
Stop the spread of suspicious behavior within a container by isolating the containing pod from the environment.

This task is supported by the following services:
  • Trend Vision One Container Security
Important
Only currently running Kubernetes pods are supported for the Isolate Container task.
The Isolate Container task allows you to limit the spread of suspicious processes within a container and investigate their causes by disconnecting the pod from relevant networks and preventing data transfer into and out of the pod. Isolating a container is preferable to terminating a container because it preserves the evidence needed to prevent the behavior from happening again. Start the task using context menus on the Trend Vision One console.

Procedure

  1. After identifying the container to isolate, access the context or response menu and click Isolate Container.
    The Isolate Container Task screen appears.
  2. Confirm the target of the response.
  3. Specify a Description for the response or event.
  4. Click Create.
    Trend Vision One creates the task and displays the current task status in Response Management.
  5. Monitor the task status.
    1. Open Response Management.
    2. (Optional) Locate the task using the Search field or by selecting Isolate Container from the Action drop-down list.
    3. View the task status.
      • In progress: Trend Vision One sent the command and is waiting for a response.
      • Successful: The command was successfully executed.
      • Unsuccessful: An error or time-out occurred when attempting to send the command, or the specified pod no longer exists.
    After resolving the security issue in the isolated container, you can resume the container by clicking the options button associated with the Response Management task and selecting Resume Container.
    For more information, see the Resume Container task.
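
The isolation described above (a running pod cut off from network traffic in both directions) can be approximated by hand with a standard Kubernetes NetworkPolicy. The following is an added example, not Trend Vision One's implementation or code from this page; the label `quarantine=true`, the policy name `quarantine-deny-all` and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: manual pod quarantine with a Kubernetes NetworkPolicy.
# Label key/value and policy name are constructed for illustration.
QUARANTINE_LABEL_KEY="quarantine"
QUARANTINE_LABEL_VALUE="true"

# Print a NetworkPolicy that selects quarantined pods in a namespace and
# allows no ingress or egress (both policy types listed, no allow rules).
quarantine_manifest() {
  local namespace="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-deny-all
  namespace: ${namespace}
spec:
  podSelector:
    matchLabels:
      ${QUARANTINE_LABEL_KEY}: "${QUARANTINE_LABEL_VALUE}"
  policyTypes:
    - Ingress
    - Egress
EOF
}

# Mirrors the page's restriction: only a running pod can be isolated.
pod_is_running() {
  local phase="$1"
  [ "$phase" = "Running" ]
}

# Isolate one pod: check its phase, apply the policy, then label the pod
# so the policy selects it. The pod keeps running, preserving evidence.
isolate_pod() {
  local namespace="$1" pod="$2" phase
  phase="$(kubectl get pod "$pod" -n "$namespace" -o jsonpath='{.status.phase}')" || return 1
  pod_is_running "$phase" || { echo "pod $pod is $phase, not Running" >&2; return 1; }
  quarantine_manifest "$namespace" | kubectl apply -f - || return 1
  kubectl label pod "$pod" -n "$namespace" \
    "${QUARANTINE_LABEL_KEY}=${QUARANTINE_LABEL_VALUE}" --overwrite
}
```

NetworkPolicies are additive, so an existing policy that also selects the pod and allows traffic still applies alongside this one. Enforcement also depends on the cluster's network plugin supporting NetworkPolicy.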