Kaspersky Container Security
2.0
English

Contents

Analyzing container forensics

In the InvestigationContainer forensic section, Kaspersky Container Security lets you organize events that occurred in containers for further analysis. Information about events is presented in the form of a table.

This section is available if you have rights to view events.

In the table, the solution shows the following information about events:

  • Date and time of the event.
  • Event type — Process, File operations, Network traffic, or File Threat Protection.
  • Additional information about the events, displayed in the following way:
    • for a process launch, the command executed in the container is shown
    • for file operations, the type of operation is indicated (for example, write or delete)
    • for network traffic, the source and destination of traffic is displayed, namely the name of the pod or domain of the source, ports and IP addresses
    • for events generated by the File Threat Protection component, the name of the detected malware is displayed.
  • Runtime policy mode — Audit or Enforce.
  • Full path and name of the container executable file to be started. For file operations, the path to the file is displayed as the name and location of the file or directory in the file system of the container on which any action was taken.

Using filters, you can customize the display of information in the table as follows:

  • By event type:
    • By running processes
    • Bn file operations
    • By network traffic
    • By the malware detected by the File Threat Protection component
  • By the time of the event (you must specify the date and time of the event). The solution shows events for the current day by default.
  • By event data or path (you need to enter the data or path in the search field).

By clicking an event row in the table, you can expand the sidebar with detailed information about the selected event.

Page top
[Topic 291028]

Searching container forensics

Under Investigation → Container forensic, you can search for events that occurred in containers.

To find security events that occurred in the container:

In the Search by event data and path field, enter the event data for your search.

Depending on the event type, you must specify the following:

  • Container ID or container name (for all event types).
  • Path to the files (for Process, File operations, or File Threat Protection events).
  • IP address or domain name (for events of the Network traffic type).

The solution displays search results in the security event table in the Investigation → Container forensic section.

Page top
[Topic 293485]

Detailed information about a running process

To open detailed information about a running process:

  1. Click anywhere in the row of a Process event in the table of security events in the InvestigationContainer forensic section.
  2. In the sidebar that opens, go to the Information tab.

Kaspersky Container Security displays the following information:

  • The General information section contains general information:
    • Date and time the process was started.
    • Command used to start the process, including arguments.
    • Path to the file or directory.
    • Runtime policy mode.
  • The Location details section contains the following information about the container where the process was started:
    • Container ID and name.
    • Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.

      To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.

    • Pod name. You can display pod details by clicking the name of the pod.

      Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.

    • Namespace name.
    • Cluster name.
    • Host name and IP address.
  • The Process section contains the following data about the running process:
    • Parent process ID (PPID)
    • Process ID (PID) and a new PID.
    • Effective User ID (EUID).
    • Effective Group ID (EGID).
    • Group ID (GID).
  • The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container with the running process. For each policy, the solution shows the name of the policy and its mode.

    You can open the sidebar with a detailed description of the applied by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.

Page top

[Topic 292170]

Detailed information about file operations

To open detailed information about file operations,

  1. Click anywhere in the row of a File operations event in the table of security events in the InvestigationContainer forensic section.
  2. In the sidebar that opens, go to the Information tab.

Kaspersky Container Security displays the following information:

  • The General information section contains general information:
    • Date and time the file operation was performed.
    • Type of file operation (for example, Create or Delete).

      Examples of file operations in Kaspersky Container Security

      Kaspersky Container Security detects the following types of file operations:

      • Open
      • Create
      • Read
      • Write
      • Rename or move
      • Delete
      • Change ownership
      • Change access permissions
    • Path to the file or directory.
    • New path to the file or directory (displayed only for the Rename or move file operation type).
    • New permissions (displayed only for the Change access permissions operation type).
    • Runtime policy mode.
    • Error code.
  • The Location details block provides the following information about the container where the file operations were found:
    • Container ID and name.
    • Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.

      To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.

    • Pod name. You can display pod details by clicking the name of the pod.

      Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.

    • Namespace name.
    • Cluster name.
    • Host name and IP address.
  • The Process section contains the following data about the process where file operations were found:
    • Parent process ID (PPID)
    • Process ID (PID) and a new PID.
    • User ID (UID).
    • Group ID (GID).
    • Effective User ID (EUID).
    • Effective Group ID (EGID).
    • UID of the new owner (displayed only for the Change ownership file operation type).
    • GID of the new owner (displayed only for the Change ownership file operation type).
  • The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container in which the file operations were detected. For each policy, the solution shows the name of the policy and its mode.

    You can open the sidebar with a detailed description of the applied by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.

Page top

[Topic 292232]

Details information about network traffic

To open detailed information about file operations,

  1. Click anywhere in the row of a Network traffic event in the table of security events in the InvestigationContainer forensic section.
  2. In the sidebar that opens, go to the Information tab.

Kaspersky Container Security displays the following information:

  • The General information section contains general information:
    • Date and time the file operation was performed.
    • Runtime policy mode.
    • Traffic type: ingress or egress connection.
  • The Source section contains the following information about the connection:
    • Pod name or domain of the source of the connection. You can display pod details by clicking the name of the pod.

      Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.

    • IP address of the source of network traffic.
    • Port used for the connection.
  • The Destination section contains the following information about the connection:
    • Pod name or domain of the recipient of network traffic. You can display pod details by clicking the name of the pod.
    • IP address of the recipient of network traffic.
    • Port used for the connection.
  • The Location details section provides the following information about the container where the network traffic was detected:
    • Container ID and name.
    • Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.

      To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.

    • Pod name. You can display pod details by clicking the name of the pod.
    • Namespace name.
    • Cluster name.
    • Host name and IP address.
  • The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container in which the network connections were detected. For each policy, the solution shows the name of the policy and its mode.

    You can open the sidebar with a detailed description of the applied by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.

Page top

[Topic 292235]

Detailed information about detected malicious objects

To open detailed information about detected malicious objects:

  1. Click anywhere in the row of a File Threat Protection event in the table of security events in the Investigation → Container forensic section.
  2. In the sidebar that opens, go to the Information tab.

Kaspersky Container Security displays the following information:

  • The General information section contains general information:
    • Date and time the malware was detected.
    • Malware name.
    • Type of malware detected (for example, virus software).
    • Severity level of the malware.
    • File checksums in MD5 and SHA286 formats.
    • Event type (for example, detected threat).
    • Path to the file or directory.
    • Owner ID.
    • Object ID.
    • Runtime policy mode.
    • File interceptor mode (the file interceptor runs regardless of the runtime policy mode).
  • The Location details section contains the following information about the container where malware was detected:
    • Container ID and name.
    • Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.

      To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.

    • Pod name. You can display pod details by clicking the name of the pod.

      Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.

    • Namespace name.
    • Cluster name.
    • Host name and IP address.
  • The Process section contains the following information about the process where malware was detected:
    • Process ID (PID) and a new PID.
    • Effective User ID (EUID).
  • The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container in which the malware was detected. For each policy, the solution shows the name of the policy and its mode.

    You can open the sidebar with a detailed description of the applied by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.

Page top

[Topic 292237]

Restrictions on runtime policies

For each event type, Kaspersky Container Security displays a list of all runtime policies that can be applied to the container where the security event was found. Access to the list of policies is provided subject to the following restrictions:

  • If a user has the rights to manage runtime policies and has the same role as the author of the policy, the user has access to all information about the policies, and also has the ability to edit runtime policy settings.
  • If a user is granted rights to view runtime policies, the user has access to all information about the policies.
  • If a user is not granted rights to view runtime policies, the user cannot open the detailed description of a runtime policy. A user only has access to information about the list of applied runtime policies on the Information tab in the sidebar with a detailed description of the security event.

Page top

[Topic 292240]

Investigating container forensics while accounting for adjacent events

When investigating an event, you should pay attention to and analyze the events that occurred before and after the event in question.

To view the events that occurred before and after the event in question:

  1. Click anywhere in the row of an event in the table of security events in the Investigation → Container forensic section.
  2. Go to the Adjacent events tab.

By default, the solution displays a table with the following information:

  • Event being examined.
  • 3 events that occurred before the event being examined.
  • 46 events that occurred after the event being examined.

For each event, you can also view events in a 90-day range. For example, if you are viewing an event from the current day, you can open events from the past 90 days. If an event of interest occurred 45 days ago, you can open events that occurred 45 days before the event being examined.

For each event in the table, the solution shows the following information:

  • Date and time of the event.
  • Event type.
  • Additional information about the event
  • Full path.

You can open the sidebar with detailed information about the selected event by clicking the row of the event in the table.

You can also download information about all events with a detailed description of each of them in text format.

Page top
[Topic 292233]