Default Detection Updates: 14 new detections across Detection Analytics, Smart Policy, and Audit detection classes, providing greater visibility of post-exploitation attacker behavior
Ptrace detection now includes target process information in alerts and optionally includes the ability to monitor accesses to process memory via /proc
New file exec alerts now show details on the program that created the new file that was executed. This gives operators more context on the source of new file execution
Incident grouping now includes the creator program in the case of new file exec alerts and the traced program in the case of ptrace alerts
The Capsule8 sensor may now be started and stopped via the console’s hosts page when configured to retrieve detection configuration from the console
Capsule8 Investigations - not just for the cloud anymore: support for storing data to HDFS (Hadoop Distributed File System) to support a wider range of on-premises and cloud computing environments
New arbitrary kernel probe policies have been added which support monitoring kernel functions for activity that matches specific patterns of prohibited behavior
Customizable incident association can now be specified on a policy-by-policy basis
Key Improvements
Packages are now available for Ubuntu 20.04
Improvements have been made to interactive shell, scheduled job change, and memory protection detections to improve the quality of alerts and reduce the frequency of uninteresting audit events
Health check endpoint verifies that more internal components are correctly operating
Policies can now specify whether or not alerts should be triggered if partial lineage data is matched
Data collection can be configured to run in a separate subprocess, which can reduce the frequency of telemetry drops
Better alert load shedding - alerts are now discarded when the output is unable to receive them as fast as they’re being produced.
Improved performance in tracking of filesystem mounts, evaluation of filters, and file write event processing
Updates to our default detections to make them harder, better, faster, stronger
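The alert load shedding item above describes a bounded hand-off between alert producers and a slow output: when the output cannot keep up, new alerts are discarded rather than stalling the sensor. The following is an added illustration of that pattern in Go, written for this page and not taken from the Capsule8 sensor; the Alert type, the Shedder, and the queue capacity are assumptions chosen for the example. The point worth taking from it is that the drop counter is itself a signal: a non-zero drop count means the output is saturated and visibility is being lost, so it should be exported alongside the alerts.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// Alert is a constructed stand-in for a sensor alert record (assumption).
type Alert struct {
	ID   int
	Name string
}

// Shedder decouples alert producers from a slower output. When the bounded
// queue is full the alert is discarded instead of blocking the producer.
type Shedder struct {
	queue    chan Alert
	dropped  int64 // alerts discarded because the queue was full
	accepted int64 // alerts enqueued for delivery
}

// NewShedder builds a shedder whose queue holds at most capacity alerts.
func NewShedder(capacity int) *Shedder {
	return &Shedder{queue: make(chan Alert, capacity)}
}

// Offer enqueues an alert if there is room; otherwise it records a drop.
// The select with a default branch makes this call non-blocking.
func (s *Shedder) Offer(a Alert) bool {
	select {
	case s.queue <- a:
		atomic.AddInt64(&s.accepted, 1)
		return true
	default:
		atomic.AddInt64(&s.dropped, 1)
		return false
	}
}

// Drain hands every queued alert to output in arrival order and returns
// how many were delivered. It stops as soon as the queue is empty.
func (s *Shedder) Drain(output func(Alert)) int {
	n := 0
	for {
		select {
		case a := <-s.queue:
			output(a)
			n++
		default:
			return n
		}
	}
}

// Dropped and Accepted expose the counters so they can be exported as
// health metrics; a rising Dropped value means the output is saturated.
func (s *Shedder) Dropped() int64  { return atomic.LoadInt64(&s.dropped) }
func (s *Shedder) Accepted() int64 { return atomic.LoadInt64(&s.accepted) }

// Simulate models a burst of `burst` alerts arriving while the output is
// stalled, then the output catching up. It returns delivered and dropped counts.
func Simulate(capacity, burst int) (delivered int, dropped int64) {
	s := NewShedder(capacity)
	for i := 0; i < burst; i++ {
		s.Offer(Alert{ID: i, Name: "constructed-alert"}) // constructed sample input
	}
	delivered = s.Drain(func(a Alert) {}) // output catches up and drains the queue
	return delivered, s.Dropped()
}

func main() {
	d, dr := Simulate(8, 20)
	fmt.Printf("delivered=%d dropped=%d\n", d, dr)
}
```

With a queue of 8 and a burst of 20 while the output is stalled, the first 8 alerts are retained and the remaining 12 are dropped and counted; a burst that fits within the queue loses nothing.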
Notable Bug Fixes
Event ordering and downstream data are now more accurate on RHEL 6 and CentOS 6 kernels
An infrequent crash caused by short-lived threads while indexing the initial state of the system at startup has been fixed
Detections which rely on tracking of file writes are now compatible with reduced precision timestamps of ext3 and NFS filesystems