This repository has been archived by the owner on Jan 17, 2024. It is now read-only.
Taxonomies
Evan Burns edited this page May 23, 2016
Taxonomies allow you to group assets and their associated detections in a meaningful way. This provides the foundation for reporting on threats by specific groups, whether based on geography, business function or other criteria. It also provides a way to categorize high-priority assets such as executive accounts, privileged service accounts or mission-critical systems. Taxonomies can be based on one of the following four attributes:
| Attribute | Description |
|---|---|
| Hostname | Provide a regular expression pattern to match devices and detections based on the computer hostname. This is useful if you have a common nomenclature as part of the naming conventions for your endpoints. For example, if your Domain Controllers use a naming convention of SRV-DC-1, SRV-DC-2, etc., you could provide a pattern of `^SRV-DC-\d`. |
| Username | Provide a regular expression pattern to match account names. Perhaps all service accounts start with svc-. In this case you can provide a pattern of `^svc-` to look for any detections that involve a service account. |
| Active Directory OU | This is a more scalable approach to classifying assets, as it dynamically pulls this data from AD rather than maintaining the mapping within the application. Provide the full Distinguished Name (DN) path to the Active Directory OU. For example, all your executive staff accounts may be located in a dedicated Organizational Unit. |
| Active Directory Group | Falcon Orchestrator also pulls the group membership of user accounts. With this information you can define a taxonomy rule to monitor activity related to specific AD groups, such as those with privileged access. |
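To illustrate how the four rule types group detections, here is an added Python example; it is not Falcon Orchestrator's own code. It assumes regex rules are evaluated case-insensitively, that an OU rule matches any account whose DN ends with the OU's DN (so sub-OUs are included), and that group rules match by exact group name; the rules and detections are constructed sample data.

```python
import re
from dataclasses import dataclass

@dataclass
class Detection:
    hostname: str
    username: str
    user_dn: str = ""     # account's Distinguished Name as pulled from AD
    groups: tuple = ()    # AD group memberships of the account

@dataclass
class Taxonomy:
    name: str
    attribute: str        # "hostname", "username", "ad_ou" or "ad_group"
    value: str            # regex pattern, OU DN, or group name

def _dn_parts(dn):
    # Split a DN on unescaped commas; RDN comparison is case-insensitive.
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def matches(tax, det):
    """True if one detection falls under one taxonomy rule."""
    if tax.attribute == "hostname":
        return re.search(tax.value, det.hostname, re.IGNORECASE) is not None
    if tax.attribute == "username":
        return re.search(tax.value, det.username, re.IGNORECASE) is not None
    if tax.attribute == "ad_ou":
        # Assumed: an account is in the OU when its DN ends with the OU's DN,
        # so accounts in sub-OUs of that OU are included as well.
        ou, dn = _dn_parts(tax.value), _dn_parts(det.user_dn)
        return len(dn) > len(ou) and dn[-len(ou):] == ou
    if tax.attribute == "ad_group":
        return tax.value.lower() in {g.lower() for g in det.groups}
    raise ValueError(f"unknown taxonomy attribute: {tax.attribute}")

def classify(taxonomies, detections):
    """Map each taxonomy name to the usernames of the detections it groups."""
    return {t.name: [d.username for d in detections if matches(t, d)]
            for t in taxonomies}

# Constructed sample rules and detections (not real data).
TAXONOMIES = [
    Taxonomy("Domain Controllers", "hostname", r"^SRV-DC-\d"),
    Taxonomy("Service Accounts", "username", r"^svc-"),
    Taxonomy("Executives", "ad_ou", "OU=Executives,DC=corp,DC=example"),
    Taxonomy("Privileged Users", "ad_group", "Domain Admins"),
]
DETECTIONS = [
    Detection("SRV-DC-1", "jdoe", "CN=jdoe,OU=Executives,DC=corp,DC=example", ("Domain Users",)),
    Detection("WKS-0421", "svc-backup", "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example", ("Domain Admins",)),
    Detection("srv-dc-2", "admin", "CN=admin,OU=IT,OU=Executives,DC=corp,DC=example", ("Domain Admins", "Domain Users")),
]
```

Note that the anchored patterns matter: `svc-` without `^` would also match any username that merely contains that string.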