Release Notes: Sensor 4.8

4.8.0 What's new

Adds 5.12 and 5.13 Linux compatibility
Alert location information now includes Kubernetes labels.
Enable restriction of policy types based on node metadata
Container IDs are now included in connection metaevents
Add support for delete and quarantine response action for new file exec
Adds the ability to generate a test alert with the -test-alert flag to ensure Sensor and the
Detection Content are properly installed and configured.
AWS EKS service roles are now supported for managing Sensor access to cloud resources
New detection: unusual access to Docker sockets
New detection: coverage for suspicious command executions through sudo
New detection: suspicious (non-SSH) remote interactive shell sessions

Reduced overall overhead of file detections
Improved Yara scan status messages which was previously generating inappropriate alerts
Reduced overall memory usage
Process ancestry alert information is now more accurate
SegFault alert detection now applies on the process level rather than the thread level
Custom kprobe and uprobe policies are now treated as separate event types
Lost data is now less able to cause false positives in unauthorized kernel credential change detections and other data inconsistencies
Health check now waits for analytics to be processing data before returning healthy
Parquet file increments are now configurable allowing for larger, more efficient writes.
Detect support for 5-level page tables on x86_64 for kernel payload and container escape detections
More accurate event ordering using periodic perfmarker
Improved detection of common kernel exploitation techniques