How Capsule8 Enables Incident Investigations

Capsule8 helps organizations collect and understand all the data needed to respond to incidents involving their enterprise Linux infrastructure, without having to reinvent the wheel with costly manual effort.

Capsule8’s sensor generates low-level telemetry about enterprise Linux resources — whether containers, VMs, or servers — then outputs higher-level event data into cloud bucket storage. By using the Apache Parquet format, Capsule8’s event data is queryable by popular interactive querying services like AWS Athena, GCP Big Query, or Apache Hive, removing the need for your teams to deploy or learn new tools.

Create an on-demand security database – without the manual effort

By leveraging native cloud functionality, including AWS Athena and Google’s BigQuery, organizations can create an on-demand database for security-relevant data, making that data accessible for practitioners seeking additional context about alerts and system activities. Capsule8 tackles the expensive data warehousing problem that can limit security investigations, instead giving organizations the benefit of a scalable data pipeline with minimal setup and maintenance.

Quickly determine what transpired in an incident

Capsule8 Investigations lets organizations easily query their enterprise Linux infrastructure, surfacing system activity ranging from network connections to process activity and everything in between. Doing so enables organizations to determine exactly what happened in an incident and how it happened, tracing the actions taken by all users involved. Armed with this information, incident responders can more efficiently plan and conduct their investigations.

For instance, incident responders can query Linux hosts using SQL syntax to answer critical questions such as:

  • Which users have run a command through sudo?
  • Which programs and their users were connected to a given IP?
  • Which containers or images have run on my cluster, and where?
  • What are all the shell commands relevant to this incident?
  • What are all the alerts relevant to this incident?
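As an added illustration of what those questions look like as queries (example code written here, not Capsule8's own documentation or schema), the following Athena SQL defines an external table over Parquet event data and answers the first four questions. The table name `capsule8_events`, every column name, the event type values, the bucket path, and the IP and time window are assumptions for illustration; a real deployment would use the field names that the sensor actually emits.

```sql
-- Added example; the schema, event_type values and S3 path are assumptions.
-- Athena reads the Parquet files in place, so no data is copied or loaded.
CREATE EXTERNAL TABLE IF NOT EXISTS capsule8_events (
  event_time    timestamp,
  event_type    string,   -- assumed values: 'process_exec', 'network_connect', 'container_start'
  hostname      string,
  container_id  string,
  image_name    string,
  username      string,
  pid           int,
  parent_pid    int,
  program       string,   -- path of the executed binary
  command_line  string,
  remote_ip     string,
  remote_port   int
)
STORED AS PARQUET
LOCATION 's3://example-bucket/capsule8/events/';

-- 1. Which users have run a command through sudo?
--    The sudo process itself runs as the invoking user; the command it launches
--    runs as root, so the child exec is joined back to its sudo parent on the
--    same host to attribute the command to the person who typed it.
SELECT s.event_time, s.hostname, s.username AS invoking_user, c.command_line AS elevated_command
FROM capsule8_events s
JOIN capsule8_events c
  ON  c.parent_pid = s.pid
  AND c.hostname   = s.hostname
  AND c.event_type = 'process_exec'
  AND c.event_time BETWEEN s.event_time AND s.event_time + INTERVAL '5' MINUTE  -- pids are reused; bound the window
WHERE s.event_type = 'process_exec'
  AND s.program = '/usr/bin/sudo'
ORDER BY s.event_time;

-- 2. Which programs, and which users, connected to a given IP?
SELECT DISTINCT hostname, username, program, remote_port
FROM capsule8_events
WHERE event_type = 'network_connect'
  AND remote_ip = '203.0.113.10';   -- documentation-range address used as a placeholder

-- 3. Which containers or images have run on the cluster, and where?
SELECT image_name, container_id, hostname,
       MIN(event_time) AS first_seen, MAX(event_time) AS last_seen
FROM capsule8_events
WHERE event_type = 'container_start'
GROUP BY image_name, container_id, hostname
ORDER BY first_seen;

-- 4. All shell commands inside the incident window, oldest first.
SELECT event_time, hostname, container_id, username, command_line
FROM capsule8_events
WHERE event_type = 'process_exec'
  AND program IN ('/bin/sh', '/bin/bash', '/bin/dash', '/usr/bin/zsh')
  AND event_time BETWEEN timestamp '2020-06-01 00:00:00' AND timestamp '2020-06-02 00:00:00'
ORDER BY event_time;
```

Because Athena bills by bytes scanned, partitioning the Parquet data by date (and restricting every query to the incident window, as the last query does) keeps investigation queries both fast and cheap; the same statements run unchanged in any Presto/Trino-compatible engine.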

Capsule8’s Investigations in action with AWS Athena