Endpoint Security, CrowdStrike, Sensor Tagging

How to install and uninstall CrowdStrike manually

Systems

CrowdStrike

Affected Customers

University of Illinois IT Pros leveraging Technology Services CrowdStrike

Actions

General Information
Windows Sensor Tagging
macOS Sensor Tagging
Linux Sensor Tagging

General Information

CrowdStrike has the ability to apply one or more "tags" to a given host during or after installation. These tags can be used to filter endpoints in the CrowdStrike console and even assign them to a dynamic group.

Tags are supported for:

Windows sensor 5.13.9404 and higher
Mac sensor 5.29.11003 and higher
Linux sensor 5.27.9101 and higher

Tags must meet the following requirements:

Tags can include alphanumeric characters, hyphens (-), underscores (_), and forward slashes (/).
To use multiple tags, separate each tag with commas.
Tags cannot include spaces ( ) or commas (,).
All tags for a host, including any comma separators, cannot exceed 256 characters.

Windows Sensor Tagging

Assigning Sensor Tags During Installation

The GROUPING_TAGS command-line option can be used during sensor installation to assign one or more "tags" to a Windows endpoint within CrowdStrike. This tag can be used to filter Windows endpoints in the CrowdStrike console and even assign them to a dynamic group.

Example: WindowsSensor.exe /install /norestart CID=<your CID> GROUPING_TAGS="Admin,Production"

In this example, two tags would be set for the endpoint: Admin and Production

Assigning Sensor Tags Post-installation Via Registry Key

Locate the following registry key in the Windows Registry Editor:

HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default

Determine if the GroupingTags value name is present.

If so, proceed to the next step.

If not, create a new string value: GroupingTags

Add or edit the tags for this host in the GroupingTags value data field.
Reboot. If a restart is not feasible, the tags will be updated when the sensor is next upgraded or downgraded.

As an example, the screenshot below shows the GroupingTags value data that will set two tags: “Admin” and “Production”.

Assigning or Modifying Sensor Tags Via Command-Line

You can use the reg set command to set or modify the Windows registry key described above.

Examples:

Assigning or modifying sensor tags: reg set HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default GroupingTags -ValueType=REG_SZ -Value=Admin,Production

In this example, two tags would be set for the endpoint: Admin and Production

Removing sensor tags: reg delete HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default GroupingTags

Assigning or Modifying Sensor Tags Via CrowdStrike Console

The CrowdStrike console may be used to add or remove tags for Windows hosts. Within the CrowdStrike console, navigate to the Host Management screen, locate a computer record, and click the + button next to Grouping Tags on the computer record.

Note: Any change of the GroupingTags requires a sensor restart for the change to take effect. If a restart is not feasible, the tags will be updated when the sensor is next upgraded or downgraded.

macOS Sensor Tagging

The grouping-tags command-line option can be used post-installation to assign one or more "tags" to a macOS endpoint within CrowdStrike. This tag can be used to filter macOS endpoints in the CrowdStrike console and even assign them to a dynamic group.

Examples:

Assigning sensor tags post-installation: sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags set "Admin,Production"

In this example, two tags would be set for the endpoint: Admin and Production

Listing assigned sensor tags: sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags get
Removing sensor tags: sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags clear Admin,Production

In this example, two tags would be removed from the endpoint: Admin and Production

Note: Any change of the tags value done with falconctl requires a sensor restart for the change to take effect.

Linux Sensor Tagging

The --tags command-line option can be used to assign one or more "tags" to a Linux endpoint within CrowdStrike. This tag can be used to filter Linux endpoints in the CrowdStrike console and even assign them to a dynamic group.

Examples:

Assigning sensor tags during installation: sudo /opt/CrowdStrike/falconctl -s --tags="Admin,Production" --cid=<your CID>

In this example, two tags would be set for the endpoint: Admin and Production

Assigning sensor tags post-installation: sudo /opt/CrowdStrike/falconctl -s --tags="Admin,Production"

In this example, two tags would be set for the endpoint: Admin and Production

Listing assigned sensor tags: sudo /opt/CrowdStrike/falconctl -g --tags
Removing sensor tags: sudo /opt/CrowdStrike/falconctl -d -f --tags

Note that deleting / overwriting tags requires the force option

Note: Any change of the tags value done with falconctl requires a sensor restart for the change to take effect.

Support

Contact the EPS team

Keywords:	CrowdStrike, antivirus, mac, tag, tagging, sensor, EPS TechS-EPS-CS Suggest keywords	Doc ID:	100806
Owner:	EPS Distribution List .	Group:	University of Illinois Technology Services
Created:	2020-04-17 14:01 CDT	Updated:	2021-06-21 10:39 CDT
Sites:	University of Illinois Technology Services
Feedback:	3 1 Comment Suggest a new document Subscribe to changes