Capsule8 Docs

Version 4.2.0

What’s New

  • Default Detection Updates: 14 new detections across Detection Analytics, Smart Policy, and Audit detection classes, providing greater visibility of post-exploitation attacker behavior
  • Ptrace detection now includes target process information in alerts and optionally includes the ability to monitor accesses to process memory via /proc
  • New file exec alerts now show details on the program that created the new file that was executed. This gives operators more context on the source of new file execution
  • Incident grouping now includes the creator program in the case of new file exec alerts and the traced program in the case of ptrace alerts
  • The Capsule8 sensor may now be started and stopped via the console’s hosts page when configured to retrieve detection configuration from the console
  • Capsule8 Investigations - not just for the cloud anymore: support for storing data to HDFS (Hadoop Distributed File System) to support a wider range of on-premises and cloud computing environments
  • New arbitrary kernel probe policies have been added, which support monitoring kernel functions for activity that matches specific patterns of prohibited behaviour
  • Customizable incident association can now be specified on a policy-by-policy basis

Key Improvements

  • Packages are now available for Ubuntu 20.04
  • Improvements have been made to interactive shell, scheduled job change, and memory protection detections to improve the quality of alerts and reduce the frequency of uninteresting audit events
  • Health check endpoint verifies that more internal components are correctly operating
  • Policies can now specify whether or not alerts should be triggered if partial lineage data is matched
  • Data collection can be configured to run in a separate subprocess, which can reduce the frequency of telemetry drops
  • Better alert load shedding - alerts are now discarded when the output is unable to receive them as fast as they’re being produced.
  • Improved performance in tracking of filesystem mounts, evaluation of filters, and file write event processing
  • Updates to our default detections to make them harder, better, faster, stronger

Notable Bug Fixes

  • Event ordering and downstream data are now more accurate on RHEL 6 and CentOS 6 kernels
  • An infrequent crash caused by short-lived threads while indexing the initial state of the system at startup has been fixed
  • Detections which rely on tracking of file writes are now compatible with reduced precision timestamps of ext3 and NFS filesystems