Find files affected by container
If a container image has been compromised or has a known bug, Sophos Linux Sensor's Investigations can be queried to identify the damage done by the compromised container. The query will return all file events associated with that container image name.
Replace the `<KNOWN IMAGE NAME>` text in the query with the name of the suspicious image.
| Column | Description |
|---|---|
| | The file that was modified |
| file_events.process_uuid | The process id that modified the file |
```sql
-- Assumes file_events carries a container_id column that matches container_events.container_id.
-- The subquery is correlated through that column; an uncorrelated EXISTS would return every
-- file event whenever any container with the given image exists, not just that container's.
SELECT unix_nano_timestamp, path, source_path, file_events.process_uuid
FROM file_events
WHERE file_events.container_id IN (
    SELECT container_id FROM container_events WHERE image_name = '<KNOWN IMAGE NAME>'
);
```
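To see why the filter must be correlated, the following added example (not part of Sophos's documentation) runs the image-scoped query against a constructed in-memory SQLite copy of the two tables and contrasts it with an uncorrelated EXISTS filter. It assumes `file_events` has a `container_id` column; the image names, container ids and paths are constructed sample data.

```python
import sqlite3

# Constructed sample data (not real sensor output): two containers, one running the suspect image.
CONTAINER_EVENTS = [
    ("c-1111", "registry.example/app:1.4"),     # hypothetical suspect image
    ("c-2222", "registry.example/nginx:1.25"),  # unrelated container
]
FILE_EVENTS = [  # (unix_nano_timestamp, path, source_path, process_uuid, container_id)
    (1700000000000000001, "/etc/cron.d/backup", None, "p-aaa", "c-1111"),
    (1700000000000000002, "/usr/local/bin/tool", "/tmp/tool", "p-bbb", "c-1111"),
    (1700000000000000003, "/var/log/nginx/access.log", None, "p-ccc", "c-2222"),
]

# Assumed schema: file_events.container_id joins to container_events.container_id.
SCOPED_QUERY = """
SELECT unix_nano_timestamp, path, source_path, file_events.process_uuid
FROM file_events
WHERE file_events.container_id IN (
    SELECT container_id FROM container_events WHERE image_name = ?
)
ORDER BY unix_nano_timestamp"""

# Uncorrelated form: the subquery never references file_events, so the EXISTS is true
# for every row as soon as any container with that image exists.
UNCORRELATED_QUERY = """
SELECT unix_nano_timestamp, path, source_path, file_events.process_uuid
FROM file_events
WHERE EXISTS (SELECT container_id FROM container_events WHERE image_name = ?)
ORDER BY unix_nano_timestamp"""


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE container_events (container_id TEXT, image_name TEXT)")
    db.execute("CREATE TABLE file_events (unix_nano_timestamp INTEGER, path TEXT, "
               "source_path TEXT, process_uuid TEXT, container_id TEXT)")
    db.executemany("INSERT INTO container_events VALUES (?, ?)", CONTAINER_EVENTS)
    db.executemany("INSERT INTO file_events VALUES (?, ?, ?, ?, ?)", FILE_EVENTS)
    return db


def files_touched_by_image(image_name, query=SCOPED_QUERY):
    """Return (timestamp, path, source_path, process_uuid) rows matched by `query`."""
    db = build_db()
    try:
        return db.execute(query, (image_name,)).fetchall()
    finally:
        db.close()


if __name__ == "__main__":
    print(files_touched_by_image("registry.example/app:1.4"))
    print(files_touched_by_image("registry.example/app:1.4", UNCORRELATED_QUERY))
```

The scoped query returns only the two events from container `c-1111`; the uncorrelated variant returns all three, including the unrelated nginx write.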