Capsule8 Docs

Automated Response Dry Runs

Before enabling automated responses, we recommend enabling dry runs so you can see how response actions would affect your environment before they actually fire. With a dry run, the policy still generates its alert, but the response action is recorded as "would have taken" rather than executed. For any policy that supports response actions, specify dryRun: true in its configuration to enable dry runs.

The following example demonstrates this applied to a Program Policy:

Enforced Wget Blocklist:
  policy: program
  responseAction: kill
  dryRun: true
  alertMessage: Unauthorized execution of wget
  comments: This policy detects and kills instances of wget running
  priority: High
  enabled: true
  rules:
  - match programName == "/usr/bin/wget"
  - default ignore

The following JSON is a truncated example alert demonstrating a successful dry-run result. The first notification is the policy match itself; the second records the response action that would have been taken, with action_result set to "dry run" instead of the process being killed:

"notifications": [
    {
      "timestamp": "2019-04-17T01:48:37.995942203-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "7fe1b7b5-aca0-40e5-a5b8-fc0b6fe55ca9",
      "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blocklist\" Program Policy.",
      "message_fields": {}
    },
    {
      "timestamp": "2019-04-17T01:48:37.995942203-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "7fe1b7b5-aca0-40e5-a5b8-fc0b6fe55ca9",
      "message": "Would have taken responseAction: kill",
      "message_fields": {
        "action_type": "kill",
        "action_target_type": "process",
        "action_result": "dry run"
      }
    }
  ],
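Before switching dryRun to false, it is worth reviewing a window of alerts to see exactly what each policy would have done. The following script is an added example for this page, not Capsule8 code: it parses alerts in the shape shown above, counts the dry-run actions per policy and target, and flags any response action whose action_result is not "dry run". The sample alerts are constructed inline; the third alert's "killed" result and "Took responseAction" wording are assumptions used to exercise the warning path, since the page only documents the "dry run" value.

```python
import json
from collections import Counter

DRY_RUN_RESULT = "dry run"  # the action_result value shown for a dry run in the example alert


def parse_alerts(raw: str) -> list:
    """Parse a JSON document holding one alert or an array of alerts."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def response_notifications(alert: dict):
    """Yield (notification, message_fields) for entries that record a response action."""
    for note in alert.get("notifications", []):
        fields = note.get("message_fields") or {}
        if "action_type" in fields:
            yield note, fields


def summarize(alerts: list):
    """Count dry-run actions per (policy, action, target) and list any non-dry-run actions."""
    dry_runs = Counter()
    live_actions = []
    for alert in alerts:
        for note, fields in response_notifications(alert):
            key = (note.get("name"), fields["action_type"], fields.get("action_target_type"))
            if fields.get("action_result") == DRY_RUN_RESULT:
                dry_runs[key] += 1
            else:
                live_actions.append({"name": note.get("name"), "uuid": note.get("uuid"),
                                     "action_result": fields.get("action_result")})
    return dry_runs, live_actions


def safe_to_enforce(alerts: list) -> bool:
    """True when every response action seen in the window was a dry run."""
    return not summarize(alerts)[1]


def _notification(name, uuid, message, fields):
    return {"timestamp": "2019-04-17T01:48:37.995942203-04:00", "name": name,
            "uuid": uuid, "message": message, "message_fields": fields}


def _dry_run_alert(name, uuid, program):
    """Build an alert with the two notifications a dry run produces."""
    return {"notifications": [
        _notification(name, uuid,
                      f'The program "{program}" was executed, which violated the "{name}" Program Policy.', {}),
        _notification(name, uuid, "Would have taken responseAction: kill",
                      {"action_type": "kill", "action_target_type": "process",
                       "action_result": DRY_RUN_RESULT}),
    ]}


# Constructed sample: two dry-run alerts from the wget policy, plus one hypothetical
# alert whose action_result is not "dry run" ("killed" and the message wording are
# assumptions; the page documents only the dry-run result).
SAMPLE_ALERTS_JSON = json.dumps([
    _dry_run_alert("Enforced Wget Blocklist", "00000000-0000-0000-0000-000000000001", "/usr/bin/wget"),
    _dry_run_alert("Enforced Wget Blocklist", "00000000-0000-0000-0000-000000000002", "/usr/bin/wget"),
    {"notifications": [
        _notification("Enforced Wget Blocklist", "00000000-0000-0000-0000-000000000003",
                      "Took responseAction: kill",  # hypothetical wording
                      {"action_type": "kill", "action_target_type": "process",
                       "action_result": "killed"}),  # hypothetical value
    ]},
])


def report(raw: str) -> str:
    """Render a short review of what the policies would have done, with a warning for live actions."""
    dry_runs, live_actions = summarize(parse_alerts(raw))
    lines = ["Dry-run actions that would have fired:"]
    for (name, action, target), count in sorted(dry_runs.items()):
        lines.append(f"  {name}: {action} {target} x{count}")
    if live_actions:
        lines.append("WARNING: response actions that were NOT dry runs:")
        for item in live_actions:
            lines.append(f"  {item['name']} ({item['uuid']}): {item['action_result']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS_JSON))
```

Feed it a day or two of exported alerts in place of the constructed sample; anything listed under the WARNING line means a policy already executed its action, so dryRun was not set on that policy.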