Monitoring your systems for unwanted activity requires defining it first. Capsule8’s detection policies provide you with deep insight into your systems’ behaviors, from program monitoring detecting exploitation attempts to granular policy enforcement based on program, user, network, or file activity.
Learn how to configure and deploy your detection policies to one or more sensors from the console.
- Console 4.4.0 or later with remote policy configuration enabled
- Sensor 4.2.0 or later
Some features are not available when configuring detections from the Capsule8 Console:
- Automated Responses like kill, quarantine, and stop are not available.
- uprobe strategies are not available.
Configure and Deploy Detection Policy Set
You can create and configure your detection policies under the "Detection" page. Under "Detection," you will find a list of policy sets that you may deploy to one or more sensors to implement Capsule8's detection. A policy set is composed of individual policies, each made up of rules and any policy-specific parameters. These policies determine how the data collected and analyzed should be acted upon.
Once a policy set is deployed, it will begin generating events when it encounters system activity matching its specified configuration. You can configure integrations with third-party services so that common operations systems – SIEMs, Slack, PagerDuty – or other custom endpoints reached via webhooks are notified of detected events.
If multiple policy sets are assigned to a particular sensor, the most recently applied policy set takes effect on that sensor.
How to create a policy set
Under the "Detection" page, click "New Policy Set."
In the text editor, you can find an example of Capsule8's default configuration. If you would like to tweak the default configuration, take a look at the list of detection categories and their individual detections. You may also paste a YAML configuration into the text editor.
Follow the instructions below on how to deploy a policy set to complete the set up.
Please note that for the Console 4.4 release, you cannot create or delete policy sets using the visual editor. For the time being, you can build a policy set using the YAML editor.
How to edit a policy set
Under the "Detection" page, select the policy set you would like to configure. Below is an example of a policy set page.
There are four attributes you can edit on the policy set page – make sure to click "Save and Apply" after making any changes to the following:
- Name of policy set
- Assigned policies within this policy set
  - Quickly enable or disable a policy using a toggle
  - Edit individual policies
- Lists in Use
- Assigned Resources
Please note that for the Console 4.4 release, you cannot create or delete policies and lists using the visual editor. For the time being, you can switch to the YAML editor for these capabilities.
How to edit policies
Click on the policy you would like to edit under "Assigned Policies." You can configure the rules and any policy-specific parameters of the selected policy.
- Enabled: Toggle to enable or disable
- Comments: Description of this policy that will be emitted when triggered
- Event labels: user-defined labels for a policy that will be emitted when triggered
- Alert Message
- Response Action: Set automated response
Not all policy types can support all response actions as each policy type detects different behaviors that require different responses.
- Rules: Each policy exposes a set of valid fields that can be used for the construction of higher-level rules in policy instances. In each policy instance definition, the rules define how an alert will be generated upon the receipt of an event.
  - Click "+" to add an AND statement to the existing rule
  - Click "+ Add Rule" to add an additional statement
  - You can point to a list here using $ListName (e.g. $BLKMapps in the example above)
Make sure to click "OK" to apply the changes you've made here.
How to edit lists
Policy rules can use lists for even more control over when and how events should be fired. Lists are particularly useful for configuring policies to block or allow certain behavior. Capsule8 supports four data types for lists: names, hosts, paths, and numbers (along with an experimental lineage type). For more detail, look at creating custom detection policies.
If there is a list in the policy set, it will appear under "Lists in Use".
- Name of list*
- Type of list*
- Rules that belong in the list
  - Add, remove, and edit the rules within the list
  - Click "–" to remove a rule
  - Click "+ Add an entry" to add a rule
  - Rules can be edited in the string field
*To edit these attributes, switch to the YAML editor.
How to deploy a policy set
"Assigned Resources" is used to specify which sensors a policy set will be deployed on. One or more parameters may be chosen, and each must have a single value. The policy set will be applied to every sensor that matches all parameters when those sensors request a configuration.
Note that if you create another configuration that also matches the sensor, the most recent configuration will be applied, overwriting this one.
Apply a policy set to a single sensor
- Since we are applying a policy to a single sensor, choose the "Hostname" parameter under "Assigned Resources".
- Navigate the list or use the search element to select the hostname of the sensor that should receive this policy.
- Click "Save and Apply"
Apply a policy set to multiple sensors
- Instead of choosing the "Hostname" parameter, choose a broader parameter, for instance, "Capsule8 Sensor Version" under "Assigned Resources."
- Choose a value for the parameter.
- Click "Save and Apply"
Deleting Policy Set(s)
Go to the section "Detection". Available policy sets will be displayed as shown below.
Click on the checkbox next to the policy set(s) that need to be deleted. Please note that the Delete button will be disabled until at least one policy set is selected.
Once the required policy sets are selected, click on the Delete button. Confirm on the pop-up message by selecting "Yes, Delete" to delete the selected policy set(s).
If any changes have to be made, click "No" to go back to the policy sets table, then repeat the above steps to delete the required policy sets.
- The Console 4.4.0 release limits the available resource 'key' criteria to Environment, Architecture, Hostname, In Container, uname, Sensor Version, and Kernel Release.
- When assigning resources, only "AND" logic is supported. For instance, selecting both "env:production" (Environment is the key, and Production is the value) and "uname_os:linux" (uname is the key, and Linux is the value) will not apply the policy set to a Windows machine in a production environment, nor to a Linux machine in a staging environment.
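The resource-matching behaviour described above (every assigned parameter must match, and when several policy sets match a sensor the most recently applied one overwrites the others), worked through in Python as an added example. This is not Capsule8 code; the key names other than env and uname_os, the timestamps and the sensor attributes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Resource keys the page lists for Console 4.4.0. Only "env" and "uname_os"
# appear literally on the page; the other spellings are constructed shorthand.
ALLOWED_KEYS = {"env", "arch", "hostname", "in_container", "uname_os",
                "sensor_version", "kernel_release"}


@dataclass
class PolicySet:
    name: str
    applied_at: datetime        # when "Save and Apply" was clicked
    resources: Dict[str, str]   # assigned resources: each key has exactly one value

    def matches(self, sensor: Dict[str, str]) -> bool:
        """AND logic: every assigned key must equal the sensor's attribute."""
        unknown = set(self.resources) - ALLOWED_KEYS
        if unknown:
            raise ValueError(f"unsupported resource key(s): {sorted(unknown)}")
        return all(sensor.get(k) == v for k, v in self.resources.items())


def effective_policy_set(sensor: Dict[str, str],
                         policy_sets: List[PolicySet]) -> Optional[PolicySet]:
    """The set a sensor will actually run: of all matching sets, the most
    recently applied one wins and silently overrides the rest."""
    candidates = [p for p in policy_sets if p.matches(sensor)]
    return max(candidates, key=lambda p: p.applied_at) if candidates else None


def overshadowed(sensor: Dict[str, str], policy_sets: List[PolicySet]) -> List[str]:
    """Matching sets that will NOT take effect because a newer match exists.
    Handy for auditing a deployment before clicking Save and Apply."""
    winner = effective_policy_set(sensor, policy_sets)
    return [p.name for p in policy_sets if p.matches(sensor) and p is not winner]


# Constructed sample sensors and policy sets
PROD_LINUX = {"env": "production", "uname_os": "linux", "hostname": "web-01"}
STAGING_LINUX = {"env": "staging", "uname_os": "linux", "hostname": "web-02"}
PROD_WINDOWS = {"env": "production", "uname_os": "windows", "hostname": "win-01"}

POLICY_SETS = [
    PolicySet("baseline", datetime(2021, 1, 1), {"uname_os": "linux"}),
    PolicySet("prod-linux-hardened", datetime(2021, 2, 1),
              {"env": "production", "uname_os": "linux"}),
    PolicySet("web-01-only", datetime(2021, 1, 15), {"hostname": "web-01"}),
]
```

Run against PROD_LINUX, all three sets match, but only prod-linux-hardened (applied last) takes effect, so the host-specific web-01-only set never reaches the sensor.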