Cisco Isovalent - new detections batch 1 #3706

patel-bhavin · 2025-10-02T00:04:52Z

Added 8 new detections , added isovalent datasets for existing searches
1 new story
1 data source

detections/endpoint/linux_apt_get_privilege_escalation.yml

detections/endpoint/linux_at_application_execution.yml

detections/endpoint/linux_curl_upload_file.yml

stories/cisco_isovalent_suspicious_activity.yml

contentctl.yml

nasbench · 2025-10-06T10:50:37Z

macros/cisco_isovalent_allowed_images.yml

@@ -0,0 +1,3 @@
+definition: pod_image_name IN ("docker.io/library/ubuntu:22.04")


Maybe add cilium versions since its seems to be used with isovalent too

Good point, adding these images since they are configured while setting up isovalent:

("docker.io/library/ubuntu:22.04","docker.io/grafana/grafana:12.0.1", "quay.io/isovalent-dev/tetragon-ci*",""quay.io/isovalent/tetragon-ci*","quay.io/isovalent/hubble-export-fluentd*")

nasbench · 2025-10-06T10:58:21Z

detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml

+status: production
+description: The following analytic detects execution of nsenter from within a container, including explicit attempts to join the host’s mount namespace via --mount=/host/proc/1/ns/mnt. Adversaries commonly use nsenter when a pod is misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts) to interact with the underlying node filesystem and processes. This behavior may indicate a container escape attempt to gain persistence or control over the Kubernetes node. Extra scrutiny is warranted for workloads running with privileged security contexts or access to host namespaces and for pods that suddenly begin invoking nsenter outside of normal maintenance activity.
+search: |
+  `cisco_isovalent_process_exec` process_name="nsenter" OR process="--mount=/host/proc/1/ns/mnt"


the proc/1 in this instance refers to your shell i presume. But I don't think this would always be the case right?

If so maybe we can drop it and focus on the binary name?

Just thinking out loud

detections/cloud/cisco_isovalent___detect_shell_execution.yml

nasbench · 2025-10-06T11:19:39Z

detections/cloud/cisco_isovalent___late_process_execution.yml

+  The analytic compares the process start time to the container start time and flags processes
+  launched more than 5 minutes (300 seconds) after initialization.


Random question for you, would this not trigger on cron jobs that occurs in the future ?

Co-authored-by: Nasreddine Bencherchali <[email protected]>

patel-bhavin added 27 commits August 14, 2025 14:27

adding 1 detection

9c53da8

one more

3fdd953

not sure

36aac51

adding draft detections

21b17fd

Merge branch 'develop' into isovalent_batch_1

40c9732

stash a commit

4f78689

updating sourcetype and fields

c9e8628

updating detections

2a8d3e4

textual updates

b54a8cc

new detection for sus images

fd21a77

udpating fields

fd5f7c2

adding new search

ed3bc02

Merge branch 'develop' into isovalent_batch_1

dff1a2c

testing TA

d602c7e

space

576fac3

fixing sourcetype

f21f9e4

updating detection and dataset

a50280d

updates to all files

b6058aa

updating isovalent detections

f800a3b

updating dataset

be1c385

Merge branch 'develop' into isovalent_batch_1

f692117

updating two detections

1bd337d

yaml fixes

e8d6292

fixing mitre

4fbadb3

added dataset for curl

64dd230

add new detection

03ff337

new detection

a181580

github-actions bot added Detections Stories Macros labels Oct 2, 2025

github-actions bot added the Datasource label Oct 2, 2025

patel-bhavin and others added 7 commits October 1, 2025 17:05

Merge branch 'develop' into isovalent_batch_1

dfc80d9

updating links

444abaf

fixing data source app

bcb0184

adding correct fields and output fields

e10390c

inspect error

36d6a75

incorrect change

794bcd4

updating path

fd24e9d

nasbench reviewed Oct 6, 2025

View reviewed changes

patel-bhavin and others added 6 commits October 6, 2025 09:24

Merge branch 'develop' into isovalent_batch_1

445a333

Update stories/cisco_isovalent_suspicious_activity.yml

4fc2c9d

Co-authored-by: Nasreddine Bencherchali <[email protected]>

Update detections/cloud/cisco_isovalent___detect_shell_execution.yml

ad8c286

Co-authored-by: Nasreddine Bencherchali <[email protected]>

remove detect from everywhere

eff7562

adding story

efc4ce8

updating allowed images

9d6e1e4

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cisco Isovalent - new detections batch 1 #3706

Cisco Isovalent - new detections batch 1 #3706

Uh oh!

patel-bhavin commented Oct 2, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nasbench Oct 6, 2025

Uh oh!

patel-bhavin Oct 6, 2025

Uh oh!

nasbench Oct 6, 2025

Uh oh!

Uh oh!

nasbench Oct 6, 2025

Uh oh!

Uh oh!

		@@ -0,0 +1,3 @@
		definition: pod_image_name IN ("docker.io/library/ubuntu:22.04")

		The analytic compares the process start time to the container start time and flags processes
		launched more than 5 minutes (300 seconds) after initialization.

Cisco Isovalent - new detections batch 1 #3706

Are you sure you want to change the base?

Cisco Isovalent - new detections batch 1 #3706

Uh oh!

Conversation

patel-bhavin commented Oct 2, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nasbench Oct 6, 2025

Choose a reason for hiding this comment

Uh oh!

patel-bhavin Oct 6, 2025

Choose a reason for hiding this comment

Uh oh!

nasbench Oct 6, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

nasbench Oct 6, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!