Sensor grouping tags in CrowdStrike Falcon allow you to dynamically organize hosts and automate policy assignment. By tagging sensors during deployment, you can create Host Groups that automatically include hosts based on their tags, eliminating manual host management.
Understanding Grouping Tags
Grouping tags are metadata labels that:
- Classify hosts by environment, location, function, or any custom criteria
- Enable dynamic grouping in the Falcon Console
- Automate policy assignment through Host Group rules
- Simplify fleet management at scale
Common Tag Use Cases
| Category | Example Tags |
|---|---|
| Environment | prod, staging, dev, test |
| Location | us-east, eu-west, datacenter-1 |
| Function | webserver, database, api, worker |
| Team | engineering, finance, marketing |
| Compliance | pci, hipaa, sox |
Setting Tags During Installation
Configure tags when deploying the sensor for the first time:
Step 1: Install the Sensor Package
Ubuntu/Debian
sudo dpkg -i falcon-sensor__amd64.deb RHEL/CentOS/Amazon Linux
sudo yum install falcon-sensor-.rpm SUSE/SLES
sudo zypper install falcon-sensor-.rpm Step 2: Configure CID and Tags
sudo /opt/CrowdStrike/falconctl -s --cid= --tags="tag1,tag2,tag3" Example with environment and function tags
sudo /opt/CrowdStrike/falconctl -s \
--cid=ABCD1234EFGH5678IJKL9012MNOP3456-78 \
--tags="prod,webserver,us-east-1"Step 3: Start the Sensor
sudo systemctl start falcon-sensorThe host will register with the CrowdStrike cloud and appear with the configured tags.
Managing Tags on Existing Sensors
View Current Tags
sudo /opt/CrowdStrike/falconctl -g --tagsAdd or Change Tags
Setting tags overwrites any existing tags:
sudo /opt/CrowdStrike/falconctl -s --tags="new-tag1,new-tag2"Restart the sensor for changes to take effect:
sudo systemctl restart falcon-sensorRemove All Tags
sudo /opt/CrowdStrike/falconctl -d -f --tags
sudo systemctl restart falcon-sensorUsing Tags in Host Groups
Create dynamic Host Groups that automatically include hosts based on tags:
-
- **Navigate to Host Groups**
-
In Falcon Console, go to Host Setup and Management > Groups > Host Groups
-
Create or Edit a Host Group
-
Click Create Host Group or select an existing group
-
Choose Dynamic assignment type
-
Add a Tag-Based Rule
-
In the rules section, add a new rule
-
Set Field to Sensor grouping tags
-
Set Operator (equals, contains, etc.)
-
Enter the tag value
-
Save the Host Group
-
Hosts matching the tag criteria are automatically added
Example Host Group Rules
| Purpose | Rule Configuration |
|---|---|
| All production servers | Sensor grouping tags contains "prod" |
| Web servers in US East | Sensor grouping tags contains "webserver" AND contains "us-east" |
| PCI-compliant systems | Sensor grouping tags equals "pci" |
Tags in Master Images
When creating master images for VM cloning, decide on a tagging strategy:
Option 1: Set Base Tags in Image
Include common tags that apply to all clones:
sudo /opt/CrowdStrike/falconctl -s --cid= --tags="linux,clone-base"
sudo /opt/CrowdStrike/falconctl -d -f --aid
sudo shutdown -h now Clones inherit these tags and can be updated post-deployment.
Option 2: Set Tags Post-Deployment
Leave tags unconfigured in the master image and set them during or after clone deployment using automation tools.
Tag Naming Best Practices
- Use lowercase: Tags are case-insensitive, but lowercase is cleaner
- Be consistent: Establish naming conventions (prod vs production)
- Keep it simple: Use short, descriptive tags
- Use hyphens: Separate words with hyphens (us-east-1, web-server)
- Document tags: Maintain a tag registry for your organization
- Limit tag count: Use only necessary tags to avoid complexity
Automation with Tags
Tags integrate well with automation and configuration management tools:
Ansible Example
- name: Configure CrowdStrike Falcon Sensor
command: /opt/CrowdStrike/falconctl -s --cid={{ crowdstrike_cid }} --tags="{{ sensor_tags | join(',') }}"
vars:
sensor_tags:
- "{{ environment }}"
- "{{ role }}"
- "{{ region }}"Cloud-Init Example
runcmd:
- /opt/CrowdStrike/falconctl -s --cid=YOUR_CID --tags="cloud,auto-scaled,${ENVIRONMENT}"
- systemctl start falcon-sensorTroubleshooting
Tags not appearing in Console
- Restart the sensor after setting tags
- Verify tags are set:
sudo /opt/CrowdStrike/falconctl -g --tags - Allow time for the host to sync with CrowdStrike cloud
Host not matching Host Group rules
- Check exact tag spelling and case
- Verify the Host Group rule operator (equals vs contains)
- Confirm the host has synced recent tag changes
Invalid tag format
- Tags should contain only alphanumeric characters, hyphens, and underscores
- Avoid spaces and special characters
- Multiple tags must be comma-separated without spaces