Configuring detections from the Console

You can configure the policy on each node (The capability to configure policy for multiple nodes on a visual editor is coming in the near future).

Requirements

• Capsule8 Sensor version 4.1.1 or later
• Capsule8 Console version 4.1.0 or later, and before 4.4.0

How to enable

1. Set CAPSULE8_CONSOLE_POLICY_CONFIG_ENABLED in the console deployment to true

2. Get a 10 year token from the console. Two ways to do this:

• Generate a token on the command line capsule8-console generate-token --host
• (with CAPSULE8_CONSOLE_ALERT_BLOB_STORAGE_ENABLED set to false) click the “Add Host” button on <console-url>/app/hosts

3. Edit capsule8-sensor.yaml:

policy_input:
  url: https://<console-url>/policy/via-metadata
  headers:
    Authorization: "BEARER <token>"

How to configure

1. Under the “Hosts” page <console-url>/app/hosts, click on a host you would like to configure the policy for.

2. Under the hostname, click on the “Policy Set” button.

3. You will find a text editor to edit the YAML configuration file that is deployed to the host. This policy supersedes any locally installed /etc/capsule8/capsule8-analytics.yaml configuration as well as capsule8-content package, if installed.