This document describes a legacy configuration method for choosing which resources should receive a given policy set.
Users running Console 4.8.0 or later should instead refer to Deploy Detections from the Console.
The "Assigned Resources" interface on the New Detection and Edit Detection pages is used to specify which sensors a policy set will be deployed on. One or more parameters may be chosen, and each must have a single value. The policy set will be applied to every sensor that matches all parameters when that sensor requests a configuration.
Note that if you create another configuration that also matches the sensor, the most recent configuration will be applied, overwriting this one.
"Recommended" parameters include:
- Environment: Determines the environment in which the policy will be executed, for example Production.
- Hostname: Determines the host on which the policy will be executed. This parameter is used when applying the policy to a single sensor.
- In Container: Determines whether the policy will be used inside a container or not. It takes the values True or False.
- Capsule8 Sensor Version: Determines which sensor versions the policy will be applied to. This can be used when a policy needs to be assigned to multiple sensors.
- Kernel Release: Determines which versions of Linux this policy applies to.
Users of Console 4.7.x may instead choose from "All" parameters, which lets them select from any metadata item that is present on a connected sensor.
- The Console 4.6.0 release limits the available resource 'key' criteria to Environment, Architecture, Hostname, In Container, uname, Sensor Version, and Kernel Release.
- When assigning resources, only "AND" logic is supported. For instance, selecting both "env:production" (Environment is the key, and Production is the value) and "uname_os:linux" (uname is the key, and Linux is the value) will not apply the policy set to a Windows machine in a production environment, nor to a Linux machine in a staging environment.
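The two rules above (AND-only matching, and the most recent matching configuration overwriting earlier ones) can leave sensors with no policy set or with an unexpectedly shadowed one. The following is an added example, not Capsule8 code or its API: it models the rules over constructed sensor metadata to audit coverage. The `in_container` key name, the `created` ordering field, exact string comparison, and all policy set and sensor names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Assignment:
    policy_set: str  # constructed policy set name
    created: int     # assumed ordering field; higher means more recent
    params: dict     # key -> the single value that key must have

def matches(assignment, sensor_meta):
    """AND-only logic: every chosen parameter must equal the sensor's value."""
    return all(sensor_meta.get(k) == v for k, v in assignment.params.items())

def audit(assignments, sensors):
    """For each sensor, report the effective policy set and any shadowed ones."""
    report = {}
    for name, meta in sensors.items():
        hits = sorted((a for a in assignments if matches(a, meta)),
                      key=lambda a: a.created)
        report[name] = {
            # The most recent matching configuration overwrites the others.
            "effective": hits[-1].policy_set if hits else None,
            "shadowed": [a.policy_set for a in hits[:-1]],
        }
    return report

# Constructed sample data (not taken from a real deployment).
ASSIGNMENTS = [
    Assignment("prod-linux-baseline", 1,
               {"env": "production", "uname_os": "linux"}),
    Assignment("prod-containers", 2,
               {"env": "production", "in_container": "true"}),
]
SENSORS = {
    "prod-linux-host": {"env": "production", "uname_os": "linux", "in_container": "false"},
    "prod-linux-ctr": {"env": "production", "uname_os": "linux", "in_container": "true"},
    "prod-windows": {"env": "production", "uname_os": "windows", "in_container": "false"},
    "staging-linux": {"env": "staging", "uname_os": "linux", "in_container": "false"},
}

if __name__ == "__main__":
    for sensor, result in audit(ASSIGNMENTS, SENSORS).items():
        print(f"{sensor}: effective={result['effective']} shadowed={result['shadowed']}")
```

Sensors reported with no effective policy set are coverage gaps, and a non-empty shadowed list shows where a later configuration has replaced an earlier one on that sensor.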