Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
K8s process events. This table is collected by the detection team in MDC.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | LogManagement |
| Basic log | Yes |
| Ingestion-time transformation | No |
| Sample Queries | - |
Columns
| Column | Type | Description |
|---|---|---|
| AdditionalData | dynamic | Additional metadata about the container event. |
| AgentId | string | The ID of the monitoring agent tracking the container. |
| Auid | string | The audit user ID associated with the container process. |
| _BilledSize | real | The record size in bytes |
| Cmdline | string | The command-line instruction that started the container. |
| Comm | string | The name of the executed command. |
| Computer | string | The name of the node where the container is running. |
| ContainerID | string | The unique identifier of the running container. |
| ContainerName | string | The name of the container. |
| Cwd | string | The current working directory of the container process. |
| Digest | string | The SHA-256 digest of the container image. |
| DriftAction | string | Indicates if there were any modifications in the container files. |
| Exe | string | The path to the executable running inside the container. |
| Gid | string | The group ID under which the process is running. |
| Group | string | The group name associated with the process. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Memfd | bool | Indicates if the container has memory file descriptor (memfd) execution. |
| Namespace | string | The namespace where the Kubernetes pod is deployed. |
| Pid | string | The process ID of the containerized application. |
| Pname | string | The parent process name of the containerized application. |
| PodLabels | dynamic | Labels associated with the Kubernetes pod. |
| PodName | string | The name of the Kubernetes pod. |
| Ppid | string | The parent process ID of the containerized application. |
| Repository | string | The container image repository. |
| Ses | string | The session ID of the container process. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Success | string | Indicates whether the command execution was successful. |
| Tag | string | The tag of the container image. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp when the event was recorded in UTC. |
| Type | string | The name of the table |
| Uid | string | The user ID under which the process is running. |
| UpperLayer | bool | Indicates if the container image uses an upper layer in the overlay filesystem. |
| User | string | The username running the process inside the container. |