crowdstrike
group tag vs sensor tag
Sensor tags are done at installation.
Falcon grouping tags are done via the console or API.
CsSensorSettings.exe method:
- set: Modify the assigned sensor grouping tags. This command replaces the existing set of assigned tags. For example, even if you’re adding only one tag, you must specify the new tag in addition to all existing sensor grouping tags on the host. You can view current tags in the host summary panel in Hosts > Host Management.
- clear: Remove all assigned sensor grouping tags. Example: CsSensorSettings clear --grouping-tags
falconctl:
To assign tags to a host, you’ll use the falconctl command-line interface with the grouping-tags command, which offers the following three options:
get
set
clear
Tag changes take effect the next time the Falcon sensor — or the Mac — restarts. To restart the Falcon sensor immediately, you can again leverage the falconctl binary with the following options, in the order listed:
unload
load
==========================
WindowsSensor.exe:
Switch | Required | Purpose |
---|---|---|
/install | Yes | Installs the CrowdStrike Falcon Sensor. |
/passive | No | The installer shows a minimal UI with no prompts. |
/quiet | No | Suppresses UI and prompts. |
/norestart | No | Prevents the host from restarting after installation. |
/log | No | Changes the default installation log directory from %Temp% to a new location. The new location must be contained in quotation marks (“”). |
Parameter | Value | Required | Purpose |
---|---|---|---|
CID= | See Examples | Yes | Uses customer identification (CID) to associate sensor to CrowdStrike Falcon Console. |
NO_START= | 0 (Default) | No | Starts the sensor immediately after installation. |
NO_START= | 1 | No | Prevents the sensor from starting after installation. The next time the host boots, the sensor is assigned an agent ID (AID). |
VDI= | 1 | No | Configures sensor for a virtual desktop infrastructure (VDI) environment. Updates AID after system initialization. |
APP_PROXYNAME= | See Examples | No | Configures sensor to use a proxy connection. Cannot be used with PACURL. |
APP_PROXYPORT= | See Examples | No | Specifies APP_PROXYNAME port. |
PACURL= | See Examples | No | Configures a proxy connection using a PAC file. Cannot be used with either APP_PROXYNAME or APP_PROXYPORT. |
PROXYDISABLE= | 0 (Default) | No | Attempts to connect to CrowdStrike Falcon Console using any available proxy connections. |
PROXYDISABLE= | 1 | No | The parameter ignores any automatic proxy connection. |
ProvNoWait= | 0 (Default) | No | The parameter uninstalls the sensor if unable to connect to CrowdStrike Falcon Console within 10 minutes. |
ProvNoWait= | 1 | No | The parameter prevents uninstall if unable to connect to CrowdStrike Falcon Console. |
Example #1:
WindowsSensor.exe /install NO_START=1 CID=ABCDEF123GHI-J6
Example #2:
WindowsSensor.exe /install NO_START=1 /quiet /norestart ProvNoWait=1 CID=ABCDEF123GHI-J6 /log "C:\Logs"
Example #3:
WindowsSensor.exe /install VDI=1 NO_START=1 APP_PROXYNAME=proxy.domain.com APP_PROXYPORT=1234 ProvNoWait=1 PROXYDISABLE=1 /quiet CID=ABCDEF123GHI-J6
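An added example (not CrowdStrike's code and not part of the original notes): a pre-deployment check that applies the rules from the two tables above to a WindowsSensor.exe command line before it goes into a deployment script. The function name lint_install and the case-insensitive matching of switch and parameter names are assumptions of this example.

```python
import shlex

# Switches and parameters as listed in the tables above. Names are compared
# case-insensitively, which is an assumption of this example.
SWITCHES = {"/install", "/passive", "/quiet", "/norestart", "/log"}
BINARY = {"NO_START", "PROXYDISABLE", "PROVNOWAIT"}  # documented values: 0 or 1
PARAMS = BINARY | {"CID", "VDI", "APP_PROXYNAME", "APP_PROXYPORT", "PACURL"}


def lint_install(cmdline):
    """Return (errors, warnings) for a WindowsSensor.exe command line."""
    # posix=False keeps backslashes and the quotes around the /log path.
    tokens = shlex.split(cmdline, posix=False)[1:]  # drop the executable
    errors, warnings, switches, params = [], [], set(), {}
    it = iter(tokens)
    for tok in it:
        if tok.startswith("/"):
            switches.add(tok.lower())
            if tok.lower() not in SWITCHES:
                errors.append(f"unknown switch {tok}")
            elif tok.lower() == "/log" and not next(it, "").startswith('"'):
                errors.append("/log needs a directory in quotation marks")
        elif "=" in tok:
            name, value = tok.split("=", 1)
            params[name.upper()] = value
            if name.upper() not in PARAMS:
                errors.append(f"unknown parameter {name}")
        else:
            errors.append(f"unexpected token {tok}")
    if "/install" not in switches:
        errors.append("/install is required")
    if not params.get("CID"):
        errors.append("CID= is required")
    if "PACURL" in params and params.keys() & {"APP_PROXYNAME", "APP_PROXYPORT"}:
        errors.append("PACURL cannot be combined with APP_PROXYNAME/APP_PROXYPORT")
    for name in sorted(BINARY & params.keys()):
        if params[name] not in ("0", "1"):
            errors.append(f"{name} must be 0 or 1")
    if params.get("PROVNOWAIT", "0") != "1":
        warnings.append("ProvNoWait is not 1: sensor uninstalls itself if it "
                        "cannot reach the console within 10 minutes")
    return errors, warnings


if __name__ == "__main__":
    # Example #1 from this page, then a constructed invalid command line.
    for cmd in ("WindowsSensor.exe /install NO_START=1 CID=ABCDEF123GHI-J6",
                "WindowsSensor.exe /quiet PACURL=http://pac.example/p.pac APP_PROXYNAME=px"):
        print(lint_install(cmd))
```

The warning on a missing ProvNoWait=1 is the one to watch in restricted networks: with the default, a host that cannot reach the console within 10 minutes ends up with no sensor installed.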
Linux:
sudo yum install falcon-sensor-[VERSION].[EXT]
sudo /opt/CrowdStrike/falconctl -s --cid=[CID]
Type:
- Hosts with SysVinit: service falcon-sensor start and then press Enter.
- Hosts with Systemd: systemctl start falcon-sensor and then press Enter.
Ubuntu:
sudo dpkg -i falcon-sensor-[VERSION].[EXT]
sudo /opt/CrowdStrike/falconctl -s --cid=[CID]
Type:
- Hosts with SysVinit: service falcon-sensor start and then press Enter.
- Hosts with Systemd: systemctl start falcon-sensor and then press Enter.
SLES:
sudo zypper install falcon-sensor-[VERSION].[EXT]
sudo /opt/CrowdStrike/falconctl -s --cid=[CID]
Type:
- Hosts with SysVinit: service falcon-sensor start and then press Enter.
- Hosts with Systemd: systemctl start falcon-sensor and then press Enter.