Once you’re familiar with Capsule8’s Detections and have successfully added default detections to your environment, you can consider adjusting Capsule8’s default detections to suit your environment. This guide will help you understand the adjustment “levers” you can use to do so.
Capsule8 detections are grouped to support high-level management of coverage. The two primary content groups are Detection Analytics and Smart Policy - more information on these is available in the article Categories of Detections.
Managing content groups with the console
Console users can take advantage of a graphical view for tweaking content group coverage:
Each category or subcategory may be expanded or collapsed by clicking on any empty portion of the section. The blue switch () indicates whether a category, subcategory, or policy is enabled or disabled. The "partially-enabled" state () indicates that a category or subcategory contains some enabled and some disabled policies.
Managing content groups in YAML
Content groups can also be enabled and disabled with the
enabled_content_groups configuration directive can be used in the host’s configuration file (
The default configuration for
enabled_content_groups is shown below:
enabled_content_groups: - Detection Analytics - Smart Policy
The above configuration enabled all Core Detection Coverage associated with the Detection Analytics and Smart Policy content groups.
The grouping of detections is hierarchical, so that all or a subset of detections can be enabled. In the example configuration below, all Smart Policy detections are marked enabled, but only “System Exploitation” is enabled for Detection Analytics:
enabled_content_groups: - Detection Analytics.System Exploitation - Smart Policy
Applying the above configuration would effectively disable all Detection Analytics detections that were not related to System Exploitation.
Note: By default, Enhanced Detection Coverage items may be disabled at the individual detection level, as not all coverage is suitable for every workload.
As one example, the New File Executed in Container Enhanced detection is included in Capsule8 content packages, but is disabled by default. The tracking of the file telemetry that supports this detection can have an adverse effect on performance for some systems, hence you must opt-in to using it.
To enable this detection, the following override snippet should be added to the sensor configuration file (
New File Executed in Container: enabled: true
The above snippet overrides the
enabled attribute of the New File Executed in Container detection. Restarting the sensor after having applied the above snippet will enable the New File Executed in Container detection.
Advanced users looking for more information on tweaking individual detections can find tips in the Tweaking Individual Detections article.