Skip to content
Last update: 2022-05-13

Automated response: killing a container


You can't revert an automated response. Sophos strongly recommends testing automated responses using dry runs before you turn them on in a production environment. See dry runs.

For the policies that support kill-container responses specify responseAction: kill-container.

A kill-container response action is performed by sending the SIGKILL signal to the init process of the container. This causes the entire container to exit immediately. If an alert is fired on a process not in a container and the kill-container response action is specified, no action is taken.

Like kill responses, kill container responses can fail (e.g. if the container has already exited).

Back to top