Investigating container forensics while accounting for adjacent events

When investigating an event, you should pay attention to and analyze the events that occurred before and after the event in question.

To view the events that occurred before and after the event in question:

1. Click anywhere in the row of an event in the table of security events in the Investigation → Container forensic section.
2. Go to the Adjacent events tab.

By default, the solution displays a table with the following information:

• Event being examined.
• 3 events that occurred before the event being examined.
• 46 events that occurred after the event being examined.

For each event, you can also view events in a 90-day range. For example, if you are viewing an event from the current day, you can open events from the past 90 days. If an event of interest occurred 45 days ago, you can open events that occurred 45 days before the event being examined.

For each event in the table, the solution shows the following information:

• Date and time of the event.
• Event type.
• Additional information about the event
• Full path.

You can open the sidebar with detailed information about the selected event by clicking the row of the event in the table.

You can also download information about all events with a detailed description of each of them in text format.

Page top