Capsule8 Docs
Capsule8 Docs

Getting Started: What is a Detection?

Capsule8’s Detection refers to the capability of spotting unwanted activity on Linux-based systems and either generating an alert or creating a log record for these events.

Capsule8 provides two tiers of Detection, Protect and Enterprise. Both rest upon the same analytics capabilities and same host-based sensor. This article will focus on Protect deployments, rather than Enterprise deployments.

All of the detections provided in the Protect tier are enabled by default, but are configurable with constraints. You may change the priority of a Detection or add an entry to an allow list. Protect Detections are designed to allow you to receive and apply regular Detection updates from Capsule8, without breaking any customizations you’ve made.

We recommend enabling and trying out the Protect Tier’s features in the sequence outlined below – that is, enabling and evaluating Detection Analytics first, and then Smart Policy.

Read on to learn more about what detection is included in the Product tier and the Enteprise Tier, then dig deeper by reading about the types of detections Capsule8 makes available. Once you’ve finished reading through those, we recommend continuing with Getting Started with Default Detections.

Protect Tier

The Protect tier includes two types of detection bundles: Detection Analytics and Smart Policy.

Detection Analytics

Default content

Detections included in Detection Analytics are enabled by default.

The bundle of detections in Detection Analytics provides immediate attack detection without any configuration, tuning, or filtering required. It includes out-of-the-box detection of privilege escalation, kernel exploitation, backdoors, unusual application behavior, memory corruption, tampering of security mechanisms, and container escapes.

These detections are specifically created to be stable, performant, and unlikely to generate a false positive in their default configuration.

Smart Policy

Default content

Detections included in Smart Policy are enabled by default.

The bundle of detections in Smart Policy catches unwanted attacker or developer behavior that could jeopardize security and performance. It includes detection of security-related events based on user, process, file system, and network activity.

These are detections which are too noisy on their own, but are highly relevant when associated with an incident. For example, a chmod of a file may sometimes be legitimate; but when it’s associated with an event from Detection Analytics, it becomes worthy of an alert.

Smart policy alerts are identified in a way which allows the Capsule8 console (or your SIEM) to group alerts together.

Enterprise Tier

Audit Trail

Audit Trail allows you to audit all suspicious system events to aid in incident response and investigation. It records all Smart Policy detections, even if they aren’t associated with an incident.

Custom Policy

This allows you to create your own rulesets and allowlists / blocklists based on your unique concerns and environments. You can define custom policies for specific events by leveraging detailed system metadata to carefully control the conditions that trigger detection.

The Capsule8 analytics configuration enables you to create custom policies to generate additional Detection Analytics, Smart Policy, and Audit Trail events, which is covered in the Creating Custom Policies guide.