While Content Groups provide an easy way to enable or disable a group of detections, sometimes a finer-grained approach is needed. Capsule8 supports tuning the attributes of individual detections, which allows granular enable/disable control, altering the priority of an alert, changing the response action, and more. Common attribute overrides and examples are included below.
Enabling a default-disabled detection
For a list of default-disabled detections, please refer to the List of Detection Categories and their Individual Detections. As one example, the New File Executed in Container detection is included in Capsule8 content packages, but is disabled by default. The tracking of the file telemetry that supports this detection can have an adverse effect on performance for some systems, hence you must opt-in to using it.
To enable this detection, add the following snippet to the host's configuration file (/etc/capsule8/capsule8-sensor.yaml):
New File Executed in Container:
  enabled: true
The above snippet overrides the enabled attribute of the New File Executed in Container detection. Restarting the sensor after applying the snippet enables the detection.
Setting a detection to have a “kill” response
All detections provided by Capsule8 are configured to alert by default, but most detections support additional response actions. A common use case for Capsule8 is to set certain detections to an “enforcing” mode that will kill any processes that violate the detection rules.
For example, the Kernel Exploit detection is a good candidate for enforcement, as the detection has a very strong degree of certainty (i.e. a very low false positive rate). To enable the "enforcing" mode for Kernel Exploit and kill offending processes in their tracks, override the responseActions attribute for this detection by placing the following override snippet in the host's configuration file:
Kernel Exploit:
  responseActions:
    - kill
Restarting the sensor with the above configuration ensures that any process that triggers the Kernel Exploit detection is killed, provided the process that generated the detection is still present when the response action runs.
Customizable Attributes
Note that not all properties are customizable, as modification of some attributes would fundamentally change the nature of a detection. If the attributes in this list are insufficient for configuring detections, Configuring Custom Policies describes how to create customized detections for your environment. Custom policy creation and management is a Capsule8 Enterprise feature.
Detection Attribute | Customizable? | Comments
---|---|---
policy | no | Fundamentally changes the type of detection
enabled | yes |
alertMessage | yes |
comments | yes |
priority | yes |
responseActions | yes |
dryRun | yes |
rules | no | Fundamentally changes detection operation and could result in unexpected behavior
alertLabels | yes |
additionalCategories | yes |
alertDetail | yes |
contentGroups | yes |

List Attribute | Customizable? | Comments
---|---|---
type | no | Fundamentally changes the type of list
description | yes |
list | yes |
Where are detections located?
The Capsule8 packaged content is installed in /var/lib/capsule8/content/capsule8-content.yaml, a single content file containing all detections with their default configurations. All of the detections and lists within this file can be overridden with customizations in the host's configuration file, /etc/capsule8/capsule8-sensor.yaml. While the content file is updated whenever the Capsule8 content package is upgraded, the host's configuration file is never modified by a Capsule8 package and retains any overrides and customizations across Capsule8 content releases.
The location of the content file is controlled with the content_path configuration directive, which can be set in the host's configuration file. By default, the value of content_path is /var/lib/capsule8/content/capsule8-content.yaml. Setting a custom content_path directs the sensor to read content from the specified location.
When a sensor starts up, it reads the packaged content, applies any overrides, and then writes a "reference" copy of the merger of capsule8-content.yaml with capsule8-sensor.yaml to /var/run/capsule8/cache_analytics.yaml. This cache YAML file represents the result of the merge, and you can inspect or save it for debugging or auditing purposes.
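The following is an added example (not Capsule8's own code) that previews the merge the two override snippets above rely on and that the cache_analytics.yaml reference copy records: it applies host-config overrides onto the packaged defaults, entry by entry, and rejects any override that touches an attribute the tables above mark as non-customizable. The two dicts stand in for the parsed content and host configuration files; their detection and list entries, policy values and file paths are constructed, and the per-attribute override semantics are an assumption based on the description on this page.

```python
import copy

# Attributes the tables on this page mark as customizable, per detection and per list.
DETECTION_CUSTOMIZABLE = {"enabled", "alertMessage", "comments", "priority",
                          "responseActions", "dryRun", "alertLabels",
                          "additionalCategories", "alertDetail", "contentGroups"}
LIST_CUSTOMIZABLE = {"description", "list"}

# Constructed stand-in for the parsed packaged content file (defaults).
# With PyYAML installed this would come from yaml.safe_load(open(content_path)).
CONTENT = {
    "New File Executed in Container": {"policy": "file", "enabled": False,
                                       "priority": "Medium", "responseActions": ["alert"]},
    "Kernel Exploit": {"policy": "kernel", "enabled": True,
                       "priority": "High", "responseActions": ["alert"]},
    "Trusted Binaries": {"type": "string", "description": "constructed list",
                         "list": ["/usr/bin/sshd"]},
}

# Constructed stand-in for the parsed host configuration file: the page's two
# override snippets, a list override, and a 'rules' override that is not customizable.
OVERRIDES = {
    "New File Executed in Container": {"enabled": True},
    "Kernel Exploit": {"responseActions": ["kill"], "rules": ["constructed"]},
    "Trusted Binaries": {"list": ["/usr/bin/sshd", "/usr/sbin/cron"]},
}


def merge_overrides(content, overrides):
    """Apply overrides to a copy of content and return (merged, rejected).

    Only customizable attributes are applied; any other attribute, or an
    override naming an unknown entry, is reported as (entry name, attribute).
    """
    merged = copy.deepcopy(content)
    rejected = []
    for name, attrs in overrides.items():
        if name not in merged:
            rejected.append((name, None))
            continue
        # Detections carry a 'policy' attribute; lists carry a 'type' attribute.
        allowed = DETECTION_CUSTOMIZABLE if "policy" in merged[name] else LIST_CUSTOMIZABLE
        for attr, value in attrs.items():
            if attr in allowed:
                merged[name][attr] = value
            else:
                rejected.append((name, attr))
    return merged, rejected
```

Running the check before restarting the sensor shows exactly which entries the cache_analytics.yaml copy will differ in, and which overrides would silently be wrong.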
If you are running a sensor version before version 4.1, Capsule8 strongly recommends that you adopt the model outlined above. You will get regularly updated detections from Capsule8 that you can decide to enable in your environment. Capsule8 will do the work for you to break apart your existing policies from the single capsule8-analytics.yaml into the two-file approach detailed above. If you would rather not take this step, the 4.1 and later sensor is backward compatible with your existing capsule8-analytics.yaml policies.