Kaspersky Container Security

Analyzing container forensics

In the Investigation → Container forensics section, Kaspersky Container Security lets you organize events that occurred in containers for further analysis. Information about events is presented in the form of a table.

This section is available if you have rights to view events.

In the table, the solution shows the following information about events:

  • Date and time of the event.
  • Event type — Process, File operations, Network traffic, or File Threat Protection.
  • Additional information about the event, displayed in the following way:
    • for a process launch, the command executed in the container is shown;
    • for file operations, the type of operation is indicated (for example, write or delete);
    • for network traffic, the source and destination of the traffic are displayed, namely the pod name or domain of the source, the ports, and the IP addresses;
    • for events generated by the File Threat Protection component, the name of the detected malware is displayed.
  • Runtime policy mode — Audit or Enforce.
  • Full path and name of the executable file started in the container. For file operations, the path shown is the name and location, in the container's file system, of the file or directory on which the action was taken.

Using filters, you can customize the display of information in the table as follows:

  • By event type:
    • By running processes
    • By file operations
    • By network traffic
    • By the malware detected by the File Threat Protection component
  • By the time of the event (you must specify the date and time of the event). The solution shows events for the current day by default.
  • By event data or path (you need to enter the data or path in the search field).
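The following is an added example, not code from Kaspersky Container Security or its documentation, that models the table and the three filters described above (event type, day of the event defaulting to the current day, and a substring search over the event data or path) over a handful of constructed forensic events. The record fields, the `ForensicEvent` class, the `filter_events` and `render_table` functions, and all sample values are assumptions made for the illustration; the product's own export format is not shown on this page.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Iterable, List, Optional, Set

# The four event types named in the documentation.
EVENT_TYPES = {"Process", "File operations", "Network traffic", "File Threat Protection"}
POLICY_MODES = {"Audit", "Enforce"}


@dataclass(frozen=True)
class ForensicEvent:
    """One row of the container forensics table (hypothetical record layout)."""
    timestamp: datetime
    event_type: str     # one of EVENT_TYPES
    details: str        # command, file operation, traffic source/destination, or malware name
    policy_mode: str    # "Audit" or "Enforce"
    path: str           # executable path, or file/directory path for file operations

    def __post_init__(self):
        if self.event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {self.event_type!r}")
        if self.policy_mode not in POLICY_MODES:
            raise ValueError(f"unknown policy mode: {self.policy_mode!r}")


# Constructed sample events; pod names, addresses and paths are made up.
SAMPLE_EVENTS = [
    ForensicEvent(datetime(2024, 5, 1, 9, 15, 2), "Process",
                  "/bin/sh -c 'cat /etc/hostname'", "Audit", "/bin/sh"),
    ForensicEvent(datetime(2024, 5, 1, 9, 15, 3), "File operations",
                  "write", "Enforce", "/tmp/x"),
    ForensicEvent(datetime(2024, 5, 1, 9, 16, 0), "Network traffic",
                  "pod web-7f9c -> example.invalid:443 (10.244.1.5 -> 203.0.113.10)", "Audit", ""),
    ForensicEvent(datetime(2024, 5, 1, 9, 16, 5), "File Threat Protection",
                  "EICAR-Test-File", "Enforce", "/tmp/x"),
    ForensicEvent(datetime(2024, 4, 30, 23, 59, 0), "File operations",
                  "delete", "Audit", "/var/log/app.log"),
]


def filter_events(events: Iterable[ForensicEvent],
                  event_types: Optional[Set[str]] = None,
                  day: Optional[date] = None,
                  query: Optional[str] = None,
                  today: Optional[date] = None) -> List[ForensicEvent]:
    """Apply the table filters: event type, day of the event, and data/path search.

    As in the product, the day defaults to the current day; `today` lets a caller
    (or a test) pin what "current day" means.
    """
    if event_types is not None:
        unknown = set(event_types) - EVENT_TYPES
        if unknown:
            raise ValueError(f"unknown event types: {sorted(unknown)}")
    if day is None:
        day = today or datetime.now().date()
    needle = (query or "").lower()

    matched = [
        e for e in events
        if e.timestamp.date() == day
        and (event_types is None or e.event_type in event_types)
        and (not needle or needle in e.details.lower() or needle in e.path.lower())
    ]
    # Present events in chronological order, as the table does.
    return sorted(matched, key=lambda e: e.timestamp)


def render_table(events: List[ForensicEvent]) -> str:
    """Render the filtered rows as a plain-text table with the documented columns."""
    header = f"{'Date and time':<20} {'Type':<23} {'Mode':<8} {'Path':<20} Details"
    lines = [header, "-" * len(header)]
    for e in events:
        lines.append(f"{e.timestamp:%Y-%m-%d %H:%M:%S}  {e.event_type:<23} "
                     f"{e.policy_mode:<8} {e.path:<20} {e.details}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Everything written to /tmp/x on 1 May 2024, regardless of event type.
    print(render_table(filter_events(SAMPLE_EVENTS, day=date(2024, 5, 1), query="/tmp/x")))
```

The path search deliberately matches both the file-operation row and the File Threat Protection row for `/tmp/x`, which is the kind of pairing an analyst looks for when tracing how a detected file arrived in a container.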

By clicking an event row in the table, you can expand the sidebar with detailed information about the selected event.