's insights give you a lot of information that an expert already thought would be valuable for you. For us, it is an expert telling us to look at A, B, C, as those might be relevant to you. We think this has improved us very well. We this kind of solution. We do have other solutions that give us similar insights, and we think it is very valuable.

My overall rating for Falcon LogScale is a ten out of ten.

Public Cloud

Amazon Web Services (AWS)

Falcon LogScale is used for detection and many investigation tasks, as provided by a client. Falcon LogScale is used for log management, particularly the Falcon LogScale platform.

Falcon LogScale works by collecting huge amounts of logs from different sources and processing them in real-time, with the flow including log collection, ingestion, parsing, and normalization.

Falcon LogScale improves our organization by giving centralized visibility across endpoints and logs, enabling faster threat detection, real-time monitoring, automated alerts, and efficient incident response for the SOC team.

Falcon LogScale enhances our security operations by improving threat visibility, reducing response time, and streamlining log analysis.

The best features in Falcon LogScale include searches of billions of logs in seconds, near-real-time ingestion and alerting, and index-free architecture, which makes queries faster and cheaper.

In the future, I hope Falcon LogScale can include more AI-driven threat detection, advanced anomaly analytics, automated response workflow, deeper cloud security monitoring, and UEBA features.

I have been working for the last 1.5 years in software technology, and we also use Splunk and SentinelOne.

I am not facing any issues with stability such as crashes or performance problems.

The scalability features of Falcon LogScale are highly scalable because it is cloud-native and easily supports thousands of endpoints and servers across multiple locations without heavy infrastructure.

We rate 10 out of 10 for customer support as any queries from our side receive a prompt response from the CrowdStrike support team.

We previously used SentinelOne, Wazuh, and Splunk along with CrowdStrike.

The setup process involves creating a CrowdStrike Falcon account, configuring policies and user accesses, downloading the Falcon sensor agent, and installing it on various operating systems.

I found the setup process of CrowdStrike straightforward, with our L2 team handling the integration.

I have seen a positive return on investment.

CrowdStrike offered different types of packages based on endpoint count, with Falcon going around $60 per device per year and Falcon Pro around $100 per device per year.

I find the pricing very reasonable.

The difference between CrowdStrike and other products is mainly its cloud-native architecture, lightweight agent, strong EDR capabilities, and faster real-time threat detection.

For compliance purposes, CrowdStrike helps organizations meet requirements such as ISO 27001, PCI DSS, HIPAA, and SOC 2 by providing centralized logging, endpoint monitoring, and detailed security reporting.

My advice to others considering Falcon LogScale is to properly plan deployment, configure alerts carefully, and regularly tune detection rules for better results.

I provide this review with a rating of 9 out of 10.

Public Cloud

Other

Falcon LogScale has significantly improved our security monitoring and investigation workflow.

Before implementing Falcon LogScale and XDR integration, manual log analysis was time-consuming and difficult because security teams had to review raw logs individually. With automated ingestion and analysis, we now receive faster insights into suspicious activities and security anomalies.

The solution has reduced investigation time, improved visibility into firewall activity, and helped us create better security policies based on centralized log analysis.

Falcon LogScale has positively impacted our organization by improving centralized log visibility, accelerating security investigations, and reducing the manual effort required for log analysis.

Before implementing Falcon LogScale, reviewing raw firewall and infrastructure logs manually was time-consuming and difficult to manage at scale. After integrating Falcon LogScale with our rsyslog and CrowdStrike XDR pipeline, we gained near real-time visibility into firewall activity, suspicious traffic, and potential security incidents.

The platform helped us improve incident response time, strengthen security monitoring, simplify forensic investigations, and build better security policies based on centralized log analysis and automated insights.

One of the best features of Falcon LogScale is its straightforward setup process. Deployment requires only minimal configuration, such as defining the ingestion URL, authentication token, and log source locations within the YAML configuration.

Another major advantage is automated log investigation and analysis. Instead of manually reviewing thousands of raw log entries, Falcon LogScale and CrowdStrike XDR help identify important events, correlate security activity, and provide meaningful insights about potential issues in the environment.

This automation has saved considerable operational time and improved the efficiency of our security monitoring process.

One area that needs improvement is performance during heavy log ingestion workloads.

In our environment, there are situations where Falcon LogScale experiences delays while forwarding large amounts of data to CrowdStrike XDR. During peak usage, ingestion can slow down and logs may take additional time to appear on the XDR dashboard.

Improved scalability, better worker management, and faster real-time ingestion handling would enhance the overall experience, especially for environments processing large log volumes continuously.

Our primary use case for Falcon LogScale is centralized log ingestion and security analysis using CrowdStrike XDR and MDR capabilities.

In our environment, firewall devices send logs to a centralized rsyslog server, and Falcon LogScale collects those logs and forwards them to CrowdStrike XDR for monitoring and investigation. This helps us identify abnormal activity, suspicious traffic patterns, and potential security incidents in near real time.

The solution also simplifies historical log investigations and improves overall visibility across our firewall infrastructure.

Overall, Falcon LogScale has been stable in our environment. Aside from occasional ingestion delays during high workloads, the platform operates reliably for daily log collection and forwarding.

Falcon LogScale has been easy to scale in our environment and has handled growing log volumes effectively.

Our experience with customer support has been positive.

Whenever we encountered ingestion issues or product-related problems, the support team responded quickly and provided helpful assistance. In one case involving large-scale data ingestion, the issue was acknowledged and later addressed through a newer product release, which improved overall stability and performance.

We did not use another centralized log ingestion solution before Falcon LogScale. It was the first solution we implemented for this use case, and it successfully addressed our requirements.

The initial setup was straightforward.

Configuration mainly involved defining the ingestion URL, authentication token, and source log paths within the Falcon LogScale configuration files. Once configured, the platform was able to collect logs from our rsyslog servers and forward them to CrowdStrike XDR with minimal operational overhead.

No, we implemented and managed the deployment internally without using an external integrator or consultant.

Yes, we have seen operational benefits from Falcon LogScale.

The platform significantly reduces the manual effort required for log collection and investigation. Instead of manually reviewing raw logs, our teams can focus on analyzing prioritized security events and improving policies based on centralized visibility and automated insights.

Our setup experience was positive because the deployment was relatively simple and the infrastructure was hosted on-premises.

The licensing model is also flexible for our use case. We currently operate within the included log ingestion limits, and additional costs apply only if ingestion exceeds the allocated volume.

We did not find many suitable alternatives for our specific workflow because our firewall infrastructure does not support direct integration with CrowdStrike XDR.

Using rsyslog as an intermediate log collector together with Falcon LogScale provided the most practical and reliable solution for centralized log forwarding and security analysis

I would rate Falcon LogScale 9 out of 10.

I recommend it for organizations looking for centralized log ingestion, integration with CrowdStrike XDR, and automated security analysis workflows.

On-premises

Other

I primarily use Falcon LogScale for heavy-duty threat hunting where I need sub-second results, particularly when working deep in tickets that we use for SIEM purposes. I do not want to wait for a SIEM to process through massive queries, so I use Falcon LogScale to process and investigate the data I need.

What I appreciate most about Falcon LogScale is that it functions as a supercharger in our stack, as we use Splunk and FortiSIEM for long-term correlation and alerting. It is far more reactive than a standard indexing tool. While a typical SIEM might take a few seconds to pass through massive data sets, Falcon LogScale feels considerably easier to use compared to other indexing tools.

The main area for improvement in Falcon LogScale is the learning curve for the query language. Since I am heavily accustomed to SPL from my work in Splunk, adjusting to the syntax in Falcon LogScale took me some time to master. The tool is powerful, but it requires a totally different approach to writing queries.

I have been using Falcon LogScale for one month.

Falcon LogScale has been rock solid in terms of stability. In the month I have been using it, I have not experienced a single crash or performance lag, even when we are processing heavy bursts of logs. Because it uses an index-free architecture, it does not suffer from index corruption or the complications that other legacy tools face.

Falcon LogScale has scaled seamlessly. The biggest difference I noticed is that when we add new log sources or suddenly increase our ingestion volume, the performance does not dip. With our other tools, scaling up usually means I have to worry about performance lag or query latency. However, with Falcon LogScale, I do not have to wait for things to index or catch up.

I have never had to contact technical support for Falcon LogScale.

Deployment of Falcon LogScale is quite smooth compared to what I am accustomed to with my other SIEM tools. It does not involve deep back-end infrastructure. My daily work involves adding new data sources or deploying log collectors, which is straightforward.

Regarding pricing, I do not handle the contract as I am L1 and responsible for monitoring. From what I have gathered internally, Falcon LogScale uses a volume-based model, so we pay based on daily ingestion rate and retention period. I would say that it is competitive.

I have not used alternatives to Falcon LogScale. We use Splunk for query purposes only, and we recently started using this product.

Falcon LogScale does require some maintenance. Compared to other tools, its maintenance is low. However, I have noticed that managing a SIEM environment in our infrastructure means conducting health checks and configuring log collectors, along with adjusting retention policies as our data needs shift based on demand from our clients. My overall rating for this product is 8.

Other

We are a customer with Falcon LogScale. It is designed for real-time log ingestion, such as threat hunting and SOC operations. The features that make it special is the absence of indexing. Traditional SIEM tools index logs, which is slow and expensive. Falcon LogScale stores logs without heavy indexing and searches directly, making it very fast. Real-time streaming search is very easy because when we run a query, we can watch the logs live. This is very helpful for real-time incident monitoring and attack detection in progress. We have a powerful query language, which combines grep-style filtering and structured queries. It integrates across everything, including Falcon EDR, cloud logs, and network logs, giving us centralized visibility.

I use the query language extensively. For example, when I see an alert, I write queries. If I have seen any threats or indicators of compromise, particularly if I identified a malicious actor from a certain IP, I would write a query to search for what logs are coming from that IP. In Falcon LogScale, I get results much faster than with other security tools or log ingestion tools that I work with. The search for logs is very easy. I use the query language for searching and many things, such as searching for failed logins. After multiple failed logins, if there is a successful login, that would indicate a brute force attack. I would be monitoring for that, keeping the live monitoring on.

Falcon LogScale is designed for real-time log ingestion, such as threat hunting and SOC operations. The features that make it special is the absence of indexing. Traditional SIEM tools index logs, which is slow and expensive. Falcon LogScale stores logs without heavy indexing and searches directly, making it very fast. Real-time streaming search is very easy because when we run a query, we can watch the logs live. This is very helpful for real-time incident monitoring and attack detection in progress. We have a powerful query language, which combines grep-style filtering and structured queries. It integrates across everything, including Falcon EDR, cloud logs, and network logs, giving us centralized visibility.

I use the query language extensively. For example, when I see an alert, I write queries. If I have seen any threats or indicators of compromise, particularly if I identified a malicious actor from a certain IP, I would write a query to search for what logs are coming from that IP. In Falcon LogScale, I get results much faster than with other security tools or log ingestion tools that I work with. The search for logs is very easy. I use the query language for searching and many things, such as searching for failed logins. After multiple failed logins, if there is a successful login, that would indicate a brute force attack. I would be monitoring for that, keeping the live monitoring on.

There are areas for improvement. I cannot point out specific areas that should be improved because it is a well-functioning security tool. We have not deployed it in many aspects; we have deployed it for one client. The log ingestion, search, and everything else is good. The UI aspect is also fantastic. I did not find anything faulty with the tool that I used. It was very good for me.

One more point about areas for improvement is the visualization depth. Splunk, which I used, has very good visualization compared to Falcon LogScale. It is very good for speed, but not for deep visualization. Falcon LogScale is a very good product. It has room for improvement, and I would say it is very fast if you want something for threat hunting that is very quick. They should improve on the visibility, the visualization, and their visualization depth, because compared to Splunk, Splunk has more visibility. I can tell you that you can bet on this product. If they improve, it will be a good thing because it works at a very high speed. Compared to other tools, it is at a very high speed. I would recommend this product to others.

The visibility is somewhat of a drawback for them. If they improve on that, it would be great.

I have been using this for almost two years.

Updates will be based on the patches that will be released. Updates will be happening. We have not faced any downtime due to the updates or anything else. Falcon LogScale is very strong in real-time log search, but the maintenance window has not affected me.

Up to twenty or more users use it. Everybody has access to all the tools in our organization.

Deployment is easy. It was deployed before I joined the organization. The further deployments that were involved with more data sources, more EC2 instances, or new servers that we installed were all easy. We use Terraform. Obviously, everything is automation now. It was not as complex as other tools like IBM QRadar or any old-school SIEMs. It was very easy to deploy.

Other vendors provide competition to IBM QRadar and Splunk. Splunk has something called Search Processing Language, and Falcon LogScale has a powerful query language. Splunk has advanced visualization with line charts, heat maps, and all. It is mainly for enterprise SIEM and deep analysis. Falcon LogScale is for threat hunting and high-volume logs. Those two have different use cases.

Search and visualization features are there, but based on my knowledge of the tool, I have not done much search and visualization there. I have explored the dashboard and how it works, though.

Visualization is very important because with what is happening on the back side, if you have a visualization dashboard or similar platform, then we can understand what is occurring. That is the very core of every SOC team or a SIEM tool. It gives live queries, such as time charts or event trends, showing what is happening live. It is very helpful for threat hunting. With the visualization, we can see the ingested logs or data very quickly. On the dashboards and charts, we can see the timelines. We could see the data. We could create a graph for that, such as how many requests are coming. We can customize the dashboards. We can customize the visualization dashboard to see what we want to see.

I work with the GRC team, and those team members will be asking us multiple questions about which tool is better and how it is going. If I have a say in that, it is very good for GRC. Falcon LogScale meets some frameworks that we follow, such as ISO or GDPR. All the CrowdStrike tools are very useful because it stores logs for audit purposes. As for integration with GRC tools, I do not have deep knowledge about it. However, for audit purposes, it is very useful, as per my knowledge. I would rate this product eight out of ten.

Public Cloud

Amazon Web Services (AWS)

My main use case for Falcon LogScale is using it as a SIEM to collect logs. I collect all firewall logs and Active Directory logs through Falcon LogScale as a SIEM for collecting logs.

Falcon LogScale offers excellent features, with scalability being the most notable. The search speed stands out to me as particularly good. Falcon LogScale has positively impacted my organization by providing visibility of the logs, making it easier for us to troubleshoot any issues. The visibility makes troubleshooting easier overall because you can see the logs.

I do not see any improvements needed for Falcon LogScale at this time.

I have been using Falcon LogScale for one year.

Falcon LogScale is stable.

Falcon LogScale's scalability is straightforward; you simply connect it to different log resources and that is all that is required.

Falcon LogScale's customer support is great. I would describe my experience with their customer support as responsive and helpful. I would rate the customer support a 10 on a scale of one to 10.

Positive

I did not previously use a different solution before Falcon LogScale.

My experience with pricing, setup cost, and licensing is that it is straightforward, and the cost is quite low.

Before choosing Falcon LogScale, I did not evaluate other options.

My advice to others looking into using Falcon LogScale is that it is easy to use and very efficient. I would rate this review a 9 out of 10.

Hybrid Cloud

Amazon Web Services (AWS)

I am familiar with Falcon LogScale from CrowdStrike because I have heard about it, and we also have a special department with colleagues whose expertise is CrowdStrike and the products.

I cannot answer whether Falcon LogScale is a reasonable price as I do not know.

I would have to check with the projects to determine the typical use cases of Falcon LogScale.

My job is to bring the specialists and the customer together regarding Falcon LogScale, and most of the time, I am not involved in those meetings. However, I know that my colleagues always involve CrowdStrike in these projects, so we do not do it alone. We do it together with the vendor.

My customers also use the search and visualization features of Falcon LogScale. I am an account manager, so I have an overall view of my customers, but I do not know every product and every project in detail because it is impossible.

I do not know if I use Falcon LogScale's query language and dashboards personally, but my customers use it. However, I do not know what exactly they are using.

Regarding security, I work with many different vendors, and my customers are mostly banks and insurances.

That is a difficult question regarding Falcon LogScale. That is really a question for the professionals, and I am not a professional, so I do not know.

I have been working with Falcon LogScale for about five years.

I have only heard the best about CrowdStrike's support. My customer never complains, so I am happy if the customer does not complain.

Positive

I am using vendor assistance during implementation.

The implementation path is always very long. My customers are all very regulated, and in Germany, we have very strict regulations. That is always an obstacle because there is so much paperwork that needs to be filled out. The path from discussing security to implementing something is always a very long process.

I am referring to the documentation part, and with DORA, the Digital Operational Resilience Act, customers have many questions regarding vendors. They ask if it is an American company, if it is a European company, and where their data is located. It is always a very long process.

Hybrid Cloud

Microsoft Azure