Taxonomies
Taxonomies allows you to group assets and associated detections in a meaningful way. This provides the foundation for reporting on threats by specific groups whether that be based on geography, business function or more. It also provides a utility to categorize high priority assets such as executive accounts, privileges service accounts or mission critical systems. Taxonomies can be based on one of the four following attributes:
| Hostname | Provide a regular expression pattern to match devices and detection based on the computer hostname. This is useful if you have a common nomenclature used as part of the naming conventions for your endpoints. For example if your Domain Controllers use a naming convention of SRV-DC-1, SRV-DC-2, etc. You could provide a pattern of ^SRV-DC-\d |
| Username | Provide a regular expression pattern to match account names. Perhaps all service accounts start with svc-. In this case you can provide a pattern of ^svc- to look for any detections that involve a service account |
| Active Directory OU | This is a more scalable approach to classifying assets as it can dynamically pull this data from AD rather than maintaining the mapping within the application. Provide a full Distinguished Name (DN) path to the Active Directory OU. For example, all your executive staff accounts may be located in a dedicated Organizational Unit |
| Active Directory Group | Falcon Orchestrator also pulls group membership of user accounts. With this information you can define a taxonomy rule to monitor activity related to specific AD groups such as those with privileged access. |
When editing a taxonomy rule only the description field can be modified. If you need to change the value, type or set as a critical rule, you should delete the rule and create a new one.
Deletion of a rule will result in the removal of taxonomies applied to detections. However if the rule was created with the critical flag, the affected detections will not be reverted to a previous severity and will remain as critical events.