Once a Capsule8 Incident is generated, it can be investigated further by building a timeline of the events that belong to it. This timeline gives a deeper contextual view of what happened: the connections, shell commands, alerts, and file events of every process tied to the incident, in time order.
Required Tables
- alerts
- file_events
- process_events
- shell_commands
- connections
Input Fields
Each Capsule8 Alert is assigned an incident_id, indicating that the Alert is part of an Incident. Replace the <INCIDENT ID FROM CAPSULE8 ALERT> text in the query below with that incident ID.
Returned Fields
Field | Description
incident | The incident id the event belongs to
ts (UnixNano) | The event timestamp, in Unix nanoseconds
c8id | The c8id of the process that produced the event
dsthost | Destination host, populated only for connection events
dstport | Destination port, populated only for connection events
progargs | The program arguments, populated only for shell command events
progname | The program name, populated only for shell command events
priority | The alert priority, populated only for alert events
policy_type | The alert policy type, populated only for alert events
strategy | The alert strategy, populated only for alert events
path | The file path, populated only for file events
container_id | The container id, populated only for file events
source_path | The source path, populated only for file events
file_event_path | The file event type (the query fills this column from file_events.event_type), populated only for file events
Columns that do not apply to a given event type are returned as empty strings.
Query
-- Timeline of connection, shell command, alert, and file events for every
-- process (c8id) that belongs to the incident. Empty strings pad the columns
-- an event type does not have, so the four SELECTs can be combined with UNION ALL.
SELECT incident,
       ts,
       c8id,
       dsthost,
       dstport,
       progargs,
       progname,
       priority,
       policy_type,
       strategy,
       path,
       container_id,
       source_path,
       file_event_path
FROM (
  -- Connection events: destination host and port
  SELECT connections.incident_id AS incident,
         connections.unix_nano_timestamp AS ts,
         connections.process_c8id AS c8id,
         connections.dst_addr AS dsthost,
         cast(connections.dst_port AS varchar) AS dstport,
         '' AS progargs, '' AS progname,
         '' AS priority, '' AS policy_type, '' AS strategy,
         '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
  FROM connections
  UNION ALL
  -- Shell commands: program name and arguments
  SELECT shell_commands.incident_id AS incident,
         shell_commands.unix_nano_timestamp AS ts,
         shell_commands.process_c8id AS c8id,
         '' AS dsthost, '' AS dstport,
         array_join(shell_commands.program_arguments, ' ') AS progargs,
         shell_commands.program_filename AS progname,
         '' AS priority, '' AS policy_type, '' AS strategy,
         '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
  FROM shell_commands
  UNION ALL
  -- Alerts: priority, policy type, and strategy
  SELECT alerts.incident_id AS incident,
         alerts.unix_nano_timestamp AS ts,
         alerts.process_c8id AS c8id,
         '' AS dsthost, '' AS dstport, '' AS progargs, '' AS progname,
         alerts.priority AS priority,
         alerts.policy_type AS policy_type,
         alerts.strategy_name AS strategy,
         '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
  FROM alerts
  UNION ALL
  -- File events: path, container, source path, and event type
  SELECT file_events.incident_id AS incident,
         file_events.unix_nano_timestamp AS ts,
         file_events.process_c8id AS c8id,
         '' AS dsthost, '' AS dstport, '' AS progargs, '' AS progname,
         '' AS priority, '' AS policy_type, '' AS strategy,
         file_events.path AS path,
         file_events.container_id AS container_id,
         file_events.source_path AS source_path,
         cast(file_events.event_type AS varchar) AS file_event_path
  FROM file_events
) AS events
-- Keep only events produced by processes that belong to the incident
WHERE c8id IN (SELECT process_c8id
               FROM process_events
               WHERE incident_id = '<INCIDENT ID FROM CAPSULE8 ALERT>')
ORDER BY ts ASC
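As an added example (not part of the Capsule8 article), the same four-table union written so that each row carries a source label and a single human-readable detail column, which lets an analyst read the timeline top to bottom without checking which columns are blank. It assumes a Presto/Athena-style dialect, as the page's array_join and cast(... AS varchar) suggest, and that unix_nano_timestamp holds nanoseconds since the Unix epoch.

```sql
-- Added example, not the Capsule8 query. Assumes Presto/Athena SQL
-- (array_join, concat, from_unixtime) and that unix_nano_timestamp is
-- nanoseconds since the epoch.
WITH incident_procs AS (
  -- Every process that Capsule8 tied to the incident
  SELECT DISTINCT process_c8id
  FROM process_events
  WHERE incident_id = '<INCIDENT ID FROM CAPSULE8 ALERT>'
),
timeline AS (
  SELECT 'connection' AS source, incident_id AS incident,
         unix_nano_timestamp AS ts, process_c8id AS c8id,
         concat(dst_addr, ':', cast(dst_port AS varchar)) AS detail
  FROM connections
  UNION ALL
  SELECT 'shell_command', incident_id, unix_nano_timestamp, process_c8id,
         concat(program_filename, ' ', array_join(program_arguments, ' '))
  FROM shell_commands
  UNION ALL
  SELECT 'alert', incident_id, unix_nano_timestamp, process_c8id,
         concat(strategy_name, ' [', policy_type, '/',
                cast(priority AS varchar), ']')
  FROM alerts
  UNION ALL
  -- concat() returns NULL if any argument is NULL, so guard the
  -- container id, which is empty for processes outside a container.
  SELECT 'file_event', incident_id, unix_nano_timestamp, process_c8id,
         concat(cast(event_type AS varchar), ' ', path,
                ' (container ', coalesce(container_id, '-'), ')')
  FROM file_events
)
SELECT from_unixtime(cast(ts AS double) / 1e9) AS event_time,
       source,
       incident,
       c8id,
       detail
FROM timeline
WHERE c8id IN (SELECT process_c8id FROM incident_procs)
ORDER BY ts ASC;
```

Because the filter is on c8id rather than incident_id, events from the same process that predate or postdate the incident are included as well; that is the intended context, but bound ts if the process is long-lived.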