Sensor v7.0.0
Improved sensor stability and safety when running in audit mode
- Override default Audit Framework settings, optimize for stability and safety
- Use query mode if Audit Framework could not be configured to run safely
- Kernel versions below 3.14 do not allow configuring the `backlog_wait_time` setting, which can cause a significant performance impact if left unconfigured. In that case the sensor will use query mode to preserve production safety on the host
- Audit Multicast mode has been deprecated due to stability issues
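A preflight check that applies the two conditions above (a kernel below 3.14, or auditd already running) to predict whether a host will land in audit or query mode. This is an added example for deployment planning, not Intezer's sensor code; the sensor's own decision logic is not published, so this is an approximation of the rules stated here.

```python
"""Predict the sensor mode (audit vs. query) a Linux host will end up in.

Added example, not part of the sensor. It encodes two rules from the
release notes: kernel < 3.14 (backlog_wait_time not configurable) and
auditd already running both push the sensor to query mode.
"""
import re
import subprocess
from typing import Optional, Tuple

MIN_AUDIT_KERNEL = (3, 14)  # below this, backlog_wait_time cannot be set


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '3.10.0-1160.el7.x86_64' into a
    numeric tuple so that 3.10 sorts below 3.14 (a plain string compare
    would get this wrong and misclassify older RHEL/CentOS kernels)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def expected_mode(release: str, auditd_running: bool) -> Tuple[str, Optional[str]]:
    """Return ('audit' or 'query', reason-or-None) for the given host facts."""
    if auditd_running:
        return "query", "auditd is already running"
    if parse_kernel_version(release)[:2] < MIN_AUDIT_KERNEL:
        return "query", "kernel < 3.14: backlog_wait_time not configurable"
    return "audit", None


def auditd_is_running() -> bool:
    """Best-effort local check via pgrep (assumes procps is installed)."""
    return subprocess.run(["pgrep", "-x", "auditd"], capture_output=True).returncode == 0


if __name__ == "__main__":
    rel = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout.strip()
    mode, why = expected_mode(rel, auditd_is_running())
    print(f"{rel}: expected {mode} mode" + (f" ({why})" if why else ""))
```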
Improved sensor self-monitoring
- In addition to the memory-efficient design and implementation, the sensor will also monitor both physical (RAM) and paged (disk) memory and will self-terminate in case of unexpected high memory usage
Improved network usage
- Improved reuse of network connections lowers overall network usage
Improved logs
- Informative startup log
- Automatic detection of various scenarios that prevent the use of audit mode, e.g. auditd is already running
- Noisy and uninformative logs were removed
Sensor Version Pinning Support
- It is now possible to install a specific sensor version by adding an additional URL parameter to the installation command:
"https://protect.intezer.com/v2/install?key=LICENSE_KEY&version=7.0.0"
Host Groups
- You are now able to define a set of conditions that will create a dynamic collection of hosts based on various attributes (e.g. hostname pattern).
- Host group association will be visible throughout the system and can be used for finer adjustment of detection rule exclusions and notification settings.
Multiple notification subscriptions per type
- Create multiple email, webhook, and Slack notification subscriptions
- Each subscription can differ in:
  - The recipient
  - The event types that will trigger a notification
  - The hosts on which the selected events occurred (entire environment, by hostname pattern, or a predefined host group)
Process command line in the alert process tree
The process tree shown in alerts will now contain the process command line to provide more context and improve investigation.
API + Webhook Improvements
- Alert info provided via API or Webhook will contain:
  - process command line
  - process tree info
- A new Webhook notification will be sent upon an alert update
  - An alert is updated when an additional threat is found matching the same detection rule and host
Search Hosts by CVE
- The hosts API now supports filtering hosts by CVE ID