Find files affected by container
If a container image has been compromised or is known to carry a vulnerability, Sophos Linux Sensor's Investigations tables can be queried to scope the damage done from containers started from that image. The query returns every file event recorded for a container whose image name matches, so it shows which files those containers created, modified, or moved and which process did it.
Required Tables
- file_events
- container_events
Input Fields
Replace the <KNOWN IMAGE NAME> placeholder in the query with the name of the suspicious image, exactly as it appears in container_events.image_name (including the tag, if the sensor records one).
Returned Fields
Field | Description |
---|---|
unix_nano_timestamp | Time of the file event, in nanoseconds since the Unix epoch |
path | The file that was modified |
source_path | The original path for operations that involve two paths (for example a rename); empty for other events |
file_events.process_uuid | The sensor's unique identifier for the process that modified the file (a UUID, not the kernel PID); use it to pivot into the process tables |
Query
SELECT unix_nano_timestamp,
       path,
       source_path,
       file_events.process_uuid
FROM file_events
-- The subquery must be tied to the outer row. An uncorrelated
-- "WHERE EXISTS (SELECT ... FROM container_events WHERE image_name = ...)"
-- is true for every file event as soon as one matching container exists,
-- so it returns all file events on the host, not the container's.
-- This correlates on container_id, assuming file_events carries that column.
WHERE file_events.container_id IN
      (SELECT container_id
       FROM container_events
       WHERE image_name = '<KNOWN IMAGE NAME>')
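The following is an added example, not part of the Sophos documentation, that shows why the subquery has to be correlated with the outer file_events row. It builds the two tables in an in-memory SQLite database with constructed sample rows (two containers from different images) and runs both an uncorrelated EXISTS form and a form correlated on container_id. The column set is assumed: file_events is given a container_id column, which is not listed on this page, and the image names, paths and process UUIDs are made up.

```python
import sqlite3

# Constructed sample data, not real sensor output.
# Two containers: c1 from the suspicious image, c2 from a benign one.
CONTAINER_EVENTS = [
    ("c1", "example/suspicious:latest"),
    ("c2", "library/nginx:1.25"),
]
# (unix_nano_timestamp, path, source_path, process_uuid, container_id)
FILE_EVENTS = [
    (1700000000000000000, "/etc/cron.d/run", None, "p-1111", "c1"),
    (1700000001000000000, "/tmp/.x", "/tmp/x.tmp", "p-2222", "c1"),
    (1700000002000000000, "/var/log/nginx/access.log", None, "p-3333", "c2"),
    (1700000003000000000, "/usr/share/nginx/html/index.html", None, "p-4444", "c2"),
]

# Uncorrelated: EXISTS evaluates once per outer row but never references it,
# so it is true for every file event once any matching container exists.
UNCORRELATED = """
SELECT unix_nano_timestamp, path, source_path, file_events.process_uuid
FROM file_events
WHERE EXISTS (SELECT container_id FROM container_events WHERE image_name = ?)
ORDER BY unix_nano_timestamp
"""

# Correlated: restrict the outer rows to the container IDs of the image.
# Assumes file_events has a container_id column.
CORRELATED = """
SELECT unix_nano_timestamp, path, source_path, file_events.process_uuid
FROM file_events
WHERE file_events.container_id IN
      (SELECT container_id FROM container_events WHERE image_name = ?)
ORDER BY unix_nano_timestamp
"""


def build_db():
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE container_events (container_id TEXT, image_name TEXT)")
    conn.execute(
        "CREATE TABLE file_events ("
        "unix_nano_timestamp INTEGER, path TEXT, source_path TEXT, "
        "process_uuid TEXT, container_id TEXT)"
    )
    conn.executemany("INSERT INTO container_events VALUES (?, ?)", CONTAINER_EVENTS)
    conn.executemany("INSERT INTO file_events VALUES (?, ?, ?, ?, ?)", FILE_EVENTS)
    return conn


def files_for_image(query, image_name):
    """Run the given query for one image name and return the matched paths."""
    conn = build_db()
    try:
        return [row[1] for row in conn.execute(query, (image_name,))]
    finally:
        conn.close()


if __name__ == "__main__":
    image = "example/suspicious:latest"
    print("uncorrelated:", files_for_image(UNCORRELATED, image))
    print("correlated:  ", files_for_image(CORRELATED, image))
```

On the constructed data the uncorrelated form returns all four file events, including the nginx container's, while the correlated form returns only the two paths touched inside the suspicious container; for an image name that never ran, both return nothing, which is why the bug is easy to miss during a quick test.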