To configure this feature, see our Getting Investigations data via HDFS/Presto and Getting Investigations data via S3/Athena guides.
On an alert details page, the top-left card contains information about the environment in which the alert was detected.
The top-right card contains information about any response taken by the Capsule8 Sensor. In this example, the Sensor was asked to “dry run” killing the process, so the kill is recorded as a response but the process was not actually terminated.
Scroll down to the second card on the left, Process Lineage. It shows the ancestry of the process that caused this alert to be generated. “User: root(0)” is highlighted in red on the first process in the lineage that runs as root (uid 0) after a non-root ancestor, i.e. the point at which privilege was gained; processes that were root from the start of the lineage are not highlighted.
The bottom-right card shows alerts related to this one: alerts that are part of the same incident, on the same host, or in the same container.
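The highlight rule described for the Process Lineage card (flag the first root process that follows a non-root ancestor, not simply the first root process) is easy to get wrong when reproducing it over exported investigations data. The following is an added example, not Capsule8 code; the lineage record layout (a list of dicts with pid, program, user and uid, ordered from oldest ancestor to the alerting process) and the sample lineage are assumptions constructed for illustration.

```python
# Added example: locate the point in a process lineage where a non-root
# user became root, mirroring the red highlight described above.
# Not Capsule8 code; the record layout and sample data are assumptions.
from typing import Optional


def first_root_transition(lineage: list[dict]) -> Optional[dict]:
    """Return the first process (oldest-ancestor-first order) whose uid is 0
    while its immediate parent's uid was non-zero.

    Returns None when there is no such step: a lineage that is root from
    the start (init -> sshd -> ...) has no non-root -> root transition and
    must not be flagged, and neither must a lineage that never reaches
    root at all.
    """
    prev_uid = None
    for proc in lineage:
        uid = proc["uid"]
        if uid == 0 and prev_uid is not None and prev_uid != 0:
            return proc
        prev_uid = uid
    return None


def annotate_lineage(lineage: list[dict]) -> list[str]:
    """Render one line per process, marking the escalation point."""
    hit = first_root_transition(lineage)
    lines = []
    for proc in lineage:
        marker = "  << first root after non-root" if proc is hit else ""
        lines.append(
            f"{proc['pid']:>6} {proc['program']:<8} "
            f"User: {proc['user']}({proc['uid']}){marker}"
        )
    return lines


# Constructed sample lineage (not real data):
# systemd and sshd run as root from the start, alice's shell is non-root,
# sudo is the first process that is root after a non-root parent.
SAMPLE_LINEAGE = [
    {"pid": 1,    "program": "systemd", "user": "root",  "uid": 0},
    {"pid": 812,  "program": "sshd",    "user": "root",  "uid": 0},
    {"pid": 1401, "program": "bash",    "user": "alice", "uid": 1000},
    {"pid": 1455, "program": "sudo",    "user": "root",  "uid": 0},
    {"pid": 1456, "program": "bash",    "user": "root",  "uid": 0},
]

# A lineage that stays root throughout: nothing should be highlighted.
ALL_ROOT_LINEAGE = [
    {"pid": 1,   "program": "systemd", "user": "root", "uid": 0},
    {"pid": 900, "program": "cron",    "user": "root", "uid": 0},
    {"pid": 901, "program": "sh",      "user": "root", "uid": 0},
]

if __name__ == "__main__":
    for line in annotate_lineage(SAMPLE_LINEAGE):
        print(line)
```

Note that the rule looks only at the immediate parent's uid, so a lineage that drops from root to a user and back to root is flagged at the second root process, which is the first one that gained privilege rather than inheriting it.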

Capsule8 also highlights queries to help you get additional information about the environment around the time of the alert. Clicking one of these items runs the query and navigates away from the alert details page. These queries can take time to complete (typically 5-15 seconds).

Click on any row in the result set to see its details.
Back on the alert details page, you can also click the play button on the Terminal Replay widget. This plays back a recording of the terminal session, reconstructed from the processes that were involved in this alert.
If the Terminal Replay widget is blank, the underlying data is still loading; it turns black once the replay is ready to play.