Skip to content
Last update: 2022-05-12

Release Notes: Sensor 4.7.0

4.7.0

What's new

  • Wary of privileged containers? Detect when attackers may be preparing for node takeover by launching privileged containers with the "Privileged Container Launched" detection
  • Application and system credentials are key for attackers when looking to gain further access. Capture when attackers search for credentials on the command line with the new detection "Credential Enumeration Detected"
  • Keep records of all command line activity with investigations and custom policies
  • Stay on top of user account changes with the "New System User Added" detection, which alerts whenever a new local user is added to a node

Key improvements

  • The Spectre/Meltdown detection now supports AMD CPUs
  • The remote interactive shell detection is now much more performant on systems with heavy network traffic
  • Improved performance when filtering out high event-rate workloads by program name, parent program, user, group, container, pod, or namespace
  • Introduced support for Linux Kernel 5.11
  • You can now configure a single policy to emit both alerts and audit events
  • You will experience much better performance on file-based detections when an exact filename is matched
  • Improved the Suspicious Interactive Shell detection to use fewer resources
  • Using Azure Blob Storage to store events? You can now use Azure's managed identities as the authentication method
  • You will now see file descriptor limit requirements reported as an error when the system's configured limits are insufficient
  • Older kernels that have unstable support for uprobes are now prohibited from enabling uprobe-based data collection
  • The New File Executed detection now supports the ability to quarantine the newly executing program via a response action
  • General performance improvements in processing system events
  • You can now more easily add exceptions to detection policies based on Kubernetes namespace and pod name with additional built in lists
  • You can now configure all detections to either always alert, to only alert if the process is already associated with an incident (what's called a "Smart Policy"), or to emit an audit-level event
  • Improved coverage for scheduled task modifications through tracking of the at command in the "Scheduled Tasks Modified Via Program" detection

Notable bug fixes

  • Fixed a case where the agent could crash when the system is under heavy load
  • Program argument fetching is now more accurate for short-lived programs
  • If there is a failure when fetching EC2 or GCP labels, you will now see partial metadata in alert details rather than no metadata
  • Heartbeat policies no longer result in events getting processed out of order when the system is under load
  • Fixed cases where working directories show up as empty instead of as /
  • You will now see the detection that was batched within batched alerts
Back to top