What are Detections?
Capsule8 Detections are a collection of drop-in configurations to enable you to instantly gain visibility into security incidents in your environment. This coverage is curated by the Capsule8 research team and informed by real-world attacker data to provide accurate insights into attacker activity - without impacting the performance of your systems.
What coverage is provided by Capsule8 Detections?
Coverage is broken up into two key categories: Core and Enhanced.
Core Detection Coverage maximizes usability and performance, offering a range of detections that work independent of environment characteristics and incur a minimal performance impact regardless of workload. You can think of Core detections like burglar alarms on windows, doors, air vents, and other things that are very likely to indicate something unwanted is happening in your home.
Enhanced Detection Coverage provides much deeper insight into system activity. This enables Capsule8 to more intelligently determine the security relevance of this activity and provide more context for incident analysts. However, this increased depth does require more processing power, and not all of the detections exclusive to Enhanced detection are suitable for each workload type.
Installing Capsule8 Detections
Getting set up with the curated Capsule8 Detections is straightforward, but does vary depending on your Capsule8 deployment.
Console Users
If you are using the Capsule8 Console 4.6.0 or greater to manage your sensors, good news! Your console installation includes Capsule8 detections and provides a friendly interface to manage the detections. For more information about using the console to manage detections, see Deploy Detections from the Console.
Standalone Sensor Users
Non-console deployments require installation of the capsule8-content package alongside your sensor. Instructions for acquiring and applying default detections for your environment and sensor version can be found in the guide to Installing the Sensor.
Testing that Capsule8 Detections are deployed
Once the sensor and content are installed, test to ensure that the content is properly deployed and that the generated alerts are going to the right place. The quickest way to test this is to cause an alert for a suspicious interactive shell:
- Ensure the sensor is started on the host that you wish to test.
  - If on a node:
    systemctl status capsule8-sensor
  - If using Kubernetes:
    kubectl get pods --all-namespaces | grep capsule8-sensor
  - If managing sensors via the console, browse to the Resources page and verify that the target host shows as active.
- Start a new interactive shell on the test host. This could be via SSH or a kubectl exec. If you are using the default detection set, this shell should not create an alert, as SSH and kubectl are not suspicious methods for starting an interactive shell.
- In your new shell, create a new shell with the command:
    sh -i
  - Specifying interactivity with the -i flag is common for illegitimate interactive shells, and one of the ways that Capsule8 detects unauthorized shell access.
- Look for a Suspicious Interactive Shell alert.
  - Console users should see an alert on the Activity page of their console.
  - Standalone sensor users should see an alert in their configured alert output. For more detail on alert outputs, see Exporting Alerts.
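To make the reasoning behind the test above concrete, here is an added example of a toy "suspicious interactive shell" detector run over a handful of constructed process-execution events. It is not Capsule8's detection logic, event schema, or content format; the field names (comm, parent_comm, tty), the set of allowlisted parent processes (sshd, containerd-shim, runc) and the priority/allowlist knobs are assumptions chosen only to illustrate why an SSH or kubectl exec shell is tolerated while a nested "sh -i" is flagged, and what a constrained customization such as an allowlist entry or a priority change does to the result.

```python
# Added illustrative example, not Capsule8 code. The event fields, the shell
# list and the allowlisted parent process names below are all assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Executable names we treat as shells (assumed list).
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}


@dataclass
class ExecEvent:
    pid: int
    ppid: int
    comm: str             # executable name of the new process
    args: List[str]       # full argv of the new process
    parent_comm: str      # executable name of the parent process
    tty: Optional[str]    # controlling terminal, None if not attached


@dataclass
class DetectionConfig:
    # The two "constrained" customizations the text mentions:
    # alert priority and an allowlist (here: parent processes that may
    # legitimately spawn an interactive shell, e.g. an SSH login shell or
    # a container runtime servicing kubectl exec). Names are assumptions.
    priority: str = "high"
    allowed_parents: Set[str] = field(
        default_factory=lambda: {"sshd", "containerd-shim", "runc"})


@dataclass
class Alert:
    name: str
    priority: str
    pid: int
    reason: str


def is_interactive_shell(ev: ExecEvent) -> bool:
    """A shell counts as interactive when it is invoked with -i (the page's
    test command) or when it is attached to a TTY and given no further
    arguments (no -c command, no script path)."""
    if ev.comm not in SHELLS:
        return False
    if "-i" in ev.args[1:]:
        return True
    return ev.tty is not None and len(ev.args) == 1


def detect(events: List[ExecEvent], cfg: DetectionConfig) -> List[Alert]:
    """Emit a Suspicious Interactive Shell alert for every interactive shell
    whose parent is not on the allowlist."""
    alerts = []
    for ev in events:
        if not is_interactive_shell(ev):
            continue
        if ev.parent_comm in cfg.allowed_parents:
            continue  # e.g. login shell from sshd, or the shell behind kubectl exec
        cmd = " ".join(ev.args)
        alerts.append(Alert("Suspicious Interactive Shell", cfg.priority, ev.pid,
                            f"{cmd} spawned by {ev.parent_comm} (pid {ev.ppid})"))
    return alerts


# Constructed sample events mirroring the walkthrough: an SSH login shell,
# the "sh -i" run inside it, a cron job, a kubectl exec shell, and a shell
# started with -i by an application process.
SAMPLE_EVENTS = [
    ExecEvent(1001, 900, "bash", ["-bash"], "sshd", "pts/0"),
    ExecEvent(1002, 1001, "sh", ["sh", "-i"], "bash", "pts/0"),
    ExecEvent(1003, 1, "sh", ["sh", "-c", "/opt/app/run.sh"], "cron", None),
    ExecEvent(1004, 500, "sh", ["sh"], "containerd-shim", "pts/1"),
    ExecEvent(1005, 777, "bash", ["bash", "-i"], "python3", None),
]


def run_sample(cfg: Optional[DetectionConfig] = None) -> List[Alert]:
    """Run the detector over the constructed events with the default or a
    customized configuration and return the alerts."""
    return detect(SAMPLE_EVENTS, cfg or DetectionConfig())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.priority}] {a.name}: {a.reason}")
```

With the default configuration only the nested sh -i (pid 1002) and the application-spawned bash -i (pid 1005) produce alerts; the SSH login shell and the kubectl exec shell are tolerated because their parents are allowlisted. Adding "python3" to allowed_parents and lowering the priority shows the effect of the constrained customizations described later on this page: the pid 1005 alert disappears and the remaining alert carries the new priority.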
Keeping Capsule8 Detections Up to Date
Console Users
When using the Capsule8 console to manage detections, the console itself needs the latest content packages. This is covered in the Deploy Detections from the Console guide.
Standalone Sensor Users
If you have installed Capsule8 content using a standard package manager, updates will be made available in the Capsule8 package repository, much the same as the sensor - and will adhere to the system update management programs you have in place (e.g. weekly apt updates), as covered in Upgrading the Capsule8 Sensor.
Kubernetes Users
Kubernetes deployments with content should be updated with the associated content version for the image name (e.g. capsule8-content:4.7.0).
Updates to Detection Content
Capsule8 Detections are designed to allow you to regularly update them with new content from Capsule8, while retaining any tweaks you made to adjust detection content for your environment. The updates allow for “constrained” customizations, such as changing the alert priority or adding items to allowlists for your environment.