Endpoint Security, CrowdStrike, Sensor Tagging

Systems

CrowdStrike

Affected Customers

University of Illinois IT Pros leveraging Technology Services CrowdStrike

Actions

• General Information
• Windows Sensor Tagging
• macOS Sensor Tagging
• Linux Sensor Tagging

General Information

CrowdStrike has the ability to apply one or more "tags" to a given host during or after installation. These tags can be used to filter endpoints in the CrowdStrike console and even assign them to a dynamic group.

Tags are supported for:

• Windows sensor 5.13.9404 and higher
• Mac sensor 5.29.11003 and higher
• Linux sensor 5.27.9101 and higher

Tags must meet the following requirements:

• Tags can include alphanumeric characters, hyphens (-), underscores (_), and forward slashes (/).
• To use multiple tags, separate each tag with commas.
• Tags cannot include spaces ( ) or commas (,).
• All tags for a host, including any comma separators, cannot exceed 256 characters.

Windows Sensor Tagging

Assigning Sensor Tags During Installation

The GROUPING_TAGS command-line option can be used during sensor installation to assign one or more "tags" to a Windows endpoint within CrowdStrike. This tag can be used to filter Windows endpoints in the CrowdStrike console and even assign them to a dynamic group.

Example: WindowsSensor.exe /install /norestart CID=<your CID> GROUPING_TAGS="Admin,Production"

• In this example, two tags would be set for the endpoint: Admin and Production

Assigning Sensor Tags Post-installation Via Registry Key

1. Locate the following registry key in the Windows Registry Editor:
• HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default
2. Determine if the GroupingTags value name is present.
• If so, proceed to the next step.
• If not, create a new string value: GroupingTags
3. Add or edit the tags for this host in the GroupingTags value data field.
4. Reboot. If a restart is not feasible, the tags will be updated when the sensor is next upgraded or downgraded.

As an example, the screenshot below shows the GroupingTags value data that will set two tags: “Admin” and “Production”.

Assigning or Modifying Sensor Tags Via Command-line

You can use the reg set command to set or modify the Windows registry key described above.

Examples:

• Assigning or modifying sensor tags: reg set HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default GroupingTags -ValueType=REG_SZ -Value=Admin,Production
• In this example, two tags would be set for the endpoint: Admin and Production
• Removing sensor tags: reg delete HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default GroupingTags

Assigning or Modifying Sensor Tags Via CrowdStrike Console

The CrowdStrike console may be used to add or remove tags for Windows hosts. Within the CrowdStrike console, navigate to the Host Management screen, locate a computer record, and click the + button next to Grouping Tags on the computer record.

Note: Any change of the GroupingTags requires a sensor restart for the change to take effect. If a restart is not feasible, the tags will be updated when the sensor is next upgraded or downgraded.

macOS Sensor Tagging

Assigning Sensor Tags Via Command-line

The grouping-tags command-line option can be used post-installation to assign one or more "tags" to a macOS endpoint within CrowdStrike. This tag can be used to filter macOS endpoints in the CrowdStrike console and even assign them to a dynamic group.

Examples:

• Assigning sensor tags post-installation: sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags set "Admin,Production"
• In this example, two tags would be set for the endpoint: Admin and Production
• Listing assigned sensor tags: sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags get
• Removing sensor tags: sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags clear Admin,Production
• In this example, two tags would be removed from the endpoint: Admin and Production

Assigning or Modifying Sensor Tags Via CrowdStrike Console

The CrowdStrike console may be used to add or remove tags for macOS hosts. Within the CrowdStrike console, navigate to the Host Management screen, locate a computer record, and click the + button next to Grouping Tags on the computer record.

Note: Any change of the tags value done with falconctl requires a sensor restart for the change to take effect.

Linux Sensor Tagging

Assigning Sensor Tags Via Command-line

The --tags command-line option can be used to assign one or more "tags" to a Linux endpoint within CrowdStrike. This tag can be used to filter Linux endpoints in the CrowdStrike console and even assign them to a dynamic group.

Examples:

• Assigning sensor tags during installation: sudo /opt/CrowdStrike/falconctl -s --tags="Admin,Production" --cid=<your CID>
• In this example, two tags would be set for the endpoint: Admin and Production
• Assigning sensor tags post-installation: sudo /opt/CrowdStrike/falconctl -s --tags="Admin,Production"
• In this example, two tags would be set for the endpoint: Admin and Production
• Listing assigned sensor tags: sudo /opt/CrowdStrike/falconctl -g --tags
• Removing sensor tags: sudo /opt/CrowdStrike/falconctl -d -f --tags
• Note that deleting / overwriting tags requires the force option

Assigning or Modifying Sensor Tags Via CrowdStrike Console

The CrowdStrike console may be used to add or remove tags for Linux hosts. Within the CrowdStrike console, navigate to the Host Management screen, locate a computer record, and click the + button next to Grouping Tags on the computer record.

Note: Any change of the tags value done with falconctl requires a sensor restart for the change to take effect.