This section describes how to investigate Container and Kubernetes events on the Investigate page in the Carbon Black Cloud console.
Note: This content is specific to Containers and Kubernetes. For additional documentation that more broadly describes the Investigate page in the
Carbon Black Cloud console, see
Investigate.
The Investigate page offers five ways to filter events for Containers and Kubernetes:
- Container
- Container Image
- Kubernetes Cluster
- Kubernetes Namespace
- Kubernetes Workload
You can combine filters to achieve a particular result.
- Click the vertical 3-dot Configuration menu to configure the filters that display in the console.
- You can exclude search results by clicking the Exclude icon to the right of a filter value. For example:
Note:
- For a list of Container and Kubernetes event and search fields, see the following tables.
- For a full list of all available Search fields, open the in-product Search Guide in the upper right corner of the Investigate page.
Container Fields
Field Name | Description | Searchable? | Example |
---|---|---|---|
Container Annotations |
A key-value list of arbitrary metadata that is assigned to the container by the container admin. | No | "com.example.gpu-cores": "2" |
Container Engine |
The engine that runs the container: Containerd, Docker, or CRIO. | No | Docker |
Container Engine Version |
The version of the container engine. | No | 1 |
Container ID |
ID of the container . | Yes | f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778 |
Container Image Hash |
SHA-256 hash of the container image. | Yes | sha256:83d3456789b9a85b98bd162f1ec4d7bc1942f0035caed0f80b3b98a3eab225a7dc |
Container Image Name |
Name of the container image. Images are static files with executable code that can create containers. | Yes | docker.io/alpine:latest |
Container IP Address |
IP address assigned to the container. | No | 192.168.23.100 |
Container Name |
Name of the container; names are typically generated by runtime engines or by platforms. For example, Kubernetes. | Yes | cbcontainers-node-agent |
Container Process PID |
Container process identifier that is assigned by the operating system; can be multi-valued in case of fork() or exec() process operations on Linux. | Yes | 2134 |
Container Root Path |
The host's path of the container image. | No | root@someworkloadname-67cf888bcd-gk4jl |
Entry Point |
The command that is executed when the container is started. | No | /bin/nginx -c /etc/nginx/config.json |
Host Name |
Container's host name. | No | |
Host Process PID |
Host's process PID. | Yes | 2345 |
Mount List |
List of the container's mounted volumes. | No | |
Mount Name |
Name of the container's mount. | No | mylib |
Mount Read/Write |
Type of access to the mounted file or directory. Write access allows modifying files on the node. | No | RW |
Mount Source Path |
A device name, file, or directory name at the container's host. | No | /var/lib/somedirectory |
Mount Target Path |
Destination of mount point: the path inside container. | No | /lib/somedirectory |
Mount Type |
Container's mount type, which can be bind, volume, or tempfs. | No | tempfs |
Privileged Container |
Defines whether privileged capability is enabled for the running container. https://github.com/opencontainers/runtime-spec/blob/main/config.md. | No | True |
Start Time |
Container start time. | No |
Kubernetes Fields
Field Name | Description | Searchable? | Example |
---|---|---|---|
Cluster Name |
Name of the Kubernetes cluster that is associated with the alert. | Yes | ross:aks-test |
Namespace |
Namespace within the Kubernetes cluster that is associated with the alert. | Yes | Default, kube-system |
Replica Name |
Name of the pod within a workload. | Yes | example-workload-1643104800-b2t7f |
Workload ID |
ID of the workload within a specific cluster_name/namespace pair. | Yes | example-workload |
Workload Kind |
Type of workload: Pod, Deployment, Job, etc. | Yes | CronJob,Deployment,DemonSet |
Workload Name |
Name of the workload within a specific cluster_name/namespace pair. | Yes | example-workload |
Kubernetes Network Security Fields
Field Name | Description | Searchable? | Example |
---|---|---|---|
Connection Type |
Type of connection: INGRESS, EGRESS, INTERNAL_INBOUND, etc. | Yes | EGRESS |
Egress Group Name |
Name of the egress group. | Yes | null |
IP Reputation |
Reputation assigned by Carbon Black Cloud; ranges 1-100 where 100 is trustworthy. | Yes | 74 |
Port |
Listening port: remote or local. | Yes | 80 |
Protocol |
Name of the protocol. | Yes | HTTP |
Remote Domain |
Name of the remote domain. | Yes | archive.ubuntu.com |
Remote IP |
IP address of the remote side of the communication. | Yes | 91.189.88.152 |