Find files affected by container

If a container image has been compromised or has a known bug, Sophos Linux Sensor's Investigations can be queried to identify the damage done by the compromised container. The query will return all file events associated with that container image name.

Required Tables

  • file_events
  • container_events

Input Fields

The name of the suspicious image should replace the <KNOWN IMAGE NAME> text located in the query.

Returned Fields

Field                       Description
unix_nano_timestamp
path, source_path           The file that was modified
file_events.process_uuid    The process id that modified the file

Query

SELECT unix_nano_timestamp,
         path,
         source_path,
         file_events.process_uuid
FROM file_events
WHERE EXISTS
    (SELECT container_id
    FROM container_events
    WHERE image_name = '<KNOWN IMAGE NAME>')
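One caveat a practitioner should check before relying on the results: in standard SQL the EXISTS subquery above is not correlated with the outer file_events row, so it evaluates true for every row as soon as any container_events row matches the image name, returning the whole file_events table rather than only the events tied to that container. The correlated form below is an added example, not the documentation's own query; it assumes that file_events carries a container_id column matching container_events.container_id, which is a hypothetical column name to confirm against the sensor's schema.

```sql
-- Added example (not the Sophos documentation's query).
-- ASSUMPTION: file_events has a container_id column that matches
-- container_events.container_id. That column name is hypothetical here;
-- verify it against the actual schema before running the query.
SELECT fe.unix_nano_timestamp,
       fe.path,
       fe.source_path,
       fe.process_uuid
FROM file_events AS fe
WHERE EXISTS
    (SELECT 1
     FROM container_events AS ce
     WHERE ce.image_name = '<KNOWN IMAGE NAME>'
       -- correlation with the outer row: only events from a container
       -- started from the suspicious image are returned
       AND ce.container_id = fe.container_id)
ORDER BY fe.unix_nano_timestamp;
```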