Data Collection
The Capsule8 sensor collects many different data types by default.
- Container lifecycle
- File opens
- Kernel function calls
- Network activity
- Process lifecycle
- Raw system calls
Sensor Architecture
The sensor collects host telemetry through a kprobe event monitor. We use perf, an instrumentation tool within the Linux kernel, to extract kprobe events. The sensor includes a telemetry service via a grpc server to receive telemetry events.
Leveraging this telemetry, the Capsule8 sensor adds detection, integration, and investigation capabilities.
| Component | Description |
|---|---|
| Analytics | A detection engine that analyzes collected events. |
| Integrations | Integrations allow alerts and metaevents to be exported into third party systems. |
| Metaevents | A “flight recorder” that stores facts about the host for use in investigation. |
Comments
0 comments
Please sign in to leave a comment.