This repository has been archived by the owner on Jan 17, 2024. It is now read-only.

Taxonomies

Evan Burns edited this page May 25, 2016 · 5 revisions

Taxonomies allow you to group assets and their associated detections in a meaningful way. This provides the foundation for reporting on threats by specific groups, whether based on geography, business function or another attribute. It also provides a way to categorize high-priority assets such as executive accounts, privileged service accounts or mission-critical systems. A taxonomy rule can be based on one of the following four attributes:

Hostname: Provide a regular expression pattern to match devices and their detections based on the computer hostname. This is useful if you have a common nomenclature as part of the naming convention for your endpoints. For example, if your Domain Controllers use a naming convention of SRV-DC-1, SRV-DC-2, etc., you could provide a pattern of ^SRV-DC-\d
Username: Provide a regular expression pattern to match account names. Perhaps all service accounts start with svc-. In this case you can provide a pattern of ^svc- to find any detections that involve a service account.
Active Directory OU: This is a more scalable approach to classifying assets, as the data is pulled dynamically from AD rather than maintained as a mapping within the application. Provide the full Distinguished Name (DN) path of the Active Directory OU. For example, all your executive staff accounts may be located in a dedicated Organizational Unit.
Active Directory Group: Falcon Orchestrator also pulls the group membership of user accounts. With this information you can define a taxonomy rule to monitor activity related to specific AD groups, such as those with privileged access.

Creating A Rule

(Screenshot: Taxonomies Creating)

Editing A Rule

When editing a taxonomy rule, only the description field can be modified. If you need to change the value, the type, or whether the rule is flagged as critical, delete the rule and create a new one.

Deleting A Rule

Deleting a rule removes the taxonomy it applied to detections. However, if the rule was created with the critical flag, the affected detections are not reverted to their previous severity and remain critical events.
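The four rule types described above, and the way deleting a critical rule strips the taxonomy label without reverting severity, as an added stand-alone Python illustration. This is not code from Falcon Orchestrator itself; the sample detections, the case-insensitive regex matching and the suffix-based OU comparison (a user in a sub-OU counts as a member of the configured OU) are assumptions made here for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data; none of these hosts, users or DNs are real.

@dataclass
class Rule:
    name: str          # taxonomy label applied to matching detections
    rule_type: str     # "hostname" | "username" | "ad_ou" | "ad_group"
    value: str         # regex pattern, or a full Distinguished Name
    critical: bool = False


@dataclass
class Detection:
    detection_id: str
    hostname: str
    username: str
    user_dn: str            # DN of the user account involved
    user_groups: list       # DNs of the user's AD group memberships
    severity: str
    taxonomies: set = field(default_factory=set)


def normalize_dn(dn: str) -> str:
    # Naive normalization for comparison: lower-case, trim whitespace around
    # each RDN. Escaped commas inside RDN values are not handled here.
    return ",".join(part.strip().lower() for part in dn.split(","))


def rule_matches(rule: Rule, det: Detection) -> bool:
    if rule.rule_type == "hostname":
        return re.search(rule.value, det.hostname, re.IGNORECASE) is not None
    if rule.rule_type == "username":
        return re.search(rule.value, det.username, re.IGNORECASE) is not None
    if rule.rule_type == "ad_ou":
        # A DN reads leaf-first, so "being in OU X" means the user's DN ends
        # with X's DN. Assumption: sub-OUs of X are included.
        return normalize_dn(det.user_dn).endswith("," + normalize_dn(rule.value))
    if rule.rule_type == "ad_group":
        return any(normalize_dn(g) == normalize_dn(rule.value) for g in det.user_groups)
    raise ValueError(f"unknown rule type: {rule.rule_type}")


def apply_rules(rules: list, detections: list) -> list:
    # Tag every matching detection; a critical rule also escalates severity.
    for det in detections:
        for rule in rules:
            if rule_matches(rule, det):
                det.taxonomies.add(rule.name)
                if rule.critical:
                    det.severity = "Critical"
    return detections


def delete_rule(rule: Rule, detections: list) -> list:
    # Removing a rule removes its taxonomy label only; severity already
    # raised by a critical rule is deliberately left as-is.
    for det in detections:
        det.taxonomies.discard(rule.name)
    return detections


RULES = [
    Rule("Domain Controllers", "hostname", r"^SRV-DC-\d", critical=True),
    Rule("Service Accounts", "username", r"^svc-"),
    Rule("Executives", "ad_ou", "OU=Executives,OU=Staff,DC=corp,DC=example", critical=True),
    Rule("Privileged Users", "ad_group", "CN=Domain Admins,CN=Users,DC=corp,DC=example"),
]


def build_detections() -> list:
    # Fresh objects each call so apply/delete can be demonstrated repeatedly.
    return [
        Detection("det-1", "SRV-DC-1", "jdoe",
                  "CN=John Doe,OU=Staff,DC=corp,DC=example",
                  ["CN=Domain Users,CN=Users,DC=corp,DC=example"], "Medium"),
        Detection("det-2", "WKS-0042", "svc-backup",
                  "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
                  ["CN=Domain Admins,CN=Users,DC=corp,DC=example"], "Low"),
        Detection("det-3", "LT-ceo", "asmith",
                  "CN=A Smith,OU=Executives,OU=Staff,DC=corp,DC=example",
                  [], "Low"),
    ]


if __name__ == "__main__":
    dets = apply_rules(RULES, build_detections())
    for d in dets:
        print(d.detection_id, sorted(d.taxonomies), d.severity)
    delete_rule(RULES[0], dets)   # drop the Domain Controllers rule
    print("after delete:", dets[0].detection_id, sorted(dets[0].taxonomies), dets[0].severity)
```

Running the block tags det-1 as a Domain Controller and escalates it to Critical, tags det-2 with both the service-account and privileged-group labels while leaving its severity at Low (neither rule is critical), and tags det-3 as an Executive via the OU suffix match. Deleting the Domain Controllers rule afterwards clears det-1's label but, mirroring the behaviour described above, does not return it to Medium.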
