The Capsule8 Sensor has an optional feature, Investigations, that generates data to aid in investigations of suspicious activity. The Investigations data provides historical context to alerts by letting operators query security-relevant telemetry from their hosts running Capsule8 Sensors.
A deployed Capsule8 sensor generates low-level telemetry about the running instance, which is then processed to construct higher-level events called Metaevents. When Investigations is enabled, the Metaevents are stored and exposed on an opt-in basis. The resulting data can be used to investigate security incidents, audit systems, or conduct further analysis. In a typical deployment, Investigations stores Metaevents in an object store (e.g. AWS S3, MinIO, or Azure Blob Storage).
The Capsule8 sensor outputs Metaevents in Apache Parquet, which is a columnar storage format with support across tools such as Apache Hive, AWS Athena, and GCP BigQuery.
The amount of storage space used by Investigations varies with the type of workload, but the recommended allowance is around 500 MB per sensor per day. The average observed data volume is 110.8 events per second, or 363.4 MB per day once written out to Parquet.
NOTE: Please reach out to Capsule8 for more information about this functionality and for pricing details.
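The sizing figures above can be turned into a capacity estimate for the object store. The following is an added example, not Capsule8's own tooling: it derives the implied per-Metaevent size from the observed figures and projects bucket capacity for a fleet. It assumes MB means 10**6 bytes, that Parquet volume scales linearly with event rate, and that the observed averages are representative of a typical host.

```python
"""Capacity planning for Capsule8 Investigations Parquet output.

Assumptions (not from the product documentation): MB means 10**6 bytes,
output volume scales linearly with event rate, and the documented averages
(110.8 events/s, 363.4 MB/day) are representative of a typical host.
"""

SECONDS_PER_DAY = 86_400
RECOMMENDED_MB_PER_SENSOR_DAY = 500.0   # guidance figure from the documentation
OBSERVED_EVENTS_PER_SEC = 110.8         # observed average from the documentation
OBSERVED_MB_PER_DAY = 363.4             # observed average once written to Parquet


def bytes_per_event(events_per_sec: float = OBSERVED_EVENTS_PER_SEC,
                    mb_per_day: float = OBSERVED_MB_PER_DAY) -> float:
    """Derive the average on-disk size of one Metaevent in Parquet (~38 bytes)."""
    events_per_day = events_per_sec * SECONDS_PER_DAY
    return mb_per_day * 1e6 / events_per_day


def daily_mb_for_rate(events_per_sec: float) -> float:
    """Project a sensor's daily Parquet volume from its own event rate."""
    return events_per_sec * SECONDS_PER_DAY * bytes_per_event() / 1e6


def exceeds_recommendation(events_per_sec: float) -> bool:
    """True when a host's projected volume outgrows the 500 MB/day guidance,
    i.e. the bucket allowance should be revisited for that host class."""
    return daily_mb_for_rate(events_per_sec) > RECOMMENDED_MB_PER_SENSOR_DAY


def fleet_storage_gb(sensors: int, retention_days: int,
                     mb_per_sensor_day: float = RECOMMENDED_MB_PER_SENSOR_DAY) -> float:
    """Bucket capacity (GB) needed to retain retention_days of data for every sensor."""
    return sensors * retention_days * mb_per_sensor_day / 1000


if __name__ == "__main__":
    print(f"~{bytes_per_event():.1f} bytes per Metaevent in Parquet")
    print(f"100 sensors x 30 days at the recommended rate: {fleet_storage_gb(100, 30):.0f} GB")
    for rate in (OBSERVED_EVENTS_PER_SEC, 200.0):   # 200 ev/s is a constructed busy host
        print(f"{rate} ev/s -> {daily_mb_for_rate(rate):.0f} MB/day, "
              f"over guidance: {exceeds_recommendation(rate)}")
```

The fleet figure is the retained data only; add headroom for any additional indexing or copies your query tooling keeps.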