Last update: 2022-05-12

Release Notes: Sensor 4.8

4.8.0

What's new

  • Adds compatibility with Linux kernels 5.12 and 5.13

  • Alert location information now includes Kubernetes labels.

  • Enable restriction of policy types based on node metadata

  • Container IDs are now included in connection metaevents

  • Adds support for the delete and quarantine response actions on new file exec events

  • Adds the ability to generate a test alert with the -test-alert flag to ensure the Sensor and the Detection Content are properly installed and configured.

  • AWS EKS service roles are now supported for managing Sensor access to cloud resources

  • New detection: unusual access to Docker sockets

  • New detection: coverage for suspicious command executions through sudo

  • New detection: suspicious (non-SSH) remote interactive shell sessions

Key improvements

  • Reduced overall overhead of file detections

  • Improved Yara scan status messages, which were previously generating inappropriate alerts

  • Reduced overall memory usage

  • Process ancestry alert information is now more accurate

  • SegFault alert detection now applies on the process level rather than the thread level

  • Custom kprobe and uprobe policies are now treated as separate event types

  • Lost data is now less likely to cause false positives in unauthorized kernel credential change detections and other data inconsistencies

  • Health check now waits for analytics to be processing data before returning healthy

  • Parquet file increments are now configurable, allowing for larger, more efficient writes.

  • Added support for 5-level page tables on x86_64 in the kernel payload and container escape detections

  • More accurate event ordering using periodic perfmarker

  • Improved detection of common kernel exploitation techniques

Notable bug fixes

  • Fixed a bug in processtree which could cause incorrect container information