Getting Started with Default Detections
This section describes the minimal steps – the “hello world,” if you will – needed to obtain and apply Capsule8 Protect content and to validate that it is functioning.
Installing and applying Capsule8 Detections
Instructions for acquiring and applying default content for your environment and sensor version can be found in the sensor installation guide here.
Testing that Capsule8 Detections are deployed
Once the sensor and content are installed, it’s a good idea to test that the content is properly deployed and that the generated alerts are going to the right place. The quickest way to test this is to cause an alert for a suspicious interactive shell:
- Ensure the sensor is started on the host that you wish to test.
  - If on a node: `systemctl status capsule8-sensor`
  - If using Kubernetes: `kubectl get pods --all-namespaces | grep capsule8-sensor`
- Start a new interactive shell on the test host. This could be via SSH or a kubectl exec. This shell should not create an alert, as SSH and kubectl are not suspicious methods for starting an interactive shell.
- In your new shell, create a new shell with the command:
- Specifying interactivity with the -i flag is common for illegitimate interactive shells, and one of the ways that Capsule8 detects unauthorized shell access.
- Look for a Suspicious Interactive Shell alert in the alert output you configured.
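The steps above can be scripted as a repeatable smoke test that is run after every sensor or content update. The script below is an added example, not part of the Capsule8 documentation or tooling. It assumes an alert log path (`ALERT_LOG`, override it to match the alert output you configured), uses `sh -i -c 'exit 0'` as the concrete form of the `-i` test shell, and assumes the alert text contains the words "Suspicious Interactive Shell"; adjust `ALERT_PATTERN` if your output format differs.

```shell
#!/bin/sh
# Added example (not Capsule8's own tooling): check that the sensor is running,
# trigger the "suspicious interactive shell" test, and confirm an alert arrived.

# Assumption: file your alert output is written to. Override via the environment.
ALERT_LOG="${ALERT_LOG:-/var/log/capsule8/alerts.log}"
# Assumption: text that identifies the expected alert in that file.
ALERT_PATTERN="Suspicious Interactive Shell"

# Print how the sensor is deployed on this host: "systemd", "kubernetes" or "none".
# `systemctl status` on the page is for humans; `is-active` gives a clean exit code.
sensor_deployment() {
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet capsule8-sensor 2>/dev/null; then
        echo systemd
    elif command -v kubectl >/dev/null 2>&1 &&
         kubectl get pods --all-namespaces 2>/dev/null | grep -q capsule8-sensor; then
        echo kubernetes
    else
        echo none
    fi
}

# Trigger the detection: start a shell with -i (the flag the page says is common
# for illegitimate interactive shells) and make it exit at once.
trigger_interactive_shell() {
    sh -i -c 'exit 0' </dev/null >/dev/null 2>&1
}

# Current line count of a log file (0 if it does not exist yet). Recorded before
# the trigger so that stale alerts from earlier tests are not counted.
alert_log_lines() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# Succeed only if ALERT_PATTERN appears in $1 after line number $2 (the baseline).
new_alert_found() {
    [ -f "$1" ] || return 1
    tail -n +"$(( $2 + 1 ))" "$1" | grep -q "$ALERT_PATTERN"
}

run_smoke_test() {
    deployment=$(sensor_deployment)
    if [ "$deployment" = none ]; then
        echo "capsule8-sensor is not running on this host; start it before testing" >&2
        return 2
    fi
    echo "sensor running ($deployment); triggering test shell"
    baseline=$(alert_log_lines "$ALERT_LOG")
    trigger_interactive_shell
    sleep 2   # give the sensor a moment to emit and forward the alert
    if new_alert_found "$ALERT_LOG" "$baseline"; then
        echo "PASS: '$ALERT_PATTERN' alert found in $ALERT_LOG"
    else
        echo "FAIL: no '$ALERT_PATTERN' alert in $ALERT_LOG; check content and alert output" >&2
        return 1
    fi
}

# Run the full test only when invoked as: sh smoke.sh run
if [ "${1:-}" = "run" ]; then
    run_smoke_test
fi
```

Run it from a fresh SSH or `kubectl exec` session, exactly as the manual procedure describes; a `FAIL` means either the content is not loaded or alerts are being sent somewhere other than `ALERT_LOG`, and a non-zero exit code lets a deployment pipeline stop on a broken detection path.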
Keeping Capsule8 Detections Up to Date
If you have installed Capsule8 content using a standard package manager, updates will be made available in the Capsule8 package repository, much the same as the sensor - and will adhere to the system update management programs you have in place (e.g. weekly