This section describes how to investigate Container and Kubernetes events on the Investigate page in the Carbon Black Cloud console.

Note: This content is specific to Containers and Kubernetes. For additional documentation that more broadly describes the Investigate page in the Carbon Black Cloud console, see Investigate.

The Investigate page offers five ways to filter events for Containers and Kubernetes:

  • Container
  • Container Image
  • Kubernetes Cluster
  • Kubernetes Namespace
  • Kubernetes Workload

You can combine these filters to narrow the results to a particular set of events.

  • Click the vertical 3-dot Configuration menu to configure the filters that display in the console.
  • You can exclude search results by clicking the Exclude icon to the right of a filter value. For example:

    [Figure: Excluded alerts based on filter setting]

Note:
  • For a list of Container and Kubernetes event and search fields, see the following tables.
  • For a full list of all available Search fields, open the in-product Search Guide in the upper right corner of the Investigate page.

Container Fields

Table 1. Container Fields in Alphabetical Order

| Field Name | Description | Searchable? | Example |
|---|---|---|---|
| Container Annotations | A key-value list of arbitrary metadata that the container admin assigns to the container. | No | "com.example.gpu-cores": "2" |
| Container Engine | The engine that runs the container: containerd, Docker, or CRI-O. | No | Docker |
| Container Engine Version | The version of the container engine. | No | 1 |
| Container ID | ID of the container. | Yes | f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778 |
| Container Image Hash | SHA-256 hash of the container image. | Yes | sha256:83d3456789b9a85b98bd162f1ec4d7bc1942f0035caed0f80b3b98a3eab225a7dc |
| Container Image Name | Name of the container image. Images are static files with executable code from which containers are created. | Yes | docker.io/alpine:latest |
| Container IP Address | IP address assigned to the container. | No | 192.168.23.100 |
| Container Name | Name of the container; names are typically generated by the runtime engine or by a platform such as Kubernetes. | Yes | cbcontainers-node-agent |
| Container Process PID | Process identifier of the container process, assigned by the operating system; can be multi-valued when the process calls fork() or exec() on Linux. | Yes | 2134 |
| Container Root Path | The host's path to the container image. | No | root@someworkloadname-67cf888bcd-gk4jl |
| Entry Point | The command that is executed when the container starts. | No | /bin/nginx -c /etc/nginx/config.json |
| Host Name | The container's host name. | No | |
| Host Process PID | PID of the process on the host. | Yes | 2345 |
| Mount List | List of the container's mounted volumes. | No | |
| Mount Name | Name of the container's mount. | No | mylib |
| Mount Read/Write | Type of access to the mounted file or directory. Write access allows the container to modify files on the node. | No | RW |
| Mount Source Path | A device name, file, or directory name on the container's host. | No | /var/lib/somedirectory |
| Mount Target Path | Destination of the mount point: the path inside the container. | No | /lib/somedirectory |
| Mount Type | The container's mount type: bind, volume, or tmpfs. | No | tmpfs |
| Privileged Container | Whether the privileged capability is enabled for the running container; see https://github.com/opencontainers/runtime-spec/blob/main/config.md. | No | True |
| Start Time | Container start time. | No | |

Kubernetes Fields

Table 2. Kubernetes Fields in Alphabetical Order

| Field Name | Description | Searchable? | Example |
|---|---|---|---|
| Cluster Name | Name of the Kubernetes cluster that is associated with the alert. | Yes | ross:aks-test |
| Namespace | Namespace within the Kubernetes cluster that is associated with the alert. | Yes | default, kube-system |
| Replica Name | Name of the pod within a workload. | Yes | example-workload-1643104800-b2t7f |
| Workload ID | ID of the workload within a specific cluster_name/namespace pair. | Yes | example-workload |
| Workload Kind | Type of workload: Pod, Deployment, Job, etc. | Yes | CronJob, Deployment, DaemonSet |
| Workload Name | Name of the workload within a specific cluster_name/namespace pair. | Yes | example-workload |

Kubernetes Network Security Fields

Table 3. Kubernetes Network Security Fields in Alphabetical Order

| Field Name | Description | Searchable? | Example |
|---|---|---|---|
| Connection Type | Type of connection: INGRESS, EGRESS, INTERNAL_INBOUND, etc. | Yes | EGRESS |
| Egress Group Name | Name of the egress group. | Yes | null |
| IP Reputation | Reputation assigned by Carbon Black Cloud; ranges 1-100, where 100 is trustworthy. | Yes | 74 |
| Port | Listening port: remote or local. | Yes | 80 |
| Protocol | Name of the protocol. | Yes | HTTP |
| Remote Domain | Name of the remote domain. | Yes | archive.ubuntu.com |
| Remote IP | IP address of the remote side of the communication. | Yes | 91.189.88.152 |
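The filter combinations described above, applied offline to constructed events that carry the fields from the three tables (an added example, not Carbon Black Cloud code; the dictionary keys, the LOW_REPUTATION threshold and the sample events are assumptions modelled on the tables' display names, not the product's search-field identifiers):

```python
LOW_REPUTATION = 30  # assumed threshold on the page's 1-100 IP Reputation scale

def find_risky_events(events, exclude_namespaces=("kube-system",)):
    """Return (container_id, [reasons]) for events matching the combined filters.

    Filter 1: Privileged Container is True AND a Mount of type bind with RW access
              (the table notes that write access lets the container modify the node).
    Filter 2: Connection Type is EGRESS AND IP Reputation is below LOW_REPUTATION.
    Namespaces in exclude_namespaces play the role of the console's Exclude icon.
    """
    hits = []
    for ev in events:
        if ev["namespace"] in exclude_namespaces:
            continue
        reasons = []
        rw_bind = [m for m in ev.get("mounts", []) if m["type"] == "bind" and m["rw"]]
        if ev.get("privileged") and rw_bind:
            reasons.append("privileged container with RW bind mount(s): "
                           + ", ".join(m["source"] for m in rw_bind))
        rep = ev.get("ip_reputation")
        if ev.get("connection_type") == "EGRESS" and rep is not None and rep < LOW_REPUTATION:
            reasons.append(f"egress to low-reputation remote {ev['remote_ip']} (reputation {rep})")
        if reasons:
            hits.append((ev["container_id"], reasons))
    return hits

# Constructed sample events; the keys are assumptions modelled on the tables' field names.
SAMPLE_EVENTS = [
    {"container_id": "c1", "namespace": "default", "privileged": True,
     "mounts": [{"name": "hostvar", "type": "bind", "rw": True,
                 "source": "/var/lib/somedirectory", "target": "/lib/somedirectory"}]},
    {"container_id": "c2", "namespace": "default", "privileged": False, "mounts": [],
     "connection_type": "EGRESS", "ip_reputation": 12, "remote_ip": "203.0.113.9"},
    {"container_id": "c3", "namespace": "kube-system", "privileged": True,
     "mounts": [{"name": "hostetc", "type": "bind", "rw": True,
                 "source": "/etc", "target": "/host/etc"}]},
    {"container_id": "c4", "namespace": "default", "privileged": True,
     "mounts": [{"name": "tmp", "type": "tmpfs", "rw": True, "source": "", "target": "/tmp"}],
     "connection_type": "EGRESS", "ip_reputation": 74, "remote_ip": "91.189.88.152"},
]

if __name__ == "__main__":
    for cid, why in find_risky_events(SAMPLE_EVENTS):
        print(cid, "->", "; ".join(why))
```

With the default exclusion, c3 (in kube-system) is dropped just as the Exclude icon would drop it in the console; passing exclude_namespaces=() brings it back.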