- Adds 5.12 and 5.13 Linux compatibility
- Alert location information now includes Kubernetes labels.
- Enable restriction of policy types based on node metadata
- Container IDs are now included in connection metaevents
- Add support for delete and quarantine response action for new file exec
- Adds the ability to generate a test alert with the -test-alert flag to ensure Capsule8 Sensor and the Detection Content are properly installed and configured.
- AWS EKS service roles are now supported for managing Capsule8 Sensor access to cloud resources
- New detection: unusual access to Docker sockets
- New detection: coverage for suspicious command executions through sudo
- New detection: suspicious (non-SSH) remote interactive shell sessions
- Reduced overall overhead of file detections
- Improved Yara scan status messages which was previously generating inappropriate alerts
- Reduced overall memory usage
- Process ancestry alert information is now more accurate
- SegFault alert detection now applies on the process level rather than the thread level
- Custom kprobe and uprobe policies are now treated as separate event types
- Lost data is now less able to cause false positives in unauthorized kernel credential change detections and other data inconsistencies
- Health check now waits for analytics to be processing data before returning healthy
- Parquet file increments are now configurable allowing for larger, more efficient writes.
- Detect support for 5-level page tables on x86_64 for kernel payload and container escape detections
- More accurate event ordering using periodic perfmarker
- Improved detection of common kernel exploitation techniques
Notable Bug Fixes
- Fixed bug in processtree which could cause incorrect container information