Once you’re familiar with Capsule8’s Detections and have successfully added default detections to your environment, you can consider adjusting Capsule8’s default detections to suit your environment. This guide will help you understand the adjustment “levers” you can use to do so.
Content Groups
Capsule8 detection content is grouped to support high-level management of detection groups (Detection Analytics and Smart Policy). To manage the content groups that can be enabled, the enabled_content_groups configuration directive can be used in the host’s configuration file (/etc/capsule8/capsule8-analytics.yaml).
The default configuration for enabled_content_groups is shown below:
enabled_content_groups: - Detection Analytics - Smart Policy
- Audit
The above configuration enabled all detections that are associated with the Detection Analytics and Smart Policy content groups.
Note : Please make sure to include 'Audit' in the message type as in the documentation here.
The grouping of detections is hierarchical, so that all or a subset of detections can be enabled. In the example configuration below, all Smart Policy detections are marked enabled, but only “System Exploitation” is enabled for Detection Analytics:
enabled_content_groups: - Detection Analytics.System Exploitation - Smart Policy
- Audit
Applying the above configuration would effectively disable all Detection Analytics detections that were not related to System Exploitation.
Note for advanced users: Some detections shipped with the Capsule8 content package may be disabled by default at the individual detection level, either due to the potential for the detection to impact performance, or because the detection may carry an increased risk of generating false-positive alerts. If an enabled content group includes one of these detections, that detection will not be enabled by default – it would need to be manually enabled. Further detail regarding configuring individual detections is covered in the next section (Tweak Individual Detections).
Tweaking Individual Detections
While Content Groups provide an easy way to enable or disable a group of detections, sometimes a finer-grained approach is needed. Capsule8 supports tuning the attributes of individual detection mechanisms in order to provide granular enable/disable controls, altering the priority of an alert, changing the response action, and more. Common attribute overrides and examples are included below.
Enabling a default-disabled detection
For a list of default-disabled detections, please refer to the List of Detection Categories and their Individual Detections. As one example, the New File Executed in Container detection is included in Capsule8 content packages, but is disabled by default. The tracking of the file telemetry that supports this detection can have an adverse effect on performance for some systems, hence why you must opt-in to using it.
To enable this detection, the following snippet should be added to the host’s configuration file (/etc/capsule8/capsule8-analytics.yaml):
New File Executed in Container: enabled: true
The above snippet overrides the enabled attribute of the New File Executed in Container detection. Restarting the sensor after having applied the above snippet will enable the New File Executed in Container detection.
Setting a detection to have a “kill” response
All detections provided by Capsule8 are configured to alert by default, but most detections support additional response actions. A common use case for Capsule8 is to set certain detections to an “enforcing” mode that will kill any processes that violate the detection rules.
For example, the Kernel Exploit detection is a good candidate for enforcement, as the detection has a very strong degree of certainty (i.e. very low false positive rate). To enable the “enforcing” mode for Kernel Exploit and kill offending processes in their tracks, override the responseActions attribute for this detection by placing the following override snippet in the host’s configuration file:
Kernel Exploit:
responseActions:
- kill
Restarting the sensor with the above configuration will ensure that any processes that violate the Kernel Exploit detection will be killed if the process generating the detection is still present.
Customizable Attributes
Note that not all properties are customizable, as modification of some attributes would fundamentally change the nature of a detection. If the attributes in this list are insufficient for configuring detections, Configuring Custom Policies describes how to create customized detections for your environment. Custom policy creation and management is a Capsule8 Enterprise feature.
| Detection Attribute | Customizable? | Comments |
|---|---|---|
| policy | no | Fundamentally changes the type of detection |
| enabled | yes | |
| alertMessage | yes | |
| comments | yes | |
| priority | yes | |
| responseActions | yes | |
| dryRun | yes | |
| rules | no | Fundamentally changes detection operation and could result in unexpected behavior |
| alertLabels | yes | |
| additionalCategories | yes | |
| alertDetail | yes | |
| contentGroups | yes |
| List Attribute | Customizable? | Comments |
|---|---|---|
| type | no | Fundamentally changes the type of list |
| description | yes | |
| list | yes |
Where are detections located?
The Capsule8 packaged content is installed in /var/lib/capsule8/content/capsule8-content.yaml, a single content file containing all detections with their default configurations. All of the detections and lists within this file can be overridden with customizations in the host’s configuration file - /etc/capsule8/capsule8-analytics.yaml. While the content file will be updated whenever the Capsule8 content package is upgraded, the host’s configuration file will not be modified by a Capsule8 package and will retain any overrides and customizations across Capsule8 content releases.
The location of the content file is controlled with the content_path configuration directive, which can be applied in the host’s configuration file. By default, the value of content_path is set to /var/lib/capsule8/content/capsule8-content.yaml. Setting a custom content_path will direct the sensor to read content from the specified location.
When a sensor starts up, reads the packed content, and then applies any overrides, the sensor writes a “reference” copy of the merger of the capsule8-content.yaml with the capsule8-analytics.yaml to this location: /var/run/capsule8/cache_analytics.yaml. This cache yaml file represents the result of the merger, which you can inspect or save for debugging or auditing purposes.
If you are running a sensor version before version 4.1, Capsule8 strongly recommends that you adopt the model outlined above. You will get regularly updated Detections from Capsule8 that you can decide to enable in your environment. Capsule8 will do the work for you to break apart your existing policies from the single capsule8-analytics.yaml into the two file approach detailed above. If you would rather not take this step, the 4.1 and later sensor is backward compatible with your existing capsule8-analytics.yaml policies.
Comments
0 comments
Please sign in to leave a comment.