MISP Object Proposal: container-instance #494
Open
Description
There is no structured way to represent running or stopped containers in forensic investigations.
Introduce container-instance to describe runtime container details.
Proposed Attributes:
- container-id (text)
- image (link to container-image)
- command (text)
- created (datetime)
- started (datetime)
- finished (datetime)
- state (text: running, exited, paused)
- hostname (text)
- user (text)
- privileged (boolean)
- capabilities (text)
- security-opt (text)
- mounts (text)
- network-mode (text)
- ip-address (ip-dst)
- ports (text)
- environment-variables (text)
Host-based forensic artifacts can be used instead, but this loses container-specific isolation context.
Useful for DFIR scenarios, especially when analyzing compromised hosts running containers.
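An added example, not code from MISP or from this proposal: a Python sketch that maps a constructed runtime record onto the attribute list above and lists the isolation-relevant settings that a host-only artifact would not carry. The object JSON layout (`Attribute`/`ObjectReference` keys, a `related-to` reference to the container-image object, booleans stored as "0"/"1") and the one-attribute-per-list-item handling are assumptions about how the template would be defined.

```python
# Attribute relations and MISP types exactly as listed in the proposal.
TEMPLATE = {
    "container-id": "text", "command": "text", "created": "datetime",
    "started": "datetime", "finished": "datetime", "state": "text",
    "hostname": "text", "user": "text", "privileged": "boolean",
    "capabilities": "text", "security-opt": "text", "mounts": "text",
    "network-mode": "text", "ip-address": "ip-dst", "ports": "text",
    "environment-variables": "text",
}
STATES = {"running", "exited", "paused"}  # enumeration given in the proposal
WEAK_ISOLATION = {  # runtime settings that host-only artifacts do not record
    "privileged": lambda v: v == "1", "network-mode": lambda v: v == "host",
    "mounts": lambda v: "docker.sock" in v, "security-opt": lambda v: "unconfined" in v,
}

def build_container_instance(record, image_object_uuid=None):
    # Map a runtime record to a MISP-style object; a list value yields one attribute per element.
    attributes = []
    for relation, misp_type in TEMPLATE.items():
        value = record.get(relation)
        if value is None:
            continue
        if relation == "state" and value not in STATES:
            raise ValueError(f"state {value!r} not in {sorted(STATES)}")
        if misp_type == "boolean":
            value = "1" if value else "0"  # assumed "0"/"1" storage for boolean attributes
        for item in value if isinstance(value, list) else [value]:
            attributes.append({"object_relation": relation,
                               "type": misp_type, "value": str(item)})
    obj = {"name": "container-instance", "Attribute": attributes}
    if image_object_uuid:  # the proposal's "image" link to a container-image object
        obj["ObjectReference"] = [{"relationship_type": "related-to",
                                   "referenced_uuid": image_object_uuid}]
    return obj

def isolation_gaps(obj):
    # Attributes whose values weaken isolation, in template order.
    return [f"{a['object_relation']}={a['value']}" for a in obj["Attribute"]
            if (p := WEAK_ISOLATION.get(a["object_relation"])) and p(a["value"])]

IMAGE_UUID = "00000000-0000-4000-8000-000000000001"  # constructed placeholder
SAMPLE = {  # constructed record in the shape of a `docker inspect` summary
    "container-id": "3f2a9c1e7b4d", "command": "nginx -g 'daemon off;'",
    "created": "2024-05-01T10:00:00Z", "started": "2024-05-01T10:00:01Z",
    "state": "running", "hostname": "web-1", "user": "root", "privileged": True,
    "capabilities": ["CAP_SYS_ADMIN", "CAP_NET_RAW"], "security-opt": ["seccomp=unconfined"],
    "mounts": ["/var/run/docker.sock:/var/run/docker.sock"], "network-mode": "host",
    "ip-address": "10.0.0.5", "ports": ["0.0.0.0:8080->80/tcp"],
    "environment-variables": ["PATH=/usr/bin"],
}
```

Calling `build_container_instance(SAMPLE, IMAGE_UUID)` and then `isolation_gaps(...)` on the result shows the four settings (privileged, seccomp unconfined, docker.sock mount, host networking) that only the container-level view exposes.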