If a container image has been compromised or has a known bug, Capsule8's Investigations can be queried to identify the damage done by containers running that image. The query returns all file events recorded for containers whose image name matches the one supplied, so the result set is scoped to those containers rather than to every file event on the host.
Required Tables
- file_events
- container_events
Input Fields
The name of the suspicious image should replace the <KNOWN IMAGE NAME> text located in the query.
Returned Fields
unix_nano_timestamp |
path | The file that was modified
source_path |
file_events.process_c8id | The process c8id that modified the file
Query
SELECT unix_nano_timestamp,
       path,
       source_path,
       file_events.process_c8id
FROM file_events
WHERE EXISTS
  (SELECT container_id
   FROM container_events
   WHERE image_name = '<KNOWN IMAGE NAME>'
     -- Correlate the subquery with the outer row. Without this condition the
     -- EXISTS check is true for every file event as soon as any container with
     -- the image exists, and the query returns all file events on the host.
     -- Assumes file_events carries a container_id column matching container_events.
     AND container_events.container_id = file_events.container_id)
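To see the scoping behaviour of the query without a Capsule8 deployment, the following added example (not Capsule8's own code) loads a few constructed rows into an in-memory SQLite copy of the two tables and runs both the scoped query and an unscoped EXISTS variant for contrast. The image name, container ids, paths and process c8ids are constructed sample values, and the presence of a container_id column on file_events is an assumption.

```python
"""Added example: run the container-scoped file_events query against constructed data."""
import sqlite3

# Constructed sample value standing in for <KNOWN IMAGE NAME>.
KNOWN_IMAGE_NAME = "acme/webapp:1.4"

# Constructed container_events rows: two containers, only one running the suspect image.
CONTAINER_EVENTS = [
    # (unix_nano_timestamp, container_id, image_name)
    (1_700_000_000_000_000_000, "c-aaa111", "acme/webapp:1.4"),
    (1_700_000_001_000_000_000, "c-bbb222", "acme/cache:2.0"),
]

# Constructed file_events rows; container_id on file_events is an assumption.
FILE_EVENTS = [
    # (unix_nano_timestamp, path, source_path, process_c8id, container_id)
    (1_700_000_005_000_000_000, "/etc/cron.d/job", None, "p-1", "c-aaa111"),
    (1_700_000_006_000_000_000, "/tmp/dropper", None, "p-1", "c-aaa111"),
    (1_700_000_007_000_000_000, "/var/cache/data", None, "p-9", "c-bbb222"),
]

# Scoped query: only file events from containers running the given image.
SCOPED_QUERY = """
SELECT unix_nano_timestamp, path, source_path, file_events.process_c8id
FROM file_events
WHERE EXISTS (
    SELECT container_id
    FROM container_events
    WHERE image_name = ?
      AND container_events.container_id = file_events.container_id
)
ORDER BY unix_nano_timestamp
"""

# Unscoped variant for contrast: the EXISTS test has no link to the outer row,
# so it is true for every file event whenever any container with the image exists.
UNSCOPED_COUNT_QUERY = """
SELECT count(*)
FROM file_events
WHERE EXISTS (
    SELECT container_id FROM container_events WHERE image_name = ?
)
"""


def build_db():
    """Create the two tables in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE container_events (
            unix_nano_timestamp INTEGER, container_id TEXT, image_name TEXT);
        CREATE TABLE file_events (
            unix_nano_timestamp INTEGER, path TEXT, source_path TEXT,
            process_c8id TEXT, container_id TEXT);
        """
    )
    con.executemany("INSERT INTO container_events VALUES (?, ?, ?)", CONTAINER_EVENTS)
    con.executemany("INSERT INTO file_events VALUES (?, ?, ?, ?, ?)", FILE_EVENTS)
    return con


def files_touched_by_image(con, image_name):
    """Return (timestamp, path, source_path, process_c8id) rows scoped to the image."""
    return con.execute(SCOPED_QUERY, (image_name,)).fetchall()


def unscoped_file_event_count(con, image_name):
    """Return how many rows the uncorrelated EXISTS form would report."""
    return con.execute(UNSCOPED_COUNT_QUERY, (image_name,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    for row in files_touched_by_image(db, KNOWN_IMAGE_NAME):
        print(row)
    print("unscoped count:", unscoped_file_event_count(db, KNOWN_IMAGE_NAME))
```

With the constructed rows the scoped query returns the two files written inside the acme/webapp container and nothing from the cache container, while the unscoped variant reports all three file events, which is the over-reporting the correlation condition prevents.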