Capsule8 Docs
Capsule8 Docs

Getting Started with Default Detections

This section describes the minimal steps – the “hello world,” if you will – needed to obtain, apply and validate that Capsule8 Protect content is functioning.

Installing and applying Capsule8 Detections

Instructions for acquiring and applying default content for your environment and sensor version can be found in the sensor installation guide here.

Testing that Capsule8 Detections are deployed

Once the sensor and content are installed, it’s a good idea to test that the content is properly deployed and that the generated alerts are going to the right place. The quickest way to test this is to cause an alert for a suspicious interactive shell:

  1. Ensure the sensor is started on the host that you wish to test.
    • If on a node: systemctl status capsule8-sensor
    • If using Kubernetes: kubectl get pods --all-namespaces | grep capsule8-sensor
  2. Start a new interactive shell on the test host. This could be via SSH or a kubectl exec. This shell should not create an alert, as SSH and kubectl are not suspicious methods for starting an interactive shell.
  3. In your new shell, create a new shell with the command: sh -i
    • Specifying interactivity with the -i flag is common for illegitimate interactive shells, and one of the ways that Capsule8 detects unauthorized shell access.
  4. Look for a Suspicious Interactive Shell alert in the alert output you configured.

Keeping Capsule8 Detections Up to Date

If you have installed Capsule8 content using a standard package manager, updates will be made available in the Capsule8 package repository, much the same as the sensor - and will adhere to the system update management programs you have in place (e.g. weekly apt updates).

Next up: Adjusting Default Detections

Once you feel comfortable with Capsule8’s default detections running in your environments, you can explore adjusting default detections.