Capsule8 Docs

Automated Response Dry Runs

Before enabling automated responses, we recommend running them in dry-run mode first so you can see which response actions would fire and what they would affect in your environment. For any strategy that supports response actions, set dryRun: true in its configuration; the strategy then reports the action it would have taken without actually executing it.

The following example demonstrates this applied to a Program strategy:

Enforced Wget Blacklist:
  policy: program
  responseAction: kill
  dryRun: true
  alertMessage: Unauthorized execution of wget
  comments: This strategy detects and kills instances of wget running
  priority: High
  enabled: true
  rules:
  - match programName == "/usr/bin/wget"
  - default ignore

The following JSON is a truncated example alert demonstrating a successful “dry run” result:

"notifications": [
    {
      "timestamp": "2019-04-17T01:48:37.995942203-04:00",
      "name": "Enforced Wget Blacklist",
      "uuid": "7fe1b7b5-aca0-40e5-a5b8-fc0b6fe55ca9",
      "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blacklist\" Program Policy.",
      "message_fields": {}
    },
    {
      "timestamp": "2019-04-17T01:48:37.995942203-04:00",
      "name": "Enforced Wget Blacklist",
      "uuid": "7fe1b7b5-aca0-40e5-a5b8-fc0b6fe55ca9",
      "message": "Would have taken responseAction: kill",
      "message_fields": {
        "action_type": "kill",
        "action_target_type": "process",
        "action_result": "dry run"
      }
    }
  ],
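As an added example (not Capsule8's own code), a small Python helper for reviewing a batch of alert notifications before switching dryRun off: it groups notifications by uuid, since the example above shows a detection and its response notification sharing one uuid, and reports whether each response was only simulated. The sample alert is constructed from the example above; the third, detection-only entry and the treatment of any action_result other than "dry run" as a real action are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample alert, modelled on the truncated example above: the
# detection and the response notification share one uuid.
SAMPLE_ALERT = json.dumps({"notifications": [
    {"timestamp": "2019-04-17T01:48:37.995942203-04:00",
     "name": "Enforced Wget Blacklist",
     "uuid": "7fe1b7b5-aca0-40e5-a5b8-fc0b6fe55ca9",
     "message": "The program \"/usr/bin/wget\" was executed, which violated the "
                "\"Enforced Wget Blacklist\" Program Policy.",
     "message_fields": {}},
    {"timestamp": "2019-04-17T01:48:37.995942203-04:00",
     "name": "Enforced Wget Blacklist",
     "uuid": "7fe1b7b5-aca0-40e5-a5b8-fc0b6fe55ca9",
     "message": "Would have taken responseAction: kill",
     "message_fields": {"action_type": "kill", "action_target_type": "process",
                        "action_result": "dry run"}},
    # Constructed (assumption): a strategy without a responseAction emits only a detection.
    {"timestamp": "2019-04-17T01:50:00.000000000-04:00",
     "name": "Curl Watch (constructed)",
     "uuid": "00000000-0000-4000-8000-000000000001",
     "message": "The program \"/usr/bin/curl\" was executed.",
     "message_fields": {}},
]})


def classify_alerts(alert_json):
    """Map each alert uuid to its strategy name, status and the response actions seen.
    status is "dry run" if every response was only simulated, "detection only" if no
    response notification exists, else "enforced" (assumption: any action_result
    other than "dry run" means the action really ran)."""
    by_uuid = defaultdict(list)
    for note in json.loads(alert_json).get("notifications", []):
        by_uuid[note["uuid"]].append(note)
    result = {}
    for uuid, notes in by_uuid.items():
        # Response notifications are the ones carrying action_* message_fields.
        actions = [n.get("message_fields") or {} for n in notes
                   if (n.get("message_fields") or {}).get("action_type")]
        if not actions:
            status = "detection only"
        elif all(a.get("action_result") == "dry run" for a in actions):
            status = "dry run"
        else:
            status = "enforced"
        result[uuid] = {"name": notes[0]["name"], "status": status,
                        "actions": [(a["action_type"], a.get("action_target_type")) for a in actions]}
    return result
```

Any uuid reported as "enforced" while you believe you are still in dry-run mode points at a strategy that is missing dryRun: true.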