Managing Falcon LTR Repositories

Falcon LTR (Long Term Repository) offers a way to analyze your existing Falcon data easily. Your FDR data is set to flow into a dedicated repository, which comes pre-installed with an FDR parser and relevant dashboards through the official crowdstrike/fdr package.

Falcon Repository

Figure 29. Falcon Repository


As you can see in the screenshot above, the Falcon repository is labeled Managed in the list of repositories. This means that some of its settings are locked and managed externally.

Restrictions

As a Managed repository, Falcon LTR has a few restrictions:

  • You're prevented from changing the dataspace type, FDR settings, retention settings, and parsers.

  • You won't be able to configure ingest tokens — your Falcon data will only be ingested automatically.

  • You can create views of your Managed repository without the above limitations. However, you can't enrich the data from this repository during parsing.

  • The organization owner cannot change the Falcon LTR from Managed to Default in the repository list.

Despite these restrictions, you are able to create dashboards, alerts, scheduled searches and manage permissions for a Managed repository.

Authentication & Adding Collaborators

If you're using Falcon LTR, you'll be able to access it through Falcon SSO. You can add collaborators by creating additional Falcon users for the company account. The LogScale organization owner can add additional users with the right permissions and eventually share the sign-up URL — a company-specific subdomain (e.g., https://mycompany.us.humio.com/) — with them.

You could also set alternative authentication methods (see Configuring Security). In which case, you'll need to login from your identity provider (e.g., through Okta).