From 9c53da807d857ae7a3c88779923728d2f6d7ad06 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 14 Aug 2025 14:27:34 -0700 Subject: [PATCH 01/37] adding 1 detection --- data_sources/cisco_isovalent_process_exec.yml | 213 ++++++++++++++++++ ...sco_isovalent___detect_shell_execution.yml | 63 ++++++ macros/cisco_isovalent.yml | 4 + .../cisco_isovalent_suspicious_activity.yml | 21 ++ 4 files changed, 301 insertions(+) create mode 100644 data_sources/cisco_isovalent_process_exec.yml create mode 100644 detections/cloud/cisco_isovalent___detect_shell_execution.yml create mode 100644 macros/cisco_isovalent.yml create mode 100644 stories/cisco_isovalent_suspicious_activity.yml diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml new file mode 100644 index 0000000000..ce039d92ce --- /dev/null +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -0,0 +1,213 @@ +name: Cisco Isovalent Process Exec +id: 87654321-dcba-4321-00fe-0987654321ba +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +description: Logs process execution events within Cisco Isovalent environments, providing visibility into process exec ancestry and Kubernetes workload identity. +mitre_components: +- Process Execution +- Container Monitoring +- Kubernetes Monitoring +source: cisco_isovalent +sourcetype: cisco:isovalent +fields: +- _bkt +- _cd +- _eventtype_color +- _indextime +- _raw +- _serial +- _si +- _sourcetype +- _subsecond +- _time +- cluster_name +- dest_ip +- dest_port +- duration +- eventtype +- host +- index +- linecount +- node_labels.alpha.eksctl.io/cluster-name +- node_labels.alpha.eksctl.io/instance-id +- node_labels.alpha.eksctl.io/nodegroup-name +- node_labels.beta.kubernetes.io/arch +- node_labels.beta.kubernetes.io/instance-type +- node_labels.beta.kubernetes.io/os +- node_labels.failure-domain.beta.kubernetes.io/region +- node_labels.failure-domain.beta.kubernetes.io/zone +- node_labels.k8s.io/cloud-provider-aws +- node_labels.kubernetes.io/arch +- node_labels.kubernetes.io/hostname +- node_labels.kubernetes.io/os +- node_labels.node-lifecycle +- node_labels.node.kubernetes.io/instance-type +- node_labels.topology.k8s.aws/zone-id +- node_labels.topology.kubernetes.io/region +- node_labels.topology.kubernetes.io/zone +- node_name +- parent_process +- parent_process_exec +- parent_process_id +- parent_process_name +- parent_process_path +- process +- process_connect.destination_ip +- process_connect.destination_pod.name +- process_connect.destination_pod.namespace +- process_connect.destination_pod.pod_labels.app.kubernetes.io/component +- process_connect.destination_pod.pod_labels.app.kubernetes.io/instance +- process_connect.destination_pod.pod_labels.app.kubernetes.io/managed-by +- process_connect.destination_pod.pod_labels.app.kubernetes.io/name +- process_connect.destination_pod.pod_labels.app.kubernetes.io/part-of +- process_connect.destination_pod.pod_labels.app.kubernetes.io/version +- process_connect.destination_pod.pod_labels.apps.kubernetes.io/pod-index +- process_connect.destination_pod.pod_labels.controller-revision-hash +- process_connect.destination_pod.pod_labels.eks.amazonaws.com/component +- process_connect.destination_pod.pod_labels.helm.sh/chart +- process_connect.destination_pod.pod_labels.k8s-app +- process_connect.destination_pod.pod_labels.pod-template-hash +- process_connect.destination_pod.pod_labels.statefulset.kubernetes.io/pod-name +- process_connect.destination_pod.workload +- process_connect.destination_pod.workload_kind +- process_connect.destination_port +- process_connect.parent.arguments +- process_connect.parent.auid +- process_connect.parent.binary +- process_connect.parent.cwd +- process_connect.parent.docker +- process_connect.parent.exec_id +- process_connect.parent.flags +- process_connect.parent.in_init_tree +- process_connect.parent.parent_exec_id +- process_connect.parent.pid +- process_connect.parent.pod.container.id +- process_connect.parent.pod.container.image.id +- process_connect.parent.pod.container.image.name +- process_connect.parent.pod.container.name +- process_connect.parent.pod.container.pid +- process_connect.parent.pod.container.start_time +- process_connect.parent.pod.name +- process_connect.parent.pod.namespace +- process_connect.parent.pod.pod_labels.app.kubernetes.io/instance +- process_connect.parent.pod.pod_labels.app.kubernetes.io/name +- process_connect.parent.pod.pod_labels.controller-revision-hash +- process_connect.parent.pod.pod_labels.k8s-app +- process_connect.parent.pod.pod_labels.pod-template-generation +- process_connect.parent.pod.workload +- process_connect.parent.pod.workload_kind +- process_connect.parent.start_time +- process_connect.parent.tid +- process_connect.parent.uid +- process_connect.process.arguments +- process_connect.process.auid +- process_connect.process.binary +- process_connect.process.cwd +- process_connect.process.docker +- process_connect.process.exec_id +- process_connect.process.flags +- process_connect.process.in_init_tree +- process_connect.process.parent_exec_id +- process_connect.process.pid +- process_connect.process.pod.container.id +- process_connect.process.pod.container.image.id +- process_connect.process.pod.container.image.name +- process_connect.process.pod.container.maybe_exec_probe +- process_connect.process.pod.container.name +- process_connect.process.pod.container.pid +- process_connect.process.pod.container.start_time +- process_connect.process.pod.name +- process_connect.process.pod.namespace +- process_connect.process.pod.pod_labels.app.kubernetes.io/instance +- process_connect.process.pod.pod_labels.app.kubernetes.io/name +- process_connect.process.pod.pod_labels.controller-revision-hash +- process_connect.process.pod.pod_labels.eks.amazonaws.com/component +- process_connect.process.pod.pod_labels.k8s-app +- process_connect.process.pod.pod_labels.pod-template-generation +- process_connect.process.pod.pod_labels.pod-template-hash +- process_connect.process.pod.workload +- process_connect.process.pod.workload_kind +- process_connect.process.start_time +- process_connect.process.tid +- process_connect.process.uid +- process_connect.protocol +- process_connect.sock_cookie +- process_connect.source_ip +- process_connect.source_port +- process_current_directory +- process_exec +- process_exec.ancestors{}.arguments +- process_exec.ancestors{}.auid +- process_exec.ancestors{}.binary +- process_exec.ancestors{}.cwd +- process_exec.ancestors{}.exec_id +- process_exec.ancestors{}.flags +- process_exec.ancestors{}.in_init_tree +- process_exec.ancestors{}.parent_exec_id +- process_exec.ancestors{}.pid +- process_exec.ancestors{}.start_time +- process_exec.ancestors{}.tid +- process_exec.ancestors{}.uid +- process_exec.parent.arguments +- process_exec.parent.auid +- process_exec.parent.binary +- process_exec.parent.cwd +- process_exec.parent.exec_id +- process_exec.parent.flags +- process_exec.parent.in_init_tree +- process_exec.parent.parent_exec_id +- process_exec.parent.pid +- process_exec.parent.start_time +- process_exec.parent.tid +- process_exec.parent.uid +- process_exec.process.arguments +- process_exec.process.auid +- process_exec.process.binary +- process_exec.process.cwd +- process_exec.process.docker +- process_exec.process.exec_id +- process_exec.process.flags +- process_exec.process.in_init_tree +- process_exec.process.parent_exec_id +- process_exec.process.pid +- process_exec.process.pod.container.id +- process_exec.process.pod.container.image.id +- process_exec.process.pod.container.image.name +- process_exec.process.pod.container.maybe_exec_probe +- process_exec.process.pod.container.name +- process_exec.process.pod.container.pid +- process_exec.process.pod.container.start_time +- process_exec.process.pod.name +- process_exec.process.pod.namespace +- process_exec.process.pod.pod_labels.app.kubernetes.io/instance +- process_exec.process.pod.pod_labels.app.kubernetes.io/name +- process_exec.process.pod.pod_labels.controller-revision-hash +- process_exec.process.pod.pod_labels.k8s-app +- process_exec.process.pod.pod_labels.pod-template-generation +- process_exec.process.pod.workload +- process_exec.process.pod.workload_kind +- process_exec.process.start_time +- process_exec.process.tid +- process_exec.process.uid +- process_id +- process_name +- punct +- session_id +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_ip +- src_port +- tag +- tag::eventtype +- time +- transport +- user_id +- vendor_product +output_fields: +- process_exec.process.pod.namespace +example_log: | + {"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk5MjQ2MDAwNDozNTAyOTE0","pid":3502914,"uid":0,"cwd":"/app","binary":"/app/grpc-health-probe","arguments":"-addr=:50051 -connect-timeout=5s -rpc-timeout=5s","flags":"execve clone","start_time":"2025-08-14T20:42:47.459946745Z","auid":4294967295,"pod":{"namespace":"kube-system","name":"aws-node-9twpn","container":{"id":"containerd://dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","name":"aws-node","image":{"id":"sha256:0b48ad70935c9dea3627854c46a5d12028b941334ad82bf7be6a6fcddd4a2674","name":"066635153087.dkr.ecr.il-central-1.amazonaws.com/amazon-k8s-cni:v1.19.2"},"start_time":"2025-07-28T22:21:44Z","pid":3635324,"maybe_exec_probe":true,"security_context":{}},"pod_labels":{"app.kubernetes.io/instance":"aws-vpc-cni","app.kubernetes.io/name":"aws-node","controller-revision-hash":"dfddff8c5","k8s-app":"aws-node","pod-template-generation":"1"},"workload":"aws-node","workload_kind":"DaemonSet"},"docker":"dc5b541d139c38ec01e485712f0eec3","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","tid":3502914,"in_init_tree":false},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","pid":3502900,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process2848112653 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/939f032732ee71076b86175deba715fc56e5cacb6047fb3602069bdbbfd21e45.pid dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","flags":"execve clone","start_time":"2025-08-14T20:42:47.439585277Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","tid":3502900,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","pid":3059,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2025-07-28T22:21:34.807485194Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":3059,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T20:42:47.459945318Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml new file mode 100644 index 0000000000..f1f7758f99 --- /dev/null +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -0,0 +1,63 @@ +name: Cisco Isovalent - Detect Shell Execution +id: 12345678-abcd-1234-ef00-1234567890ab +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: Gaining shell access through a compromised workload is one of the primary goals of an attack. Isovalent Networking for Kubernetes uses eBPF to hook into the kernel and provide visibility into process_exec events, including information about the process ancestry tree (process_exec.process.binary, process_exec.ancestors{}.binary fields) and the Kubernetes workload identity (process_exec.process.pod.namespace, process_exec.process.pod.labels{} fields). Security teams can use this information to build a robust alert and threat detection system. This analytic monitors an exec of a shell inside a container namespace. +search: | + `cisco_isovalent` process_exec.process.pod.name!="" + (process_exec.process.binary="*/bin/sh" OR process_exec.process.binary="*/bin/bash") + | rename process_exec.process.pod.namespace as WorkloadNamespace + | rename process_exec.process.pod.labels{} as WorkloadLabels + | rename process_exec.ancestors{}.binary as WorkloadAncestorsBinary + | eval WorkloadAncestorsBinary=mvjoin(WorkloadAncestorsBinary, " <- ") + | eval WorkloadLabels=mvjoin(WorkloadLabels, "; ") + | stats count by WorkloadNamespace, process_exec.process.binary, process_exec.parent.binary, WorkloadAncestorsBinary | `cisco_isovalent___detect_shell_execution_filter` +how_to_implement: This analytic leverages Tetragon logs to be ingested using the + Cisco Security Cloud App. +known_false_positives: Shell scripts executed by legitimate users or automated processes. +references: +- https://isovalent.com +- https://tetragon.io +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A shell execution has been detected by user on container pod namespace $WorkloadNamespace$ + risk_objects: + - field: WorkloadNamespace + type: system + score: 49 + threat_objects: [] +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1059 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + source: not_applicable + sourcetype: cisco:isovalent \ No newline at end of file diff --git a/macros/cisco_isovalent.yml b/macros/cisco_isovalent.yml new file mode 100644 index 0000000000..35754066eb --- /dev/null +++ b/macros/cisco_isovalent.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:isovalent +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_isovalent diff --git a/stories/cisco_isovalent_suspicious_activity.yml b/stories/cisco_isovalent_suspicious_activity.yml new file mode 100644 index 0000000000..bf6848d515 --- /dev/null +++ b/stories/cisco_isovalent_suspicious_activity.yml @@ -0,0 +1,21 @@ +name: Cisco Isovalent Suspicious Activity +id: 245ac99a-1355-44fe-9ef7-a7e826e20c6f +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +status: production +description: This analytics story focuses on identifying suspicious activities and potential security threats within environments using Cisco Isovalent. It provides detection rules and guidance to help security teams recognize signs of adversary tactics such as unauthorized access attempts, unusual network activity, and other behaviors indicative of potential compromise. +narrative: | + Cisco Isovalent provides advanced networking and security capabilities for Kubernetes environments. However, attackers continue to develop techniques to exploit vulnerabilities and misconfigurations. This story brings together detections that highlight suspicious activity patterns in Isovalent-protected environments, such as unusual shell executions, anomalous network connections, and other indicators of potential compromise. By leveraging these detections, security teams can quickly identify and respond to threats targeting Kubernetes environments, reducing the risk of successful attacks and subsequent malicious activity. +references: +- https://isovalent.com +- https://tetragon.io +tags: + category: + - Adversary Tactics + - Cloud Security + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection From 3fdd95384e382177e1fd27ec30d86c3ddf09541d Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 14 Aug 2025 16:53:02 -0700 Subject: [PATCH 02/37] one more --- ...t___curl_execution_with_insecure_flags.yml | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml new file mode 100644 index 0000000000..3b8cfe83eb --- /dev/null +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -0,0 +1,65 @@ +name: Cisco Isovalent - Curl Execution With Insecure Flags +id: ece07077-e577-42bb-a8d2-c3c102793723 +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: Detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. This analytic monitors for the use of the -k or --insecure flags, which may indicate attempts to bypass SSL/TLS verification, potentially exposing the system to man-in-the-middle attacks. +search: | + `cisco_isovalent` process_exec.process.pod.name!="" + (process_name="*curl") + | regex process="(?i)(? Date: Thu, 21 Aug 2025 09:20:00 -0700 Subject: [PATCH 03/37] not sure --- .../cisco_isovalent___cron_job_creation.yml | 56 +++++++++++++++++ ...sco_isovalent___detect_shell_execution.yml | 5 +- ...lent___nsenter_usage_in_kubernetes_pod.yml | 63 +++++++++++++++++++ 3 files changed, 121 insertions(+), 3 deletions(-) create mode 100644 detections/cloud/cisco_isovalent___cron_job_creation.yml create mode 100644 detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml new file mode 100644 index 0000000000..268418e2d3 --- /dev/null +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -0,0 +1,56 @@ +name: Cisco Isovalent - Cron Job Creation +id: 45678901-defg-4567-hi23-456789012def +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information. +search: | + `cisco_isovalent` process_exec.process.binary="*/bin/cron" + | stats count values(user.groups{}) as user_groups by process_exec.process.pod.name, process_exec.process.pod.namespace, process_exec.process.binary, process_exec.process.arguments, process_exec.process.start_time, process_exec.process.pod.container.image.name + | rename process_exec.process.pod.name as PodName, process_exec.process.pod.namespace as Namespace, process_exec.process.binary as Binary, process_exec.process.arguments as Arguments, process_exec.process.start_time as StartTime, process_exec.process.pod.container.image.name as ImageName + | `cisco_isovalent___cron_job_creation_filter` +how_to_implement: The detection is based on data that originates from Cisco Isovalent logs. Ensure that logging is enabled in your Cisco Isovalent environment. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. +known_false_positives: unknown +references: +- https://isovalent.com +- https://tetragon.io +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Cisco Isovalent cron job creation detected in namespace $Namespace$ + risk_objects: + - field: Namespace + type: system + score: 50 + threat_objects: + - field: PodName + type: pod + score: 50 + threat_objects: [] +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Kubernetes + mitre_attack_id: + - T1053.007 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml index f1f7758f99..0d81c48da8 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -21,8 +21,7 @@ how_to_implement: This analytic leverages Tetragon logs to be ingested using the Cisco Security Cloud App. known_false_positives: Shell scripts executed by legitimate users or automated processes. references: -- https://isovalent.com -- https://tetragon.io +- https://www.sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco drilldown_searches: - name: View the detection results for - "$user$" search: '%original_detection_search% | search user = "$user$"' @@ -60,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log source: not_applicable - sourcetype: cisco:isovalent \ No newline at end of file + sourcetype: cisco:isovalent diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml new file mode 100644 index 0000000000..451bf698dc --- /dev/null +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -0,0 +1,63 @@ +name: Cisco Isovalent - Nsenter Usage in Kubernetes Pod +id: 34567890-cdef-3456-gh12-345678901cde +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects execution of nsenter from within a container, including explicit attempts to join the host’s mount namespace via --mount=/host/proc/1/ns/mnt. Adversaries commonly use nsenter when a pod is misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts) to interact with the underlying node filesystem and processes. This behavior may indicate a container escape attempt to gain persistence or control over the Kubernetes node. Extra scrutiny is warranted for workloads running with privileged security contexts or access to host namespaces and for pods that suddenly begin invoking nsenter outside of normal maintenance activity. +search: | + `cisco_isovalent` process_exec.process.binary IN ("/usr/bin/nsenter","/bin/nsenter","nsenter") + OR process_exec.process.args="--mount=/host/proc/1/ns/mnt" + | rename process_exec.process.pod.namespace as WorkloadNamespace + | rename process_exec.process.pod.labels{} as WorkloadLabels + | rename process_exec.ancestors{}.binary as WorkloadAncestorsBinary + | eval WorkloadAncestorsBinary=mvjoin(WorkloadAncestorsBinary, " <- ") + | eval WorkloadLabels=mvjoin(WorkloadLabels, "; ") + | stats count by WorkloadNamespace, process_exec.process.binary, process_exec.parent.binary, WorkloadAncestorsBinary | `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter` +how_to_implement: This analytic leverages Tetragon logs to be ingested using the + Cisco Security Cloud App. +known_false_positives: Legitimate use of nsenter for administrative purposes. +references: +- https://isovalent.com/blog/post/2021-11-container-escape/ +- https://kubehound.io/reference/attacks/CE_NSENTER/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An nsenter escape attempt has been detected by user on container pod namespace $WorkloadNamespace$ + risk_objects: + - field: WorkloadNamespace + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1611 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + source: cisco_isovalent + sourcetype: cisco:isovalent From 21b17fdf778f9455a2b1c2c031400cb8fa50c1ac Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 26 Aug 2025 15:21:02 -0700 Subject: [PATCH 04/37] adding draft detections --- data_sources/cisco_isovalent_process_exec.yml | 3 +- .../cisco_isovalent___cron_job_creation.yml | 8 +- ...t___curl_execution_with_insecure_flags.yml | 6 +- ...valent___detect_late_process_execution.yml | 75 +++++++++++++++++++ ...sco_isovalent___detect_shell_execution.yml | 2 +- ...lent___nsenter_usage_in_kubernetes_pod.yml | 4 +- 6 files changed, 89 insertions(+), 9 deletions(-) create mode 100644 detections/cloud/cisco_isovalent___detect_late_process_execution.yml diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml index ce039d92ce..d510014a03 100644 --- a/data_sources/cisco_isovalent_process_exec.yml +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -207,7 +207,6 @@ fields: - transport - user_id - vendor_product -output_fields: -- process_exec.process.pod.namespace +output_fields: [] example_log: | {"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk5MjQ2MDAwNDozNTAyOTE0","pid":3502914,"uid":0,"cwd":"/app","binary":"/app/grpc-health-probe","arguments":"-addr=:50051 -connect-timeout=5s -rpc-timeout=5s","flags":"execve clone","start_time":"2025-08-14T20:42:47.459946745Z","auid":4294967295,"pod":{"namespace":"kube-system","name":"aws-node-9twpn","container":{"id":"containerd://dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","name":"aws-node","image":{"id":"sha256:0b48ad70935c9dea3627854c46a5d12028b941334ad82bf7be6a6fcddd4a2674","name":"066635153087.dkr.ecr.il-central-1.amazonaws.com/amazon-k8s-cni:v1.19.2"},"start_time":"2025-07-28T22:21:44Z","pid":3635324,"maybe_exec_probe":true,"security_context":{}},"pod_labels":{"app.kubernetes.io/instance":"aws-vpc-cni","app.kubernetes.io/name":"aws-node","controller-revision-hash":"dfddff8c5","k8s-app":"aws-node","pod-template-generation":"1"},"workload":"aws-node","workload_kind":"DaemonSet"},"docker":"dc5b541d139c38ec01e485712f0eec3","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","tid":3502914,"in_init_tree":false},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","pid":3502900,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process2848112653 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/939f032732ee71076b86175deba715fc56e5cacb6047fb3602069bdbbfd21e45.pid dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","flags":"execve clone","start_time":"2025-08-14T20:42:47.439585277Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","tid":3502900,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","pid":3059,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2025-07-28T22:21:34.807485194Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":3059,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T20:42:47.459945318Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index 268418e2d3..a1b10f5d3b 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -1,5 +1,5 @@ name: Cisco Isovalent - Cron Job Creation -id: 45678901-defg-4567-hi23-456789012def +id: 94531a31-a041-4777-909f-cd92ed3b71ad version: 1 date: '2025-08-12' author: Bhavin Patel, Splunk @@ -54,3 +54,9 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + source: not_applicable + sourcetype: cisco:isovalent diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 3b8cfe83eb..3bf6c5bb4c 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -1,5 +1,5 @@ name: Cisco Isovalent - Curl Execution With Insecure Flags -id: ece07077-e577-42bb-a8d2-c3c102793723 +id: c16c4899-d3f7-461b-92c2-cc0ef5758855 version: 1 date: '2025-08-12' author: Bhavin Patel, Splunk @@ -58,8 +58,8 @@ tags: - Splunk Cloud security_domain: endpoint tests: - - name: True Positive Test - Cisco Isovalent Process Exec + - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent diff --git a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml b/detections/cloud/cisco_isovalent___detect_late_process_execution.yml new file mode 100644 index 0000000000..f8f2eb9863 --- /dev/null +++ b/detections/cloud/cisco_isovalent___detect_late_process_execution.yml @@ -0,0 +1,75 @@ +name: Cisco Isovalent - Detect Late Process Execution +id: 7f4b9b8e-5d6a-4a21-9e3f-0f1e8f2d1c3a +version: 1 +date: '2025-08-21' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: | + Detects process executions that occur well after a container has initialized, which can indicate + suspicious activity (e.g., interactive shells, injected binaries, or post-compromise tooling). + The analytic compares the process start time to the container start time and flags processes + launched more than 5 minutes (300 seconds) after initialization. +search: | + `cisco_isovalent` process_name="/bin/sh" + | rename process_exec.process.pod.container.name as ContainerName + | rename process_exec.process.start_time as ProcessStartTime + | rename process_exec.process.pod.container.start_time as ContainerStartTime + | eval ProcessStartTime=strptime(ProcessStartTime, "%Y-%m-%dT%H:%M:%S.%3Q") + | eval ContainerStartTime=strptime(ContainerStartTime, "%Y-%m-%dT%H:%M:%S.%9Q") + | eval ContainerTime5min=relative_time(ContainerStartTime, "+1m") + | where ProcessStartTime > ContainerTime5min + | table ContainerName, process_name, ProcessStartTime, ContainerTime5min | `security_content_ctime(ProcessStartTime)` + | `security_content_ctime(ContainerTime5min)` + | `cisco_isovalent___detect_late_process_execution_filter` +how_to_implement: | + This analytic relies on Cisco Isovalent/Tetragon process execution telemetry that includes both + process and container start timestamps. Ensure these logs are onboarded (e.g., via the Cisco Security + Cloud App) and mapped to the `cisco_isovalent` macro. Tune the 300-second threshold to your environment + and consider allowlisting known late-start maintenance or backup jobs. +known_false_positives: | + Legitimate scheduled tasks (cron jobs), health probes, or maintenance tooling may start well after + container initialization. Baseline common late-start processes and suppress as needed. +references: +- https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html +drilldown_searches: +- name: View the detection results for pod - "$ContainerName$" + search: '%original_detection_search% | search ContainerName = "$ContainerName$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Late process execution ($process_name$) detected in pod $ContainerName$ + risk_objects: + - field: ContainerName + type: system + score: 45 + threat_objects: [] +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1059 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + source: not_applicable + sourcetype: cisco:isovalent + diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml index 0d81c48da8..1acda6b908 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -57,6 +57,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml index 451bf698dc..edb9a10ac9 100644 --- a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -1,5 +1,5 @@ name: Cisco Isovalent - Nsenter Usage in Kubernetes Pod -id: 34567890-cdef-3456-gh12-345678901cde +id: cd07120d-4265-481a-ba0f-3b91fbc5a02f version: 1 date: '2025-08-12' author: Bhavin Patel, Splunk @@ -58,6 +58,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log source: cisco_isovalent sourcetype: cisco:isovalent From 4f78689f48a81583c342f86b1386fc0de9ac67d0 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 3 Sep 2025 09:32:53 -0700 Subject: [PATCH 05/37] stash a commit --- detections/cloud/cisco_isovalent___cron_job_creation.yml | 2 +- ...co_isovalent___curl_execution_with_insecure_flags.yml | 2 +- .../cisco_isovalent___detect_late_process_execution.yml | 9 ++++----- .../cloud/cisco_isovalent___detect_shell_execution.yml | 2 +- ...cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml | 2 +- ...co_isovalent.yml => cisco_isovalent_process_exec.yml} | 4 ++-- 6 files changed, 10 insertions(+), 11 deletions(-) rename macros/{cisco_isovalent.yml => cisco_isovalent_process_exec.yml} (65%) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index a1b10f5d3b..48a4476d16 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -9,7 +9,7 @@ data_source: status: production description: The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information. search: | - `cisco_isovalent` process_exec.process.binary="*/bin/cron" + `cisco_isovalent_process_exec` process_exec.process.binary="*/bin/cron" | stats count values(user.groups{}) as user_groups by process_exec.process.pod.name, process_exec.process.pod.namespace, process_exec.process.binary, process_exec.process.arguments, process_exec.process.start_time, process_exec.process.pod.container.image.name | rename process_exec.process.pod.name as PodName, process_exec.process.pod.namespace as Namespace, process_exec.process.binary as Binary, process_exec.process.arguments as Arguments, process_exec.process.start_time as StartTime, process_exec.process.pod.container.image.name as ImageName | `cisco_isovalent___cron_job_creation_filter` diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 3bf6c5bb4c..c5e3fcc0ca 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -9,7 +9,7 @@ data_source: status: production description: Detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. This analytic monitors for the use of the -k or --insecure flags, which may indicate attempts to bypass SSL/TLS verification, potentially exposing the system to man-in-the-middle attacks. search: | - `cisco_isovalent` process_exec.process.pod.name!="" + `cisco_isovalent_process_exec` process_exec.process.pod.name!="" (process_name="*curl") | regex process="(?i)(? Date: Wed, 3 Sep 2025 12:31:04 -0700 Subject: [PATCH 06/37] updating sourcetype and fields --- .../cisco_isovalent___cron_job_creation.yml | 22 +++++++++------- ...t___curl_execution_with_insecure_flags.yml | 26 +++++++++---------- ...valent___detect_late_process_execution.yml | 4 +-- ...sco_isovalent___detect_shell_execution.yml | 2 +- ...lent___nsenter_usage_in_kubernetes_pod.yml | 4 +-- 5 files changed, 30 insertions(+), 28 deletions(-) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index 48a4476d16..9eaaf0c1c5 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -9,9 +9,15 @@ data_source: status: production description: The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information. search: | - `cisco_isovalent_process_exec` process_exec.process.binary="*/bin/cron" - | stats count values(user.groups{}) as user_groups by process_exec.process.pod.name, process_exec.process.pod.namespace, process_exec.process.binary, process_exec.process.arguments, process_exec.process.start_time, process_exec.process.pod.container.image.name - | rename process_exec.process.pod.name as PodName, process_exec.process.pod.namespace as Namespace, process_exec.process.binary as Binary, process_exec.process.arguments as Arguments, process_exec.process.start_time as StartTime, process_exec.process.pod.container.image.name as ImageName + `cisco_isovalent_process_exec` process_exec.process.pod.name!="" process_name IN ("*/crond","*/cron","*/crontab") + OR process_exec.process.arguments="*-l*" OR process_exec.process.arguments="*-e*" + | stats count min(_time) as firstTime max(_time) as lastTime values(process_exec.process.arguments) as process + by process_exec.process.pod.name process_exec.process.pod.container.image.name + parent_process_name process_name cluster_name + | rename process_exec.process.pod.name as pod_name | rename process_exec.process.pod.container.image.name + as process_image_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `cisco_isovalent___cron_job_creation_filter` how_to_implement: The detection is based on data that originates from Cisco Isovalent logs. Ensure that logging is enabled in your Cisco Isovalent environment. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. known_false_positives: unknown @@ -33,15 +39,11 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Cisco Isovalent cron job creation detected in namespace $Namespace$ + message: Cisco Isovalent cron job creation detected in namespace $cluster_name$ risk_objects: - - field: Namespace + - field: cluster_name type: system score: 50 - threat_objects: - - field: PodName - type: pod - score: 50 threat_objects: [] tags: analytic_story: @@ -59,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log source: not_applicable - sourcetype: cisco:isovalent + sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index c5e3fcc0ca..1eedd0167e 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -9,16 +9,16 @@ data_source: status: production description: Detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. This analytic monitors for the use of the -k or --insecure flags, which may indicate attempts to bypass SSL/TLS verification, potentially exposing the system to man-in-the-middle attacks. search: | - `cisco_isovalent_process_exec` process_exec.process.pod.name!="" - (process_name="*curl") - | regex process="(?i)(? Date: Wed, 3 Sep 2025 14:00:53 -0700 Subject: [PATCH 07/37] updating detections --- detections/cloud/cisco_isovalent___cron_job_creation.yml | 2 +- ...isco_isovalent___curl_execution_with_insecure_flags.yml | 7 +++---- .../cisco_isovalent___detect_late_process_execution.yml | 4 +--- .../cloud/cisco_isovalent___detect_shell_execution.yml | 5 ++--- .../cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml | 3 +-- 5 files changed, 8 insertions(+), 13 deletions(-) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index 9eaaf0c1c5..f1f1d3c586 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -19,7 +19,7 @@ search: | | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_isovalent___cron_job_creation_filter` -how_to_implement: The detection is based on data that originates from Cisco Isovalent logs. Ensure that logging is enabled in your Cisco Isovalent environment. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. +how_to_implement: The detection is based on data that originates from Cisco Isovalent. Ensure that logging is enabled in your environment where Cisco Isovalent is installed. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. known_false_positives: unknown references: - https://isovalent.com diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 1eedd0167e..1d9f38b2be 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -7,7 +7,7 @@ type: Anomaly data_source: - Cisco Isovalent Process Exec status: production -description: Detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. This analytic monitors for the use of the -k or --insecure flags, which may indicate attempts to bypass SSL/TLS verification, potentially exposing the system to man-in-the-middle attacks. +description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. search: | `cisco_isovalent_process_exec` process_exec.process.pod.name!="" (process_name="*curl") | regex process="(?i)(? Date: Wed, 3 Sep 2025 14:03:41 -0700 Subject: [PATCH 08/37] textual updates --- stories/cisco_isovalent_suspicious_activity.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/stories/cisco_isovalent_suspicious_activity.yml b/stories/cisco_isovalent_suspicious_activity.yml index bf6848d515..617760fe9f 100644 --- a/stories/cisco_isovalent_suspicious_activity.yml +++ b/stories/cisco_isovalent_suspicious_activity.yml @@ -6,7 +6,9 @@ author: Bhavin Patel, Splunk status: production description: This analytics story focuses on identifying suspicious activities and potential security threats within environments using Cisco Isovalent. It provides detection rules and guidance to help security teams recognize signs of adversary tactics such as unauthorized access attempts, unusual network activity, and other behaviors indicative of potential compromise. narrative: | - Cisco Isovalent provides advanced networking and security capabilities for Kubernetes environments. However, attackers continue to develop techniques to exploit vulnerabilities and misconfigurations. This story brings together detections that highlight suspicious activity patterns in Isovalent-protected environments, such as unusual shell executions, anomalous network connections, and other indicators of potential compromise. By leveraging these detections, security teams can quickly identify and respond to threats targeting Kubernetes environments, reducing the risk of successful attacks and subsequent malicious activity. + Cisco Isovalent with Tetragon delivers kernel-level, eBPF-powered visibility that traditional logs miss, correlating process execution, file access, and network flows with Kubernetes workload identity (namespace, labels, pod/container) and full process ancestry. This depth enables reliable detection of real-world Kubernetes threats, including container escapes (nsenter/host mounts), ServiceAccount token theft and API abuse, IMDS credential access, kubectl-in-container misuse, DGA/C2 beacons over trusted SaaS (GitHub, Pastebin, Discord), insecure curl usage (-k/--insecure), cron-based persistence, crypto‑mining, scanner/supply-chain image pulls, and privileged/hostPath abuse. + + By continuously observing process_exec and L7 DNS/HTTP activity tied to specific pods and deployments, these detections surface late process launches, anomalous shells, and suspicious outbound connections that deviate from normal workload behavior—accelerating triage and response, reducing dwell time, and shrinking blast radius across Kubernetes environments. references: - https://isovalent.com - https://tetragon.io From fd21a77af353d80bac4073d177c86ba67262e278 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 3 Sep 2025 14:29:50 -0700 Subject: [PATCH 09/37] new detection for sus images --- ...cisco_isovalent___suspicious_image_use.yml | 66 +++++++++++++++++++ macros/cisco_isovalent_allowed_images.yml | 3 + 2 files changed, 69 insertions(+) create mode 100644 detections/cloud/cisco_isovalent___suspicious_image_use.yml create mode 100644 macros/cisco_isovalent_allowed_images.yml diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml new file mode 100644 index 0000000000..5defda5cd0 --- /dev/null +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -0,0 +1,66 @@ +name: Cisco Isovalent - Suspicious Image Use +id: 9f2b7b1d-6c2f-4f2d-9a8b-8a1d7c5f2e11 +version: 1 +date: '2025-08-21' +author: Bhavin Patel, Splunk +status: production +type: Anomaly +description: | + Detects use of container images that are not in an approved allowlist by leveraging + Cisco Isovalent/Tetragon runtime telemetry. This may indicate deployment of unvetted + or malicious software, image pull from untrusted registries, or supply‑chain abuse. +data_source: +- Cisco Isovalent Process Exec +search: | + `cisco_isovalent` process_exec.process.pod.name!="" + | eval ImageName=process_exec.process.pod.container.image.name + | eval Namespace=process_exec.process.pod.namespace, PodName=process_exec.process.pod.name + | search NOT `cisco_isovalent_allowed_images` + | stats count min(_time) as firstTime max(_time) as lastTime by ImageName Namespace PodName process_exec.process.binary + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___suspicious_image_use_filter` +how_to_implement: | + Ensure Cisco Isovalent/Tetragon process execution logs are ingested and mapped to the + `cisco_isovalent` macro. Create and maintain an environment‑specific macro named + `cisco_isovalent_allowed_images` that returns true for approved images, for example: + (ImageName="gcr.io/org/app:*" OR ImageName="registry.local/*" OR ImageName="myco/*"). + The search alerts on images NOT matching that allowlist. Tune by namespace or team as needed. +known_false_positives: | + New legitimate images during rollouts or blue/green deployments may appear until the allowlist + is updated. Coordinate with platform/DevOps teams to synchronize allowlist changes. +references: +- https://tetragon.io +- https://isovalent.com +drilldown_searches: +- name: View results for image - "$ImageName$" + search: '%original_detection_search% | search ImageName = "$ImageName$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Suspicious (non‑allowlisted) image $ImageName$ used by pod $PodName$ in namespace $Namespace$ + risk_objects: + - field: ImageName + type: image + score: 45 + threat_objects: + - field: PodName + type: pod +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Kubernetes + mitre_attack_id: + - T1526 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + sourcetype: cisco:isovalent + source: cisco_isovalent + diff --git a/macros/cisco_isovalent_allowed_images.yml b/macros/cisco_isovalent_allowed_images.yml new file mode 100644 index 0000000000..971ab75b51 --- /dev/null +++ b/macros/cisco_isovalent_allowed_images.yml @@ -0,0 +1,3 @@ +definition: ImageName IN ("docker.io/library/ubuntu:22.04") +description: List of image names which are allowed to be used in the Cisco Isovalent environment. +name: cisco_isovalent_allowed_images From fd5f7c27a3d6c7c390463bc037bb24d9bce312c0 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 3 Sep 2025 14:50:39 -0700 Subject: [PATCH 10/37] udpating fields --- .../cisco_isovalent___cron_job_creation.yml | 12 ++--- ...t___curl_execution_with_insecure_flags.yml | 10 ++-- ...valent___detect_late_process_execution.yml | 16 +++--- ...sco_isovalent___detect_shell_execution.yml | 15 +++--- ...lent___nsenter_usage_in_kubernetes_pod.yml | 15 +++--- ...cisco_isovalent___suspicious_image_use.yml | 49 +++++++++++++------ 6 files changed, 69 insertions(+), 48 deletions(-) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index f1f1d3c586..9e7cdd5599 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -25,12 +25,12 @@ references: - https://isovalent.com - https://tetragon.io drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search user = "$pod_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -39,9 +39,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Cisco Isovalent cron job creation detected in namespace $cluster_name$ + message: cron job creation detected in pod $pod_name$ in the cluster $cluster_name$ risk_objects: - - field: cluster_name + - field: pod_name type: system score: 50 threat_objects: [] diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 1d9f38b2be..5642848702 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -25,12 +25,12 @@ references: - https://isovalent.com - https://tetragon.io drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,7 +41,7 @@ drilldown_searches: rba: message: A curl execution with insecure flags has been detected on pod_name $pod_name$ in the cluster $cluster_name$ risk_objects: - - field: cluster_name + - field: pod_name type: system score: 45 threat_objects: [] diff --git a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml b/detections/cloud/cisco_isovalent___detect_late_process_execution.yml index cbe168c32a..ca065cef43 100644 --- a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_late_process_execution.yml @@ -14,14 +14,14 @@ description: | launched more than 5 minutes (300 seconds) after initialization. search: | `cisco_isovalent_process_exec` process_name="/bin/sh" - | rename process_exec.process.pod.container.name as ContainerName + | rename process_exec.process.pod.container.name as pod_name | rename process_exec.process.start_time as ProcessStartTime | rename process_exec.process.pod.container.start_time as ContainerStartTime | eval ProcessStartTime=strptime(ProcessStartTime, "%Y-%m-%dT%H:%M:%S.%3Q") | eval ContainerStartTime=strptime(ContainerStartTime, "%Y-%m-%dT%H:%M:%S.%9Q") | eval ContainerTime5min=relative_time(ContainerStartTime, "+1m") | where ProcessStartTime > ContainerTime5min - | table ContainerName, process_name, ProcessStartTime, ContainerTime5min | `security_content_ctime(ProcessStartTime)` + | table pod_name, process_name, ProcessStartTime, ContainerTime5min | `security_content_ctime(ProcessStartTime)` | `security_content_ctime(ContainerTime5min)` | `cisco_isovalent___detect_late_process_execution_filter` how_to_implement: | @@ -33,12 +33,12 @@ known_false_positives: | references: - https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html drilldown_searches: -- name: View the detection results for pod - "$ContainerName$" - search: '%original_detection_search% | search ContainerName = "$ContainerName$"' +- name: View the detection results for pod - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -47,9 +47,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Late process execution ($process_name$) detected in pod $ContainerName$ + message: Late process execution ($process_name$) detected in pod $pod_name$ risk_objects: - - field: ContainerName + - field: pod_name type: system score: 45 threat_objects: [] diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml index b20d65fc63..dab131e4d2 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -11,23 +11,24 @@ description: The following analytic detects the execution of a shell inside a co search: | `cisco_isovalent_process_exec` process_exec.process.pod.name!="" (process_exec.process.binary="*/bin/sh" OR process_exec.process.binary="*/bin/bash") + | rename process_exec.process.pod.container.name as pod_name | rename process_exec.process.pod.namespace as WorkloadNamespace | rename process_exec.process.pod.labels{} as WorkloadLabels | rename process_exec.ancestors{}.binary as WorkloadAncestorsBinary | eval WorkloadAncestorsBinary=mvjoin(WorkloadAncestorsBinary, " <- ") | eval WorkloadLabels=mvjoin(WorkloadLabels, "; ") - | stats count by WorkloadNamespace, process_exec.process.binary, process_exec.parent.binary, WorkloadAncestorsBinary | `cisco_isovalent___detect_shell_execution_filter` + | stats count by pod_name WorkloadNamespace, process_exec.process.binary, process_exec.parent.binary, WorkloadAncestorsBinary | `cisco_isovalent___detect_shell_execution_filter` how_to_implement: The detection is based on data that originates from Cisco Isovalent. Ensure that logging is enabled in your environment where Cisco Isovalent is installed. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. known_false_positives: Shell scripts executed by legitimate users or automated processes. references: - https://www.sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -36,9 +37,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A shell execution has been detected by user on container pod namespace $WorkloadNamespace$ + message: A shell execution has been detected by user on container pod namespace $pod_name$ risk_objects: - - field: WorkloadNamespace + - field: pod_name type: system score: 49 threat_objects: [] diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml index 66eb828797..95328c8922 100644 --- a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -11,24 +11,25 @@ description: The following analytic detects execution of nsenter from within a c search: | `cisco_isovalent_process_exec` process_exec.process.binary IN ("/usr/bin/nsenter","/bin/nsenter","nsenter") OR process_exec.process.args="--mount=/host/proc/1/ns/mnt" + | rename process_exec.process.pod.container.name as pod_name | rename process_exec.process.pod.namespace as WorkloadNamespace | rename process_exec.process.pod.labels{} as WorkloadLabels | rename process_exec.ancestors{}.binary as WorkloadAncestorsBinary | eval WorkloadAncestorsBinary=mvjoin(WorkloadAncestorsBinary, " <- ") | eval WorkloadLabels=mvjoin(WorkloadLabels, "; ") - | stats count by WorkloadNamespace, process_exec.process.binary, process_exec.parent.binary, WorkloadAncestorsBinary | `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter` + | stats count by pod_name WorkloadNamespace, process_exec.process.binary, process_exec.parent.binary, WorkloadAncestorsBinary | `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter` how_to_implement: The detection is based on data that originates from Cisco Isovalent. Ensure that logging is enabled in your environment where Cisco Isovalent is installed. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. known_false_positives: Legitimate use of nsenter for administrative purposes. references: - https://isovalent.com/blog/post/2021-11-container-escape/ - https://kubehound.io/reference/attacks/CE_NSENTER/ drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search user = "$pod_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -37,9 +38,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: An nsenter escape attempt has been detected by user on container pod namespace $WorkloadNamespace$ + message: An nsenter escape attempt has been detected by user on container pod - $pod_name$ risk_objects: - - field: WorkloadNamespace + - field: pod_name type: system score: 50 threat_objects: [] diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml index 5defda5cd0..a0408c5304 100644 --- a/detections/cloud/cisco_isovalent___suspicious_image_use.yml +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -6,17 +6,29 @@ author: Bhavin Patel, Splunk status: production type: Anomaly description: | - Detects use of container images that are not in an approved allowlist by leveraging - Cisco Isovalent/Tetragon runtime telemetry. This may indicate deployment of unvetted - or malicious software, image pull from untrusted registries, or supply‑chain abuse. + The following analytic detects use of container images that fall outside an approved + allowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and + workload identity). Adversaries commonly introduce untrusted or newly published + images to deploy tooling, establish persistence, or abuse supply‑chain trust. This + behavior may indicate image pulls from unauthorized registries, execution of + unvetted software, or a drift from established deployment baselines. Extra scrutiny + is warranted for namespaces and workloads that normally source images from restricted + registries, and for pods that suddenly begin running images outside expected + prefixes. + + Maintain an environment‑specific allowlist via the macro `cisco_isovalent_allowed_images` + (for example, allow trusted registries/prefixes such as ImageName="gcr.io/org/*", + "registry.local/*", or "myco/*") and keep it updated as new baseline images are + introduced. This analytic alerts on images NOT matching the allowlist. data_source: - Cisco Isovalent Process Exec search: | - `cisco_isovalent` process_exec.process.pod.name!="" - | eval ImageName=process_exec.process.pod.container.image.name - | eval Namespace=process_exec.process.pod.namespace, PodName=process_exec.process.pod.name + `cisco_isovalent_process_exec` process_exec.process.pod.name!="" + | rename process_exec.process.pod.container.image.name as ImageName + | rename process_exec.process.pod.namespace as Namespace + | rename process_exec.process.pod.name as pod_name | search NOT `cisco_isovalent_allowed_images` - | stats count min(_time) as firstTime max(_time) as lastTime by ImageName Namespace PodName process_exec.process.binary + | stats count min(_time) as firstTime max(_time) as lastTime by ImageName Namespace pod_name process_name cluster_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_isovalent___suspicious_image_use_filter` @@ -33,19 +45,26 @@ references: - https://tetragon.io - https://isovalent.com drilldown_searches: -- name: View results for image - "$ImageName$" - search: '%original_detection_search% | search ImageName = "$ImageName$"' +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search user = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Suspicious (non‑allowlisted) image $ImageName$ used by pod $PodName$ in namespace $Namespace$ + message: Suspicious (non‑allowlisted) image $ImageName$ used by pod $pod_name$ in namespace $Namespace$ in the cluster $cluster_name$ risk_objects: - - field: ImageName - type: image + - field: pod_name + type: system score: 45 - threat_objects: - - field: PodName - type: pod + threat_objects: [] tags: analytic_story: - Cisco Isovalent Suspicious Activity From ed3bc02090f8fe10e01ddf8a73463354d775fc1b Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 3 Sep 2025 15:53:21 -0700 Subject: [PATCH 11/37] adding new search --- ...ovalent___pods_running_offensive_tools.yml | 65 +++++++++++++++++++ macros/cisco_isovalent_allowed_images.yml | 2 +- 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml diff --git a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml new file mode 100644 index 0000000000..dd9d38bdc7 --- /dev/null +++ b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml @@ -0,0 +1,65 @@ +name: Cisco Isovalent - Pods Running Offensive Tools +id: e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e +version: 1 +date: '2025-08-21' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates, and mimikatz.exe). Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity. +search: | + `cisco_isovalent_process_exec` process_exec.process.pod.name!="" process_name IN ("*nmap", "*masscan", "*zmap", "*impacket-", "*hashcat", "*SharpHound", "*kube-hunter", "*peirates", "*mimikatz.exe") + | stats count min(_time) as firstTime max(_time) as lastTime values(process_exec.process.arguments) as process + by process_exec.process.pod.name parent_process_name process_name cluster_name process_exec.process.pod.container.name + | rename process_exec.process.pod.name as pod_name + process_exec.process.pod.container.name as container_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___pods_running_offensive_tools_filter` +how_to_implement: The detection is based on Cisco Isovalent/Tetragon process execution logs. Ensure telemetry is ingested via the Cisco Security Cloud App and mapped to the `cisco_isovalent_process_exec` macro. Tune by namespace or team, and consider allowlisting approved diagnostic images to reduce noise. +known_false_positives: Security testing, approved red team exercises, or sanctioned diagnostics can trigger this analytic. Coordinate allowlists and maintenance windows with platform/SecOps teams. +references: +- https://isovalent.com +- https://tetragon.io +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Offensive tool execution ($process_name$) detected in pod $pod_name$ on cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 48 + threat_objects: [] +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1046 + - T1033 + - T1003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec + diff --git a/macros/cisco_isovalent_allowed_images.yml b/macros/cisco_isovalent_allowed_images.yml index 971ab75b51..21a3b43c4c 100644 --- a/macros/cisco_isovalent_allowed_images.yml +++ b/macros/cisco_isovalent_allowed_images.yml @@ -1,3 +1,3 @@ definition: ImageName IN ("docker.io/library/ubuntu:22.04") description: List of image names which are allowed to be used in the Cisco Isovalent environment. -name: cisco_isovalent_allowed_images +name: cisco_isovalent_allowed_images \ No newline at end of file From d602c7efbf39e2326f267851380fc7bc6d95a6f2 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 15 Sep 2025 13:18:35 -0700 Subject: [PATCH 12/37] testing TA --- data_sources/cisco_isovalent_process_exec.yml | 4 ++++ .../cisco_isovalent___curl_execution_with_insecure_flags.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml index d510014a03..7fdd4bdb75 100644 --- a/data_sources/cisco_isovalent_process_exec.yml +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -10,6 +10,10 @@ mitre_components: - Kubernetes Monitoring source: cisco_isovalent sourcetype: cisco:isovalent +supported_TA: +- name: Cisco Networks Add-on + url: https://splunkbase.splunk.com/app/1467 + version: 2.7.8 fields: - _bkt - _cd diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 5642848702..3d0f34f19d 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -7,7 +7,7 @@ type: Anomaly data_source: - Cisco Isovalent Process Exec status: production -description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. + description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. search: | `cisco_isovalent_process_exec` process_exec.process.pod.name!="" (process_name="*curl") | regex process="(?i)(? Date: Mon, 15 Sep 2025 13:24:50 -0700 Subject: [PATCH 13/37] space --- .../cisco_isovalent___curl_execution_with_insecure_flags.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 3d0f34f19d..7af8c8edf3 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -7,7 +7,7 @@ type: Anomaly data_source: - Cisco Isovalent Process Exec status: production - description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. +description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. search: | `cisco_isovalent_process_exec` process_exec.process.pod.name!="" (process_name="*curl") | regex process="(?i)(? Date: Mon, 15 Sep 2025 13:32:35 -0700 Subject: [PATCH 14/37] fixing sourcetype --- data_sources/cisco_isovalent_process_exec.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml index 7fdd4bdb75..40ead012c5 100644 --- a/data_sources/cisco_isovalent_process_exec.yml +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -8,8 +8,8 @@ mitre_components: - Process Execution - Container Monitoring - Kubernetes Monitoring -source: cisco_isovalent -sourcetype: cisco:isovalent +source: not_applicable +sourcetype: cisco:isovalent:processExec supported_TA: - name: Cisco Networks Add-on url: https://splunkbase.splunk.com/app/1467 From a50280d606a618d4a936f15fe9b178541d1825bd Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 16 Sep 2025 14:15:43 -0700 Subject: [PATCH 15/37] updating detection and dataset --- .../cisco_isovalent___cron_job_creation.yml | 16 +++++------ ...t___curl_execution_with_insecure_flags.yml | 13 ++++----- ...valent___detect_late_process_execution.yml | 19 +++++-------- ...sco_isovalent___detect_shell_execution.yml | 27 +++++++------------ ...lent___nsenter_usage_in_kubernetes_pod.yml | 4 +-- ...ovalent___pods_running_offensive_tools.yml | 2 +- ...cisco_isovalent___suspicious_image_use.yml | 11 ++------ 7 files changed, 35 insertions(+), 57 deletions(-) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index 9e7cdd5599..d137265e56 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -9,14 +9,14 @@ data_source: status: production description: The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information. search: | - `cisco_isovalent_process_exec` process_exec.process.pod.name!="" process_name IN ("*/crond","*/cron","*/crontab") - OR process_exec.process.arguments="*-l*" OR process_exec.process.arguments="*-e*" - | stats count min(_time) as firstTime max(_time) as lastTime values(process_exec.process.arguments) as process - by process_exec.process.pod.name process_exec.process.pod.container.image.name - parent_process_name process_name cluster_name - | rename process_exec.process.pod.name as pod_name | rename process_exec.process.pod.container.image.name - as process_image_name - | `security_content_ctime(firstTime)` + `cisco_isovalent_process_exec` process_name IN ("crond","cron","crontab") + | search pod_name!="" + | stats count + min(_time) as firstTime + max(_time) as lastTime + values(process) as process + by cluster_name pod_name parent_process_name process_name process_exec process_id node_name + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_isovalent___cron_job_creation_filter` how_to_implement: The detection is based on data that originates from Cisco Isovalent. Ensure that logging is enabled in your environment where Cisco Isovalent is installed. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 7af8c8edf3..506ab11809 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -9,18 +9,15 @@ data_source: status: production description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. search: | - `cisco_isovalent_process_exec` process_exec.process.pod.name!="" (process_name="*curl") + `cisco_isovalent_process_exec` process_name="curl" | regex process="(?i)(? ContainerTime5min - | table pod_name, process_name, ProcessStartTime, ContainerTime5min | `security_content_ctime(ProcessStartTime)` - | `security_content_ctime(ContainerTime5min)` + | table node_name cluster_name, pod_name, container_id, process_name, process_exec, process, ProcessStartTime, ContainerTime5min | `security_content_ctime(ProcessStartTime)` + | `security_content_ctime(ContainerTime5min)` | `cisco_isovalent___detect_late_process_execution_filter` -how_to_implement: | - how_to_implement: The detection is based on data that originates from Cisco Isovalent. Ensure that logging is enabled in your environment where Cisco Isovalent is installed. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. Tune the 300-second threshold to your environment - and consider allowlisting known late-start maintenance or backup jobs. -known_false_positives: | - Legitimate scheduled tasks (cron jobs), health probes, or maintenance tooling may start well after - container initialization. Baseline common late-start processes and suppress as needed. +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. references: - https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html drilldown_searches: @@ -69,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent_process_exec_delayed_shell.log source: not_applicable - sourcetype: cisco:isovalent:processExec \ No newline at end of file + sourcetype: cisco:isovalent \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml index dab131e4d2..186a7a07b2 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -9,26 +9,19 @@ data_source: status: production description: The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell (sh or bash) inside a container namespace. This behavior is significant for a SOC as it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity. search: | - `cisco_isovalent_process_exec` process_exec.process.pod.name!="" - (process_exec.process.binary="*/bin/sh" OR process_exec.process.binary="*/bin/bash") - | rename process_exec.process.pod.container.name as pod_name - | rename process_exec.process.pod.namespace as WorkloadNamespace - | rename process_exec.process.pod.labels{} as WorkloadLabels - | rename process_exec.ancestors{}.binary as WorkloadAncestorsBinary - | eval WorkloadAncestorsBinary=mvjoin(WorkloadAncestorsBinary, " <- ") - | eval WorkloadLabels=mvjoin(WorkloadLabels, "; ") - | stats count by pod_name WorkloadNamespace, process_exec.process.binary, process_exec.parent.binary, WorkloadAncestorsBinary | `cisco_isovalent___detect_shell_execution_filter` -how_to_implement: The detection is based on data that originates from Cisco Isovalent. Ensure that logging is enabled in your environment where Cisco Isovalent is installed. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. -known_false_positives: Shell scripts executed by legitimate users or automated processes. + `cisco_isovalent_process_exec` process_name IN ("sh", "bash", "pwsh", "zsh") + | stats count by cluster_name parent_process_name process_name process_exec process_id node_name | `cisco_isovalent___detect_shell_execution_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. references: - https://www.sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco drilldown_searches: -- name: View the detection results for - "$pod_name$" - search: '%original_detection_search% | search pod_name = "$pod_name$"' +- name: View the detection results for - "$node_name$" + search: '%original_detection_search% | search node_name = "$node_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$pod_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") +- name: View risk events for the last 7 days for - "$node_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$node_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -37,9 +30,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A shell execution has been detected by user on container pod namespace $pod_name$ + message: A shell execution has been detected by user on container pod namespace $node_name$ risk_objects: - - field: pod_name + - field: node_name type: system score: 49 threat_objects: [] diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml index 95328c8922..1c2ebf3b08 100644 --- a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -18,8 +18,8 @@ search: | | eval WorkloadAncestorsBinary=mvjoin(WorkloadAncestorsBinary, " <- ") | eval WorkloadLabels=mvjoin(WorkloadLabels, "; ") | stats count by pod_name WorkloadNamespace, process_exec.process.binary, process_exec.parent.binary, WorkloadAncestorsBinary | `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter` -how_to_implement: The detection is based on data that originates from Cisco Isovalent. Ensure that logging is enabled in your environment where Cisco Isovalent is installed. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. -known_false_positives: Legitimate use of nsenter for administrative purposes. +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: It is highly unlikely that nsenter will be used in a legitimate way, investigate the alert in context to rule out benign operations. references: - https://isovalent.com/blog/post/2021-11-container-escape/ - https://kubehound.io/reference/attacks/CE_NSENTER/ diff --git a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml index dd9d38bdc7..f480257a70 100644 --- a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml +++ b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml @@ -17,7 +17,7 @@ search: | | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_isovalent___pods_running_offensive_tools_filter` -how_to_implement: The detection is based on Cisco Isovalent/Tetragon process execution logs. Ensure telemetry is ingested via the Cisco Security Cloud App and mapped to the `cisco_isovalent_process_exec` macro. Tune by namespace or team, and consider allowlisting approved diagnostic images to reduce noise. +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. known_false_positives: Security testing, approved red team exercises, or sanctioned diagnostics can trigger this analytic. Coordinate allowlists and maintenance windows with platform/SecOps teams. references: - https://isovalent.com diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml index a0408c5304..3eb6f2ef94 100644 --- a/detections/cloud/cisco_isovalent___suspicious_image_use.yml +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -32,15 +32,8 @@ search: | | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_isovalent___suspicious_image_use_filter` -how_to_implement: | - Ensure Cisco Isovalent/Tetragon process execution logs are ingested and mapped to the - `cisco_isovalent` macro. Create and maintain an environment‑specific macro named - `cisco_isovalent_allowed_images` that returns true for approved images, for example: - (ImageName="gcr.io/org/app:*" OR ImageName="registry.local/*" OR ImageName="myco/*"). - The search alerts on images NOT matching that allowlist. Tune by namespace or team as needed. -known_false_positives: | - New legitimate images during rollouts or blue/green deployments may appear until the allowlist - is updated. Coordinate with platform/DevOps teams to synchronize allowlist changes. +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. Create and maintain an environment‑specific macro named`cisco_isovalent_allowed_images` that returns true for approved images, for example:(ImageName="gcr.io/org/app:*" OR ImageName="registry.local/*" OR ImageName="myco/*"). The search alerts on images NOT matching that allowlist. Tune by namespace or team as needed. +known_false_positives: New legitimate images during rollouts or blue/green deployments may appear until the allowlist is updated. Coordinate with platform/DevOps teams to synchronize allowlist changes. references: - https://tetragon.io - https://isovalent.com From b6058aa2cbbc2503c1c271f3a02f60882e20865a Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 17 Sep 2025 10:55:58 -0700 Subject: [PATCH 16/37] updates to all files --- .../cisco_isovalent___cron_job_creation.yml | 6 +++--- ...t___curl_execution_with_insecure_flags.yml | 2 +- ...valent___detect_late_process_execution.yml | 2 +- ...sco_isovalent___detect_shell_execution.yml | 2 +- ...lent___nsenter_usage_in_kubernetes_pod.yml | 20 ++++++++++--------- ...ovalent___pods_running_offensive_tools.yml | 11 +++++----- ...cisco_isovalent___suspicious_image_use.yml | 10 +++------- macros/cisco_isovalent_allowed_images.yml | 4 ++-- 8 files changed, 28 insertions(+), 29 deletions(-) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index d137265e56..8e48aaa176 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -19,8 +19,8 @@ search: | | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_isovalent___cron_job_creation_filter` -how_to_implement: The detection is based on data that originates from Cisco Isovalent. Ensure that logging is enabled in your environment where Cisco Isovalent is installed. These logs provide a record of the process execution events, which is crucial for monitoring and detecting suspicious activities. Use the Cisco Security Cloud App to collect the logs. -known_false_positives: unknown +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. references: - https://isovalent.com - https://tetragon.io @@ -59,6 +59,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent_process_exec/cisco_isovalent_process_exec.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 506ab11809..2aa6979cb4 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -7,7 +7,7 @@ type: Anomaly data_source: - Cisco Isovalent Process Exec status: production -description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. +description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. search: | `cisco_isovalent_process_exec` process_name="curl" | regex process="(?i)(? Date: Wed, 17 Sep 2025 12:21:27 -0700 Subject: [PATCH 17/37] updating isovalent detections --- .../cloud/cisco_isovalent___suspicious_image_use.yml | 12 ++++++++---- detections/endpoint/linux_add_user_account.yml | 11 +++++++++-- .../linux_adding_crontab_using_list_parameter.yml | 12 +++++++++--- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml index 6be741cb71..e1fc91aea6 100644 --- a/detections/cloud/cisco_isovalent___suspicious_image_use.yml +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -23,8 +23,12 @@ description: | data_source: - Cisco Isovalent Process Exec search: | - `cisco_isovalent_process_exec` - | stats count min(_time) as firstTime max(_time) as lastTime by ImageName Namespace pod_name process_name cluster_name + `cisco_isovalent_process_exec` pod_name!="" + | search NOT `cisco_isovalent_allowed_images` + | stats count + min(_time) as firstTime + max(_time) as lastTime + by pod_image_name pod_namespace pod_name process_name cluster_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_isovalent___suspicious_image_use_filter` @@ -69,6 +73,6 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log - sourcetype: cisco:isovalent - source: cisco_isovalent + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index 2443b5505f..5a59e33989 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml @@ -1,8 +1,8 @@ name: Linux Add User Account id: 51fbcaf2-6259-11ec-b0f3-acde48001122 -version: 7 +version: 8 date: '2025-05-02' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting description: The following analytic detects the creation of new user accounts on Linux @@ -14,6 +14,7 @@ description: The following analytic detects the creation of new user accounts on the system, posing a severe security risk. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd *", "*adduser *") by Processes.action Processes.dest Processes.original_file_name @@ -40,6 +41,7 @@ tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1136.001 @@ -54,3 +56,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 8d4713d014..7429512f38 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -1,8 +1,8 @@ name: Linux Adding Crontab Using List Parameter id: 52f6d751-1fd4-4c74-a4c9-777ecfeb5c58 -version: 7 -date: '2025-05-02' -author: Teoderick Contreras, Splunk +version: 8 +date: '2025-09-17' +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting description: The following analytic detects suspicious modifications to cron jobs @@ -40,6 +40,7 @@ references: - https://cert.gov.ua/article/39518 tags: analytic_story: + - Cisco Isovalent Suspicious Activity - Industroyer2 - Linux Privilege Escalation - Linux Living Off The Land @@ -61,3 +62,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec From be1c3855ec6d44a3033caac1cba31e0cea8ec222 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 17 Sep 2025 12:56:06 -0700 Subject: [PATCH 18/37] updating dataset --- .../endpoint/linux_apt_get_privilege_escalation.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index 528f624ef3..96369a721a 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -1,8 +1,8 @@ name: Linux apt-get Privilege Escalation id: d870ce3b-e796-402f-b2af-cab4da1223f2 -version: 9 -date: '2025-05-02' -author: Gowthamaraj Rajendran, Splunk +version: 10 +date: '2025-09-17' +author: Gowthamaraj Rajendran, Bhavin Patel, Splunk status: production type: Anomaly description: The following analytic detects the execution of the 'apt-get' command @@ -15,6 +15,7 @@ description: The following analytic detects the execution of the 'apt-get' comma compromise the entire system. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt-get*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" @@ -82,3 +83,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file From 1bd337d8181e627b94d5c96d5cae3e0ca600f96b Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 30 Sep 2025 13:34:53 -0700 Subject: [PATCH 19/37] updating two detections --- .../cloud/cisco_isovalent___suspicious_image_use.yml | 2 +- detections/endpoint/linux_at_application_execution.yml | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml index e1fc91aea6..f5dedcc682 100644 --- a/detections/cloud/cisco_isovalent___suspicious_image_use.yml +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -52,7 +52,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Suspicious (non‑allowlisted) image $ImageName$ used by pod $pod_name$ in namespace $Namespace$ in the cluster $cluster_name$ + message: Suspicious (non‑allowlisted) image $pod_image_name$ used by pod $pod_name$ in namespace $Namespace$ in the cluster $cluster_name$ risk_objects: - field: pod_name type: system diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 414ef6080d..f0d5c5b02a 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -1,8 +1,8 @@ name: Linux At Application Execution id: bf0a378e-5f3c-11ec-a6de-acde48001122 -version: 8 +version: 9 date: '2025-05-02' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Anomaly description: The following analytic detects the execution of the "At" application @@ -80,3 +80,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec From e8d629297d0ca19a18f1f29b195aea82c97a60ae Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 30 Sep 2025 14:43:32 -0700 Subject: [PATCH 20/37] yaml fixes --- detections/cloud/cisco_isovalent___cron_job_creation.yml | 9 ++++++--- ...co_isovalent___curl_execution_with_insecure_flags.yml | 8 +++++--- .../cisco_isovalent___detect_late_process_execution.yml | 4 +++- .../cloud/cisco_isovalent___detect_shell_execution.yml | 4 +++- ...cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml | 4 +++- .../cisco_isovalent___pods_running_offensive_tools.yml | 8 +++++--- .../cloud/cisco_isovalent___suspicious_image_use.yml | 8 +++++--- detections/endpoint/linux_auditd_auditd_daemon_abort.yml | 2 +- detections/endpoint/potential_password_in_username.yml | 2 +- stories/cisco_isovalent_suspicious_activity.yml | 9 +++++---- 10 files changed, 37 insertions(+), 21 deletions(-) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index 8e48aaa176..4a856b81fc 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -22,8 +22,9 @@ search: | how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. references: -- https://isovalent.com -- https://tetragon.io +- https://attack.mitre.org/techniques/T1053/003/ +- https://medium.com/@bag0zathev2/cronjobs-for-hackers-bugbounty-article-7d51588d0fd5 +- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ drilldown_searches: - name: View the detection results for - "$pod_name$" search: '%original_detection_search% | search user = "$pod_name$"' @@ -44,7 +45,9 @@ rba: - field: pod_name type: system score: 50 - threat_objects: [] + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Cisco Isovalent Suspicious Activity diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 2aa6979cb4..288295a7c8 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -19,8 +19,8 @@ search: | how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. references: -- https://isovalent.com -- https://tetragon.io +- https://rawcode7.medium.com/understanding-the-kubernetes-attack-surface-9a48ebcb6bc4 +- https://www.tutorialworks.com/kubernetes-curl/ drilldown_searches: - name: View the detection results for - "$pod_name$" search: '%original_detection_search% | search pod_name = "$pod_name$"' @@ -41,7 +41,9 @@ rba: - field: pod_name type: system score: 45 - threat_objects: [] + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Cisco Isovalent Suspicious Activity diff --git a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml b/detections/cloud/cisco_isovalent___detect_late_process_execution.yml index e56cc0d36e..642b74cdde 100644 --- a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_late_process_execution.yml @@ -47,7 +47,9 @@ rba: - field: pod_name type: system score: 45 - threat_objects: [] + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Cisco Isovalent Suspicious Activity diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml index 0883a2aad0..4790eb2212 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -35,7 +35,9 @@ rba: - field: node_name type: system score: 49 - threat_objects: [] + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Cisco Isovalent Suspicious Activity diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml index 65063dbe03..96bcc8682a 100644 --- a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -45,7 +45,9 @@ rba: - field: pod_name type: system score: 50 - threat_objects: [] + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Cisco Isovalent Suspicious Activity diff --git a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml index 52f0bcd11d..43a2349df1 100644 --- a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml +++ b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml @@ -21,8 +21,8 @@ search: | how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. known_false_positives: Security testing, approved red team exercises, or sanctioned diagnostics can trigger this analytic. Coordinate allowlists and maintenance windows with platform/SecOps teams. references: -- https://isovalent.com -- https://tetragon.io +- https://dev.to/thenjdevopsguy/attacking-a-kubernetes-cluster-enter-red-team-mode-2onj +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ drilldown_searches: - name: View the detection results for - "$pod_name$" search: '%original_detection_search% | search pod_name = "$pod_name$"' @@ -43,7 +43,9 @@ rba: - field: pod_name type: system score: 48 - threat_objects: [] + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Cisco Isovalent Suspicious Activity diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml index f5dedcc682..2cff8b302e 100644 --- a/detections/cloud/cisco_isovalent___suspicious_image_use.yml +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -35,8 +35,8 @@ search: | how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. Create and maintain an environment‑specific macro named`cisco_isovalent_allowed_images` that returns true for approved images, for example:(ImageName="gcr.io/org/app:*" OR ImageName="registry.local/*" OR ImageName="myco/*"). The search alerts on images NOT matching that allowlist. Tune by namespace or team as needed. known_false_positives: New legitimate images during rollouts or blue/green deployments may appear until the allowlist is updated. Coordinate with platform/DevOps teams to synchronize allowlist changes. references: -- https://tetragon.io -- https://isovalent.com +- https://dev.to/thenjdevopsguy/attacking-a-kubernetes-cluster-enter-red-team-mode-2onj +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ drilldown_searches: - name: View the detection results for - "$pod_name$" search: '%original_detection_search% | search user = "$pod_name$"' @@ -57,7 +57,9 @@ rba: - field: pod_name type: system score: 45 - threat_objects: [] + threat_objects: + - field:process_name + type: process_name tags: analytic_story: - Cisco Isovalent Suspicious Activity diff --git a/detections/endpoint/linux_auditd_auditd_daemon_abort.yml b/detections/endpoint/linux_auditd_auditd_daemon_abort.yml index 0a4ee0eb82..8799c43d13 100644 --- a/detections/endpoint/linux_auditd_auditd_daemon_abort.yml +++ b/detections/endpoint/linux_auditd_auditd_daemon_abort.yml @@ -5,7 +5,7 @@ date: '2025-06-06' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the abnormal termination of the Linux audit daemon (auditd) by identifying DAEMON_ABORT events in audit logs. These terminations suggest a serious failure of the auditing subsystem, potentially due to resource exhaustion, corruption, or malicious interference. Unlike a clean shutdown, DAEMON_ABORT implies that audit logging may have been disabled without system administrator intent. Alerts should be generated on detection and correlated with DAEMON_START, DAEMON_END, and system logs to determine root cause. If no DAEMON_START follows soon after, or this pattern repeats, it indicates a high-severity issue that impacts log integrity and should be immediately investigated. +description: The following analytic detects the abnormal termination of the Linux audit daemon (auditd) by identifying DAEMON_ABORT events in audit logs. These terminations suggest a serious failure of the auditing subsystem, potentially due to resource exhaustion, corruption, or malicious interference. Unlike a clean shutdown, DAEMON_ABORT implies that audit logging may have been disabled without system administrator intent. Alerts should be generated on detection and correlated with DAEMON_START, DAEMON_END, and system logs to determine root c ause. If no DAEMON_START follows soon after, or this pattern repeats, it indicates a high-severity issue that impacts log integrity and should be immediately investigated. data_source: - Linux Auditd Daemon Abort search: '`linux_auditd` type=DAEMON_ABORT diff --git a/detections/endpoint/potential_password_in_username.yml b/detections/endpoint/potential_password_in_username.yml index 6b4097435d..81f86e1b3a 100644 --- a/detections/endpoint/potential_password_in_username.yml +++ b/detections/endpoint/potential_password_in_username.yml @@ -51,7 +51,7 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: access - manual_test: Due to an existing bug with eventtypes/tags in the splunk-add-on-for-unix-and-linux TA, this detection does not work with the latest version of the TA 10.0.0. You can refer to the following link for more information - https://splunk.atlassian.net/browse/ADDON-81872. This detection works as expected with TAs prior to 10.0.0. + # manual_test: Due to an existing bug with eventtypes/tags in the splunk-add-on-for-unix-and-linux TA, this detection does not work with the latest version of the TA 10.0.0. You can refer to the following link for more information - https://splunk.atlassian.net/browse/ADDON-81872. This detection works as expected with TAs prior to 10.0.0. tests: - name: True Positive Test attack_data: diff --git a/stories/cisco_isovalent_suspicious_activity.yml b/stories/cisco_isovalent_suspicious_activity.yml index 617760fe9f..9d2c34da9b 100644 --- a/stories/cisco_isovalent_suspicious_activity.yml +++ b/stories/cisco_isovalent_suspicious_activity.yml @@ -1,7 +1,7 @@ name: Cisco Isovalent Suspicious Activity id: 245ac99a-1355-44fe-9ef7-a7e826e20c6f version: 1 -date: '2025-08-12' +date: '2025-09-30' author: Bhavin Patel, Splunk status: production description: This analytics story focuses on identifying suspicious activities and potential security threats within environments using Cisco Isovalent. It provides detection rules and guidance to help security teams recognize signs of adversary tactics such as unauthorized access attempts, unusual network activity, and other behaviors indicative of potential compromise. @@ -10,8 +10,9 @@ narrative: | By continuously observing process_exec and L7 DNS/HTTP activity tied to specific pods and deployments, these detections surface late process launches, anomalous shells, and suspicious outbound connections that deviate from normal workload behavior—accelerating triage and response, reducing dwell time, and shrinking blast radius across Kubernetes environments. references: -- https://isovalent.com -- https://tetragon.io +- https://isovalent.com/blog/post/isovalent-splunk-better-together/ +- https://isovalent.com/blog/post/mitre-attack-tetragon/ +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ tags: category: - Adversary Tactics @@ -20,4 +21,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - usecase: Advanced Threat Detection + usecase: Advanced Threat Detection \ No newline at end of file From 4fbadb3999b95f67fda295ac74177776f875efb7 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 30 Sep 2025 14:52:09 -0700 Subject: [PATCH 21/37] fixing mitre --- detections/cloud/cisco_isovalent___cron_job_creation.yml | 2 +- .../cisco_isovalent___curl_execution_with_insecure_flags.yml | 3 ++- .../cloud/cisco_isovalent___detect_late_process_execution.yml | 2 +- detections/cloud/cisco_isovalent___detect_shell_execution.yml | 2 +- .../cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml | 2 +- .../cloud/cisco_isovalent___pods_running_offensive_tools.yml | 4 +--- detections/cloud/cisco_isovalent___suspicious_image_use.yml | 4 ++-- stories/cisco_isovalent_suspicious_activity.yml | 1 + 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index 4a856b81fc..248a1cf89d 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -53,7 +53,7 @@ tags: - Cisco Isovalent Suspicious Activity asset_type: Kubernetes mitre_attack_id: - - T1053.007 + - T1053.003 product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index 288295a7c8..f3a98df25a 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -49,7 +49,8 @@ tags: - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - - T1071 + - T1105 + atomic_guid: [] product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml b/detections/cloud/cisco_isovalent___detect_late_process_execution.yml index 642b74cdde..25e63373d0 100644 --- a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_late_process_execution.yml @@ -55,7 +55,7 @@ tags: - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - - T1059 + - T1543 product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml index 4790eb2212..ec14ed9181 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -43,7 +43,7 @@ tags: - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - - T1059 + - T1543 product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml index 96bcc8682a..cfe92e3582 100644 --- a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -53,7 +53,7 @@ tags: - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - - T1611 + - T1543 product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml index 43a2349df1..98332c0322 100644 --- a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml +++ b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml @@ -51,9 +51,7 @@ tags: - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - - T1046 - - T1033 - - T1003 + - T1204.003 product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml index 2cff8b302e..f0a0ca3178 100644 --- a/detections/cloud/cisco_isovalent___suspicious_image_use.yml +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -58,14 +58,14 @@ rba: type: system score: 45 threat_objects: - - field:process_name + - field: process_name type: process_name tags: analytic_story: - Cisco Isovalent Suspicious Activity asset_type: Kubernetes mitre_attack_id: - - T1526 + - T1204.003 product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/stories/cisco_isovalent_suspicious_activity.yml b/stories/cisco_isovalent_suspicious_activity.yml index 9d2c34da9b..63559b51a8 100644 --- a/stories/cisco_isovalent_suspicious_activity.yml +++ b/stories/cisco_isovalent_suspicious_activity.yml @@ -13,6 +13,7 @@ references: - https://isovalent.com/blog/post/isovalent-splunk-better-together/ - https://isovalent.com/blog/post/mitre-attack-tetragon/ - https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ +- https://attack.mitre.org/matrices/enterprise/containers/ tags: category: - Adversary Tactics From 64dd230757117948de07a2f7b2e9e12d69d92cec Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 1 Oct 2025 11:39:56 -0700 Subject: [PATCH 22/37] added dataset for curl --- detections/endpoint/linux_curl_upload_file.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index 8aa322d09b..e6d99a4b9e 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml @@ -1,7 +1,7 @@ name: Linux Curl Upload File id: c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-30' author: Michael Haag, Splunk status: production type: TTP @@ -15,6 +15,7 @@ description: The following analytic detects the use of the curl command with spe and potential compromise of AWS resources. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-F *", "*--form *","*--upload-file *","*-T *","*-d *","*--data @@ -88,3 +89,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec From 03ff337c9a664779e37a851bb20a337b2e909338 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 1 Oct 2025 15:17:33 -0700 Subject: [PATCH 23/37] add new detection --- .../cisco_isovalent___cron_job_creation.yml | 1 + ...lent___detect_potential_escape_to_host.yml | 95 +++++++++++++++++++ .../endpoint/linux_decode_base64_to_shell.yml | 11 ++- 3 files changed, 105 insertions(+), 2 deletions(-) create mode 100644 detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index 248a1cf89d..0ffa243fff 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -54,6 +54,7 @@ tags: asset_type: Kubernetes mitre_attack_id: - T1053.003 + - T1053.007 product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml b/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml new file mode 100644 index 0000000000..0aa9f52af3 --- /dev/null +++ b/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml @@ -0,0 +1,95 @@ +name: Cisco Isovalent - Escape to Host Attempt via nsenter or mount +id: 2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab +version: 1 +date: '2025-10-01' +author: Bhavin Patel, Splunk +type: TTP +data_source: +- Cisco Isovalent Process Exec +status: production +description: | + This analytic detects potential container escape or reconnaissance attempts by monitoring for the rapid execution of multiple suspicious Linux commands (nsenter, mount, ps aux, and ls) within a short time window. The search aggregates process execution logs into 5-minute buckets and identifies when two or more distinct commands occur in quick succession. This behavior is noteworthy because attackers often chain these commands together to pivot from a container into the host, enumerate processes, or browse filesystems. For a SOC, catching these clustered command executions is important because it highlights possible adversary activity attempting to break isolation and escalate privileges inside a Kubernetes environment. +search: | + `cisco_isovalent_process_exec` + sourcetype=cisco:isovalent:processExec + ( + process_name IN ("nsenter","mount","ps","ls") + OR process="*nsenter*" OR process="*mount*" OR process="*ps aux*" OR process="*ps -ef*" + ) + | bin _time span=5m + | stats + count AS total_events + dc(process_name) AS distinct_cmds + min(_time) AS firstTime + max(_time) AS lastTime + values(process) AS process + values(process_name) AS process_name + BY cluster_name node_name pod_name _time + | eval duration_s = round(lastTime - firstTime, 0) + | where distinct_cmds >= 2 AND duration_s <= 120 + | table _time cluster_name node_name pod_name total_events distinct_cmds duration_s firstTime lastTime process process_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___escape_to_host_attempt_filter` +how_to_implement: | + This detection relies on process execution telemetry from Cisco Isovalent Runtime Security. + Ensure Isovalent Runtime Security is deployed and configured in your Kubernetes environment + to generate process_exec events. Configure the Cisco Security Cloud TA to collect these logs + via HEC and normalize them into Splunk CIM. Privileged pods and hostPID configurations + should be closely monitored as they increase the risk of container escape attempts. +known_false_positives: | + Some legitimate administrative containers or troubleshooting workflows may use nsenter + or mount commands (e.g., debugging nodes with hostPID pods). Such activity should be + investigated in context to ensure it is not malicious. +references: +- https://attack.mitre.org/techniques/T1611/ +https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ +drilldown_searches: +- name: View detection results for pod - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: | + | from datamodel Risk.All_Risk + | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 + | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" + values(risk_message) as "Risk Message" + values(analyticstories) as "Analytic Stories" + values(annotations._all) as "Annotations" + values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Escape-to-host attempt detected in pod $pod_name$ on cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 70 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + - Kubernetes Container Escape + asset_type: Endpoint + mitre_attack_id: + - T1611 + atomic_guid: [] + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index a3f55ddc36..65b2b3e66e 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -1,7 +1,7 @@ name: Linux Decode Base64 to Shell id: 637b603e-1799-40fd-bf87-47ecbd551b66 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-10-01' author: Michael Haag, Splunk status: production type: TTP @@ -17,6 +17,7 @@ description: The following analytic detects the behavior of decoding base64-enco unauthorized access, for data exfiltration, or perform other malicious actions. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*|*" `linux_shells` by Processes.action Processes.dest Processes.original_file_name Processes.parent_process @@ -74,6 +75,7 @@ rba: tags: analytic_story: - Linux Living Off The Land + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1027 @@ -89,3 +91,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec From a181580cd7ec642ce457e037af12618bc05b645f Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 1 Oct 2025 15:47:38 -0700 Subject: [PATCH 24/37] new detection --- .../cisco_isovalent___detect_kprobe_spike.yml | 50 +++++++++++++++++++ ...lent___detect_potential_escape_to_host.yml | 28 ++++------- macros/cisco_isovalent.yml | 4 ++ 3 files changed, 64 insertions(+), 18 deletions(-) create mode 100644 detections/cloud/cisco_isovalent___detect_kprobe_spike.yml create mode 100644 macros/cisco_isovalent.yml diff --git a/detections/cloud/cisco_isovalent___detect_kprobe_spike.yml b/detections/cloud/cisco_isovalent___detect_kprobe_spike.yml new file mode 100644 index 0000000000..d508382360 --- /dev/null +++ b/detections/cloud/cisco_isovalent___detect_kprobe_spike.yml @@ -0,0 +1,50 @@ +name: Cisco Isovalent - Detect Kprobe Spike +id: 3df0e9a8-7d5e-4b2f-bcd7-bf93e671d1f2 +version: 1 +date: '2025-10-01' +author: Bhavin Patel, Splunk +type: Hunting +data_source: [] +status: production +description: | + This analytic detects excessive kernel probe (kprobe) events in a Kubernetes + cluster over a short period of time. More than 10 kprobe events within 5 minutes + may indicate suspicious activity, such as an attacker probing the kernel through + repeated system calls (e.g., nsenter, mount, sethostname). This behavior can be + a strong signal of container escape attempts or low-level tampering with the host. +search: | + `cisco_isovalent` "process_kprobe.action"!="" + | bin _time span=1h | rename process_kprobe.parent.pod.name as pod_name + | stats count as kprobe_count + values(process_kprobe.function_name) as functions + values(process_kprobe.process.binary) as binaries + values(process_kprobe.args{}.string_arg) as args + by pod_name _time + | where kprobe_count > 10 | `cisco_isovalent___detect_kprobe_spike_filter` +how_to_implement: | + Requires Cisco Isovalent Runtime Security with kprobe tracing enabled and logs + forwarded into Splunk. Ensure that your Splunk Technology Add-on (TA) for Cisco + Security Cloud parses the kprobe JSON correctly. Tune the threshold based on + your workload baseline. +known_false_positives: | + Busy or noisy pods may legitimately produce bursts of kprobe events during normal + operation. Tune thresholds and filter by function_name to reduce false positives. +references: +- https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/kprobe_spike.log + source: not_applicable + sourcetype: cisco:isovalent \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml b/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml index 0aa9f52af3..21d840f4df 100644 --- a/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml +++ b/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml @@ -1,4 +1,4 @@ -name: Cisco Isovalent - Escape to Host Attempt via nsenter or mount +name: Cisco Isovalent - Detect Potential Escape to Host id: 2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab version: 1 date: '2025-10-01' @@ -30,7 +30,7 @@ search: | | table _time cluster_name node_name pod_name total_events distinct_cmds duration_s firstTime lastTime process process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_isovalent___escape_to_host_attempt_filter` + | `cisco_isovalent___detect_potential_escape_to_host_filter` how_to_implement: | This detection relies on process execution telemetry from Cisco Isovalent Runtime Security. Ensure Isovalent Runtime Security is deployed and configured in your Kubernetes environment @@ -43,26 +43,19 @@ known_false_positives: | investigated in context to ensure it is not malicious. references: - https://attack.mitre.org/techniques/T1611/ -https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ +- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ drilldown_searches: -- name: View detection results for pod - "$pod_name$" +- name: View the detection results for pod - "$pod_name$" search: '%original_detection_search% | search pod_name = "$pod_name$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$pod_name$" - search: | - | from datamodel Risk.All_Risk - | search normalized_risk_object IN ("$pod_name$") - starthoursago=168 - | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" - values(risk_message) as "Risk Message" - values(analyticstories) as "Analytic Stories" - values(annotations._all) as "Annotations" - values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -77,7 +70,6 @@ rba: tags: analytic_story: - Cisco Isovalent Suspicious Activity - - Kubernetes Container Escape asset_type: Endpoint mitre_attack_id: - T1611 diff --git a/macros/cisco_isovalent.yml b/macros/cisco_isovalent.yml new file mode 100644 index 0000000000..35754066eb --- /dev/null +++ b/macros/cisco_isovalent.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:isovalent +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_isovalent From 444abaf91594610c2bea85e9e861d2e87136670c Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 1 Oct 2025 17:12:33 -0700 Subject: [PATCH 25/37] updating links --- detections/cloud/cisco_isovalent___cron_job_creation.yml | 2 +- .../cisco_isovalent___curl_execution_with_insecure_flags.yml | 2 +- .../cloud/cisco_isovalent___detect_potential_escape_to_host.yml | 2 +- detections/cloud/cisco_isovalent___detect_shell_execution.yml | 2 +- .../cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml | 2 +- .../cloud/cisco_isovalent___pods_running_offensive_tools.yml | 2 +- detections/cloud/cisco_isovalent___suspicious_image_use.yml | 2 +- detections/endpoint/linux_add_user_account.yml | 2 +- .../endpoint/linux_adding_crontab_using_list_parameter.yml | 2 +- detections/endpoint/linux_apt_get_privilege_escalation.yml | 2 +- detections/endpoint/linux_at_application_execution.yml | 2 +- detections/endpoint/linux_curl_upload_file.yml | 2 +- detections/endpoint/linux_decode_base64_to_shell.yml | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml index 0ffa243fff..2f465ede6e 100644 --- a/detections/cloud/cisco_isovalent___cron_job_creation.yml +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -63,6 +63,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml index f3a98df25a..755771d1d3 100644 --- a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -59,6 +59,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml b/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml index 21d840f4df..35d88e6d58 100644 --- a/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml +++ b/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml @@ -82,6 +82,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml index ec14ed9181..468d408f5c 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -52,6 +52,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml index cfe92e3582..0c851ea137 100644 --- a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -62,6 +62,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml index 98332c0322..a9cd9e3116 100644 --- a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml +++ b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml @@ -60,7 +60,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml index f0a0ca3178..0fd5c55e5e 100644 --- a/detections/cloud/cisco_isovalent___suspicious_image_use.yml +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -74,7 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index 5a59e33989..62d963c655 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml @@ -58,6 +58,6 @@ tests: sourcetype: sysmon:linux - name: True Positive Test - Cisco Isovalent attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 7429512f38..a1a5157105 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -64,6 +64,6 @@ tests: sourcetype: sysmon:linux - name: True Positive Test - Cisco Isovalent attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index 96369a721a..c20814610a 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -85,6 +85,6 @@ tests: sourcetype: sysmon:linux - name: True Positive Test - Cisco Isovalent attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index f0d5c5b02a..63040aa5c2 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -82,6 +82,6 @@ tests: sourcetype: sysmon:linux - name: True Positive Test - Cisco Isovalent attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index e6d99a4b9e..9cd23acac0 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml @@ -91,6 +91,6 @@ tests: sourcetype: sysmon:linux - name: True Positive Test - Cisco Isovalent attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index 65b2b3e66e..47cf46a587 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -93,6 +93,6 @@ tests: sourcetype: sysmon:linux - name: True Positive Test - Cisco Isovalent attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_isovalent/cisco_isovalent.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log source: not_applicable sourcetype: cisco:isovalent:processExec From bcb0184072c4661d5bccd266fe9bfd92deb53fa1 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 1 Oct 2025 17:14:44 -0700 Subject: [PATCH 26/37] fixing data source app --- data_sources/cisco_isovalent_process_exec.yml | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml index 40ead012c5..4d15bdf55e 100644 --- a/data_sources/cisco_isovalent_process_exec.yml +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -11,19 +11,10 @@ mitre_components: source: not_applicable sourcetype: cisco:isovalent:processExec supported_TA: -- name: Cisco Networks Add-on - url: https://splunkbase.splunk.com/app/1467 - version: 2.7.8 +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.4.1 fields: -- _bkt -- _cd -- _eventtype_color -- _indextime -- _raw -- _serial -- _si -- _sourcetype -- _subsecond - _time - cluster_name - dest_ip From e10390ccce623503758a56947a2806cc47bc4665 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 1 Oct 2025 17:19:14 -0700 Subject: [PATCH 27/37] adding correct fields and output fields --- data_sources/cisco_isovalent_process_exec.yml | 122 +++++------------- 1 file changed, 29 insertions(+), 93 deletions(-) diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml index 4d15bdf55e..dae4682bc4 100644 --- a/data_sources/cisco_isovalent_process_exec.yml +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -17,26 +17,27 @@ supported_TA: fields: - _time - cluster_name -- dest_ip -- dest_port -- duration +- container_id - eventtype - host - index - linecount - node_labels.alpha.eksctl.io/cluster-name -- node_labels.alpha.eksctl.io/instance-id - node_labels.alpha.eksctl.io/nodegroup-name - node_labels.beta.kubernetes.io/arch - node_labels.beta.kubernetes.io/instance-type - node_labels.beta.kubernetes.io/os +- node_labels.eks.amazonaws.com/capacityType +- node_labels.eks.amazonaws.com/nodegroup +- node_labels.eks.amazonaws.com/nodegroup-image +- node_labels.eks.amazonaws.com/sourceLaunchTemplateId +- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion - node_labels.failure-domain.beta.kubernetes.io/region - node_labels.failure-domain.beta.kubernetes.io/zone - node_labels.k8s.io/cloud-provider-aws - node_labels.kubernetes.io/arch - node_labels.kubernetes.io/hostname - node_labels.kubernetes.io/os -- node_labels.node-lifecycle - node_labels.node.kubernetes.io/instance-type - node_labels.topology.k8s.aws/zone-id - node_labels.topology.kubernetes.io/region @@ -47,89 +48,10 @@ fields: - parent_process_id - parent_process_name - parent_process_path +- pod_image_name +- pod_name +- pod_namespace - process -- process_connect.destination_ip -- process_connect.destination_pod.name -- process_connect.destination_pod.namespace -- process_connect.destination_pod.pod_labels.app.kubernetes.io/component -- process_connect.destination_pod.pod_labels.app.kubernetes.io/instance -- process_connect.destination_pod.pod_labels.app.kubernetes.io/managed-by -- process_connect.destination_pod.pod_labels.app.kubernetes.io/name -- process_connect.destination_pod.pod_labels.app.kubernetes.io/part-of -- process_connect.destination_pod.pod_labels.app.kubernetes.io/version -- process_connect.destination_pod.pod_labels.apps.kubernetes.io/pod-index -- process_connect.destination_pod.pod_labels.controller-revision-hash -- process_connect.destination_pod.pod_labels.eks.amazonaws.com/component -- process_connect.destination_pod.pod_labels.helm.sh/chart -- process_connect.destination_pod.pod_labels.k8s-app -- process_connect.destination_pod.pod_labels.pod-template-hash -- process_connect.destination_pod.pod_labels.statefulset.kubernetes.io/pod-name -- process_connect.destination_pod.workload -- process_connect.destination_pod.workload_kind -- process_connect.destination_port -- process_connect.parent.arguments -- process_connect.parent.auid -- process_connect.parent.binary -- process_connect.parent.cwd -- process_connect.parent.docker -- process_connect.parent.exec_id -- process_connect.parent.flags -- process_connect.parent.in_init_tree -- process_connect.parent.parent_exec_id -- process_connect.parent.pid -- process_connect.parent.pod.container.id -- process_connect.parent.pod.container.image.id -- process_connect.parent.pod.container.image.name -- process_connect.parent.pod.container.name -- process_connect.parent.pod.container.pid -- process_connect.parent.pod.container.start_time -- process_connect.parent.pod.name -- process_connect.parent.pod.namespace -- process_connect.parent.pod.pod_labels.app.kubernetes.io/instance -- process_connect.parent.pod.pod_labels.app.kubernetes.io/name -- process_connect.parent.pod.pod_labels.controller-revision-hash -- process_connect.parent.pod.pod_labels.k8s-app -- process_connect.parent.pod.pod_labels.pod-template-generation -- process_connect.parent.pod.workload -- process_connect.parent.pod.workload_kind -- process_connect.parent.start_time -- process_connect.parent.tid -- process_connect.parent.uid -- process_connect.process.arguments -- process_connect.process.auid -- process_connect.process.binary -- process_connect.process.cwd -- process_connect.process.docker -- process_connect.process.exec_id -- process_connect.process.flags -- process_connect.process.in_init_tree -- process_connect.process.parent_exec_id -- process_connect.process.pid -- process_connect.process.pod.container.id -- process_connect.process.pod.container.image.id -- process_connect.process.pod.container.image.name -- process_connect.process.pod.container.maybe_exec_probe -- process_connect.process.pod.container.name -- process_connect.process.pod.container.pid -- process_connect.process.pod.container.start_time -- process_connect.process.pod.name -- process_connect.process.pod.namespace -- process_connect.process.pod.pod_labels.app.kubernetes.io/instance -- process_connect.process.pod.pod_labels.app.kubernetes.io/name -- process_connect.process.pod.pod_labels.controller-revision-hash -- process_connect.process.pod.pod_labels.eks.amazonaws.com/component -- process_connect.process.pod.pod_labels.k8s-app -- process_connect.process.pod.pod_labels.pod-template-generation -- process_connect.process.pod.pod_labels.pod-template-hash -- process_connect.process.pod.workload -- process_connect.process.pod.workload_kind -- process_connect.process.start_time -- process_connect.process.tid -- process_connect.process.uid -- process_connect.protocol -- process_connect.sock_cookie -- process_connect.source_ip -- process_connect.source_port - process_current_directory - process_exec - process_exec.ancestors{}.arguments @@ -141,6 +63,7 @@ fields: - process_exec.ancestors{}.in_init_tree - process_exec.ancestors{}.parent_exec_id - process_exec.ancestors{}.pid +- process_exec.ancestors{}.refcnt - process_exec.ancestors{}.start_time - process_exec.ancestors{}.tid - process_exec.ancestors{}.uid @@ -148,11 +71,26 @@ fields: - process_exec.parent.auid - process_exec.parent.binary - process_exec.parent.cwd +- process_exec.parent.docker - process_exec.parent.exec_id - process_exec.parent.flags - process_exec.parent.in_init_tree - process_exec.parent.parent_exec_id - process_exec.parent.pid +- process_exec.parent.pod.container.id +- process_exec.parent.pod.container.image.id +- process_exec.parent.pod.container.image.name +- process_exec.parent.pod.container.name +- process_exec.parent.pod.container.pid +- process_exec.parent.pod.container.security_context.privileged +- process_exec.parent.pod.container.start_time +- process_exec.parent.pod.name +- process_exec.parent.pod.namespace +- process_exec.parent.pod.pod_labels.controller-revision-hash +- process_exec.parent.pod.pod_labels.k8s-app +- process_exec.parent.pod.pod_labels.pod-template-generation +- process_exec.parent.pod.workload +- process_exec.parent.pod.workload_kind - process_exec.parent.start_time - process_exec.parent.tid - process_exec.parent.uid @@ -172,6 +110,7 @@ fields: - process_exec.process.pod.container.maybe_exec_probe - process_exec.process.pod.container.name - process_exec.process.pod.container.pid +- process_exec.process.pod.container.security_context.privileged - process_exec.process.pod.container.start_time - process_exec.process.pod.name - process_exec.process.pod.namespace @@ -188,20 +127,17 @@ fields: - process_id - process_name - punct -- session_id - source - sourcetype - splunk_server - splunk_server_group -- src -- src_ip -- src_port - tag - tag::eventtype - time -- transport - user_id - vendor_product -output_fields: [] +output_fields: +- process_name +- process example_log: | {"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk5MjQ2MDAwNDozNTAyOTE0","pid":3502914,"uid":0,"cwd":"/app","binary":"/app/grpc-health-probe","arguments":"-addr=:50051 -connect-timeout=5s -rpc-timeout=5s","flags":"execve clone","start_time":"2025-08-14T20:42:47.459946745Z","auid":4294967295,"pod":{"namespace":"kube-system","name":"aws-node-9twpn","container":{"id":"containerd://dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","name":"aws-node","image":{"id":"sha256:0b48ad70935c9dea3627854c46a5d12028b941334ad82bf7be6a6fcddd4a2674","name":"066635153087.dkr.ecr.il-central-1.amazonaws.com/amazon-k8s-cni:v1.19.2"},"start_time":"2025-07-28T22:21:44Z","pid":3635324,"maybe_exec_probe":true,"security_context":{}},"pod_labels":{"app.kubernetes.io/instance":"aws-vpc-cni","app.kubernetes.io/name":"aws-node","controller-revision-hash":"dfddff8c5","k8s-app":"aws-node","pod-template-generation":"1"},"workload":"aws-node","workload_kind":"DaemonSet"},"docker":"dc5b541d139c38ec01e485712f0eec3","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","tid":3502914,"in_init_tree":false},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","pid":3502900,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process2848112653 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/939f032732ee71076b86175deba715fc56e5cacb6047fb3602069bdbbfd21e45.pid dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","flags":"execve clone","start_time":"2025-08-14T20:42:47.439585277Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","tid":3502900,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","pid":3059,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2025-07-28T22:21:34.807485194Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":3059,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T20:42:47.459945318Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} \ No newline at end of file From 36d6a7543e46264687da22d3634b06a90039adc4 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 1 Oct 2025 17:42:42 -0700 Subject: [PATCH 28/37] inspect error --- detections/endpoint/linux_auditd_auditd_daemon_abort.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/linux_auditd_auditd_daemon_abort.yml b/detections/endpoint/linux_auditd_auditd_daemon_abort.yml index 8799c43d13..0a4ee0eb82 100644 --- a/detections/endpoint/linux_auditd_auditd_daemon_abort.yml +++ b/detections/endpoint/linux_auditd_auditd_daemon_abort.yml @@ -5,7 +5,7 @@ date: '2025-06-06' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the abnormal termination of the Linux audit daemon (auditd) by identifying DAEMON_ABORT events in audit logs. These terminations suggest a serious failure of the auditing subsystem, potentially due to resource exhaustion, corruption, or malicious interference. Unlike a clean shutdown, DAEMON_ABORT implies that audit logging may have been disabled without system administrator intent. Alerts should be generated on detection and correlated with DAEMON_START, DAEMON_END, and system logs to determine root c ause. If no DAEMON_START follows soon after, or this pattern repeats, it indicates a high-severity issue that impacts log integrity and should be immediately investigated. +description: The following analytic detects the abnormal termination of the Linux audit daemon (auditd) by identifying DAEMON_ABORT events in audit logs. These terminations suggest a serious failure of the auditing subsystem, potentially due to resource exhaustion, corruption, or malicious interference. Unlike a clean shutdown, DAEMON_ABORT implies that audit logging may have been disabled without system administrator intent. Alerts should be generated on detection and correlated with DAEMON_START, DAEMON_END, and system logs to determine root cause. If no DAEMON_START follows soon after, or this pattern repeats, it indicates a high-severity issue that impacts log integrity and should be immediately investigated. data_source: - Linux Auditd Daemon Abort search: '`linux_auditd` type=DAEMON_ABORT From 794bcd4cfabd99324414bed4bb37803bf018d53d Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 1 Oct 2025 17:43:32 -0700 Subject: [PATCH 29/37] incorrect change --- detections/endpoint/potential_password_in_username.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/potential_password_in_username.yml b/detections/endpoint/potential_password_in_username.yml index 81f86e1b3a..6b4097435d 100644 --- a/detections/endpoint/potential_password_in_username.yml +++ b/detections/endpoint/potential_password_in_username.yml @@ -51,7 +51,7 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: access - # manual_test: Due to an existing bug with eventtypes/tags in the splunk-add-on-for-unix-and-linux TA, this detection does not work with the latest version of the TA 10.0.0. You can refer to the following link for more information - https://splunk.atlassian.net/browse/ADDON-81872. This detection works as expected with TAs prior to 10.0.0. + manual_test: Due to an existing bug with eventtypes/tags in the splunk-add-on-for-unix-and-linux TA, this detection does not work with the latest version of the TA 10.0.0. You can refer to the following link for more information - https://splunk.atlassian.net/browse/ADDON-81872. This detection works as expected with TAs prior to 10.0.0. tests: - name: True Positive Test attack_data: From fd24e9d499e15ed66578691f4ae4ef0ecd12bde6 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 3 Oct 2025 10:37:16 -0700 Subject: [PATCH 30/37] updating path --- contentctl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contentctl.yml b/contentctl.yml index 81ea1064fc..dec3de0df4 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -46,7 +46,7 @@ apps: appid: CiscoSecurityCloud version: 3.4.1 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_341.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/CiscoSecurityCloud-develop_2025-10-03_18-23.tar.gz - uid: 6652 title: Add-on for Linux Sysmon appid: Splunk_TA_linux_sysmon From 4fc2c9d681c54cbca1cb7795072f383e25958685 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Oct 2025 09:24:30 -0700 Subject: [PATCH 31/37] Update stories/cisco_isovalent_suspicious_activity.yml Co-authored-by: Nasreddine Bencherchali --- stories/cisco_isovalent_suspicious_activity.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/stories/cisco_isovalent_suspicious_activity.yml b/stories/cisco_isovalent_suspicious_activity.yml index 63559b51a8..eddc342747 100644 --- a/stories/cisco_isovalent_suspicious_activity.yml +++ b/stories/cisco_isovalent_suspicious_activity.yml @@ -6,8 +6,7 @@ author: Bhavin Patel, Splunk status: production description: This analytics story focuses on identifying suspicious activities and potential security threats within environments using Cisco Isovalent. It provides detection rules and guidance to help security teams recognize signs of adversary tactics such as unauthorized access attempts, unusual network activity, and other behaviors indicative of potential compromise. narrative: | - Cisco Isovalent with Tetragon delivers kernel-level, eBPF-powered visibility that traditional logs miss, correlating process execution, file access, and network flows with Kubernetes workload identity (namespace, labels, pod/container) and full process ancestry. This depth enables reliable detection of real-world Kubernetes threats, including container escapes (nsenter/host mounts), ServiceAccount token theft and API abuse, IMDS credential access, kubectl-in-container misuse, DGA/C2 beacons over trusted SaaS (GitHub, Pastebin, Discord), insecure curl usage (-k/--insecure), cron-based persistence, crypto‑mining, scanner/supply-chain image pulls, and privileged/hostPath abuse. - + Cisco Isovalent with Tetragon delivers kernel-level, eBPF-powered visibility that traditional logs miss, correlating process execution, file access, and network flows with Kubernetes workload identity (namespace, labels, pod/container) and full process ancestry. This depth enables reliable detection of real-world Kubernetes threats, including container escapes, ServiceAccount token theft and API abuse, IMDS credential access, kubectl-in-container misuse, DGA/C2 beacons over trusted SaaS (GitHub, Pastebin, Discord), insecure curl usage (-k/--insecure), cron-based persistence, crypto‑mining, scanner/supply-chain image pulls, privileged/hostPath abuse, and much more. By continuously observing process_exec and L7 DNS/HTTP activity tied to specific pods and deployments, these detections surface late process launches, anomalous shells, and suspicious outbound connections that deviate from normal workload behavior—accelerating triage and response, reducing dwell time, and shrinking blast radius across Kubernetes environments. references: - https://isovalent.com/blog/post/isovalent-splunk-better-together/ From ad8c286bc875f7157cf0213bdbe22c23d2f7e8c9 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Oct 2025 09:24:57 -0700 Subject: [PATCH 32/37] Update detections/cloud/cisco_isovalent___detect_shell_execution.yml Co-authored-by: Nasreddine Bencherchali --- detections/cloud/cisco_isovalent___detect_shell_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___detect_shell_execution.yml index 468d408f5c..1ad3f9090a 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___detect_shell_execution.yml @@ -1,4 +1,4 @@ -name: Cisco Isovalent - Detect Shell Execution +name: Cisco Isovalent - Shell Execution id: 12345678-abcd-1234-ef00-1234567890ab version: 1 date: '2025-09-17' From eff75624ea85b53048608e2950cf6bfadeeaf584 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Oct 2025 10:15:19 -0700 Subject: [PATCH 33/37] remove detect from everywhere --- ...ct_kprobe_spike.yml => cisco_isovalent___kprobe_spike.yml} | 4 ++-- ...ution.yml => cisco_isovalent___late_process_execution.yml} | 4 ++-- ...ost.yml => cisco_isovalent___potential_escape_to_host.yml} | 4 ++-- ...ll_execution.yml => cisco_isovalent___shell_execution.yml} | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) rename detections/cloud/{cisco_isovalent___detect_kprobe_spike.yml => cisco_isovalent___kprobe_spike.yml} (94%) rename detections/cloud/{cisco_isovalent___detect_late_process_execution.yml => cisco_isovalent___late_process_execution.yml} (96%) rename detections/cloud/{cisco_isovalent___detect_potential_escape_to_host.yml => cisco_isovalent___potential_escape_to_host.yml} (97%) rename detections/cloud/{cisco_isovalent___detect_shell_execution.yml => cisco_isovalent___shell_execution.yml} (97%) diff --git a/detections/cloud/cisco_isovalent___detect_kprobe_spike.yml b/detections/cloud/cisco_isovalent___kprobe_spike.yml similarity index 94% rename from detections/cloud/cisco_isovalent___detect_kprobe_spike.yml rename to detections/cloud/cisco_isovalent___kprobe_spike.yml index d508382360..0db9dacbd7 100644 --- a/detections/cloud/cisco_isovalent___detect_kprobe_spike.yml +++ b/detections/cloud/cisco_isovalent___kprobe_spike.yml @@ -1,4 +1,4 @@ -name: Cisco Isovalent - Detect Kprobe Spike +name: Cisco Isovalent - Kprobe Spike id: 3df0e9a8-7d5e-4b2f-bcd7-bf93e671d1f2 version: 1 date: '2025-10-01' @@ -20,7 +20,7 @@ search: | values(process_kprobe.process.binary) as binaries values(process_kprobe.args{}.string_arg) as args by pod_name _time - | where kprobe_count > 10 | `cisco_isovalent___detect_kprobe_spike_filter` + | where kprobe_count > 10 | `cisco_isovalent___kprobe_spike_filter` how_to_implement: | Requires Cisco Isovalent Runtime Security with kprobe tracing enabled and logs forwarded into Splunk. Ensure that your Splunk Technology Add-on (TA) for Cisco diff --git a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml b/detections/cloud/cisco_isovalent___late_process_execution.yml similarity index 96% rename from detections/cloud/cisco_isovalent___detect_late_process_execution.yml rename to detections/cloud/cisco_isovalent___late_process_execution.yml index 25e63373d0..3ed14eedc4 100644 --- a/detections/cloud/cisco_isovalent___detect_late_process_execution.yml +++ b/detections/cloud/cisco_isovalent___late_process_execution.yml @@ -1,4 +1,4 @@ -name: Cisco Isovalent - Detect Late Process Execution +name: Cisco Isovalent - Late Process Execution id: 7f4b9b8e-5d6a-4a21-9e3f-0f1e8f2d1c3a version: 1 date: '2025-08-22' @@ -22,7 +22,7 @@ search: | | where ProcessStartTime > ContainerTime5min | table node_name cluster_name, pod_name, container_id, process_name, process_exec, process, ProcessStartTime, ContainerTime5min | `security_content_ctime(ProcessStartTime)` | `security_content_ctime(ContainerTime5min)` - | `cisco_isovalent___detect_late_process_execution_filter` + | `cisco_isovalent___late_process_execution_filter` how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. references: diff --git a/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml b/detections/cloud/cisco_isovalent___potential_escape_to_host.yml similarity index 97% rename from detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml rename to detections/cloud/cisco_isovalent___potential_escape_to_host.yml index 35d88e6d58..37f33acb87 100644 --- a/detections/cloud/cisco_isovalent___detect_potential_escape_to_host.yml +++ b/detections/cloud/cisco_isovalent___potential_escape_to_host.yml @@ -1,4 +1,4 @@ -name: Cisco Isovalent - Detect Potential Escape to Host +name: Cisco Isovalent - Potential Escape to Host id: 2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab version: 1 date: '2025-10-01' @@ -30,7 +30,7 @@ search: | | table _time cluster_name node_name pod_name total_events distinct_cmds duration_s firstTime lastTime process process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_isovalent___detect_potential_escape_to_host_filter` + | `cisco_isovalent___potential_escape_to_host_filter` how_to_implement: | This detection relies on process execution telemetry from Cisco Isovalent Runtime Security. Ensure Isovalent Runtime Security is deployed and configured in your Kubernetes environment diff --git a/detections/cloud/cisco_isovalent___detect_shell_execution.yml b/detections/cloud/cisco_isovalent___shell_execution.yml similarity index 97% rename from detections/cloud/cisco_isovalent___detect_shell_execution.yml rename to detections/cloud/cisco_isovalent___shell_execution.yml index 1ad3f9090a..815e2a2df8 100644 --- a/detections/cloud/cisco_isovalent___detect_shell_execution.yml +++ b/detections/cloud/cisco_isovalent___shell_execution.yml @@ -10,7 +10,7 @@ status: production description: The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell (sh or bash) inside a container namespace. This behavior is significant for a SOC as it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity. search: | `cisco_isovalent_process_exec` process_name IN ("sh", "bash", "pwsh", "zsh") - | stats count by cluster_name parent_process_name process_name process_exec process_id node_name | `cisco_isovalent___detect_shell_execution_filter` + | stats count by cluster_name parent_process_name process_name process_exec process_id node_name | `cisco_isovalent___shell_execution_filter` how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. references: From efc4ce82d70dfdc412aa4790b5627303aee5e288 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Oct 2025 11:35:42 -0700 Subject: [PATCH 34/37] adding story --- detections/endpoint/linux_apt_get_privilege_escalation.yml | 1 + detections/endpoint/linux_at_application_execution.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index c20814610a..d91630c3cd 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -69,6 +69,7 @@ tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land + - Cisco Isovalent Process Exec asset_type: Endpoint mitre_attack_id: - T1548.003 diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 63040aa5c2..76b9eef5c9 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -66,6 +66,7 @@ tags: - Linux Persistence Techniques - Linux Living Off The Land - Scheduled Tasks + - Cisco Isovalent Process Exec asset_type: Endpoint mitre_attack_id: - T1053.002 From 9d6e1e47a48ed0629987ebfeddff0bb2bf946a7b Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Oct 2025 13:18:38 -0700 Subject: [PATCH 35/37] updating allowed images --- macros/cisco_isovalent_allowed_images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/macros/cisco_isovalent_allowed_images.yml b/macros/cisco_isovalent_allowed_images.yml index ec0138a771..4dee14b389 100644 --- a/macros/cisco_isovalent_allowed_images.yml +++ b/macros/cisco_isovalent_allowed_images.yml @@ -1,3 +1,3 @@ -definition: pod_image_name IN ("docker.io/library/ubuntu:22.04") +definition: pod_image_name IN ("docker.io/library/ubuntu:22.04","docker.io/grafana/grafana:12.0.1", "quay.io/isovalent-dev/tetragon-ci*" ,"quay.io/isovalent/hubble-export-fluentd*") description: List of image names which are allowed to be used in the Cisco Isovalent environment. PLease customize this macro to your environment to allowlist the images you want to allow. name: cisco_isovalent_allowed_images \ No newline at end of file From ec6afbcd42869eb3a457cbfc8554790ce724b71e Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Oct 2025 14:51:29 -0700 Subject: [PATCH 36/37] adding images --- macros/cisco_isovalent_allowed_images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/macros/cisco_isovalent_allowed_images.yml b/macros/cisco_isovalent_allowed_images.yml index 4dee14b389..3e399e0df4 100644 --- a/macros/cisco_isovalent_allowed_images.yml +++ b/macros/cisco_isovalent_allowed_images.yml @@ -1,3 +1,3 @@ -definition: pod_image_name IN ("docker.io/library/ubuntu:22.04","docker.io/grafana/grafana:12.0.1", "quay.io/isovalent-dev/tetragon-ci*" ,"quay.io/isovalent/hubble-export-fluentd*") +definition: pod_image_name IN ("docker.io/library/ubuntu:22.04","docker.io/grafana/grafana:12.0.1", "quay.io/isovalent-dev/tetragon-ci*",""quay.io/isovalent/tetragon-ci*","quay.io/isovalent/hubble-export-fluentd*") description: List of image names which are allowed to be used in the Cisco Isovalent environment. PLease customize this macro to your environment to allowlist the images you want to allow. name: cisco_isovalent_allowed_images \ No newline at end of file From 31e147ba44451d88ae1dac25354dbbfad9e2da73 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Oct 2025 16:32:43 -0700 Subject: [PATCH 37/37] fixes and new data source --- data_sources/cisco_isovalent_process_exec.yml | 4 - .../cisco_isovalent_process_kprobe.yml | 121 ++++++++++++++++++ .../cloud/cisco_isovalent___kprobe_spike.yml | 3 +- .../linux_apt_get_privilege_escalation.yml | 2 +- .../linux_at_application_execution.yml | 2 +- 5 files changed, 125 insertions(+), 7 deletions(-) create mode 100644 data_sources/cisco_isovalent_process_kprobe.yml diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml index dae4682bc4..50ca991b27 100644 --- a/data_sources/cisco_isovalent_process_exec.yml +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -4,10 +4,6 @@ version: 1 date: '2025-08-12' author: Bhavin Patel, Splunk description: Logs process execution events within Cisco Isovalent environments, providing visibility into process exec ancestry and Kubernetes workload identity. -mitre_components: -- Process Execution -- Container Monitoring -- Kubernetes Monitoring source: not_applicable sourcetype: cisco:isovalent:processExec supported_TA: diff --git a/data_sources/cisco_isovalent_process_kprobe.yml b/data_sources/cisco_isovalent_process_kprobe.yml new file mode 100644 index 0000000000..16aebf01e8 --- /dev/null +++ b/data_sources/cisco_isovalent_process_kprobe.yml @@ -0,0 +1,121 @@ +name: Cisco Isovalent Process Kprobe +id: b2620ef2-fac6-467f-bdc8-253d65db1cb9 +version: 1 +date: '2025-10-06' +author: Bhavin Patel, Splunk +description: Captures kernel probe (kprobe) telemetry from Cisco Isovalent Runtime Security, including function name, arguments, and process context, enabling visibility into low-level kernel interactions that may indicate container escape attempts or system tampering. +source: not_applicable +sourcetype: cisco:isovalent +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.4.2 +fields: +- _time +- app +- cluster_name +- description +- duration +- eventtype +- host +- id +- index +- linecount +- node_labels.alpha.eksctl.io/cluster-name +- node_labels.alpha.eksctl.io/nodegroup-name +- node_labels.beta.kubernetes.io/arch +- node_labels.beta.kubernetes.io/instance-type +- node_labels.beta.kubernetes.io/os +- node_labels.eks.amazonaws.com/capacityType +- node_labels.eks.amazonaws.com/nodegroup +- node_labels.eks.amazonaws.com/nodegroup-image +- node_labels.eks.amazonaws.com/sourceLaunchTemplateId +- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion +- node_labels.failure-domain.beta.kubernetes.io/region +- node_labels.failure-domain.beta.kubernetes.io/zone +- node_labels.k8s.io/cloud-provider-aws +- node_labels.kubernetes.io/arch +- node_labels.kubernetes.io/hostname +- node_labels.kubernetes.io/os +- node_labels.node.kubernetes.io/instance-type +- node_labels.topology.k8s.aws/zone-id +- node_labels.topology.kubernetes.io/region +- node_labels.topology.kubernetes.io/zone +- node_name +- process_kprobe.action +- process_kprobe.args{}.bytes_arg +- process_kprobe.args{}.int_arg +- process_kprobe.args{}.label +- process_kprobe.args{}.size_arg +- process_kprobe.args{}.string_arg +- process_kprobe.function_name +- process_kprobe.parent.arguments +- process_kprobe.parent.auid +- process_kprobe.parent.binary +- process_kprobe.parent.cwd +- process_kprobe.parent.docker +- process_kprobe.parent.exec_id +- process_kprobe.parent.flags +- process_kprobe.parent.in_init_tree +- process_kprobe.parent.parent_exec_id +- process_kprobe.parent.pid +- process_kprobe.parent.pod.container.id +- process_kprobe.parent.pod.container.image.id +- process_kprobe.parent.pod.container.image.name +- process_kprobe.parent.pod.container.name +- process_kprobe.parent.pod.container.pid +- process_kprobe.parent.pod.container.start_time +- process_kprobe.parent.pod.name +- process_kprobe.parent.pod.namespace +- process_kprobe.parent.pod.pod_labels.run +- process_kprobe.parent.pod.workload +- process_kprobe.parent.pod.workload_kind +- process_kprobe.parent.start_time +- process_kprobe.parent.tid +- process_kprobe.parent.uid +- process_kprobe.policy_name +- process_kprobe.process.arguments +- process_kprobe.process.auid +- process_kprobe.process.binary +- process_kprobe.process.cwd +- process_kprobe.process.docker +- process_kprobe.process.exec_id +- process_kprobe.process.flags +- process_kprobe.process.in_init_tree +- process_kprobe.process.parent_exec_id +- process_kprobe.process.pid +- process_kprobe.process.pod.container.id +- process_kprobe.process.pod.container.image.id +- process_kprobe.process.pod.container.image.name +- process_kprobe.process.pod.container.name +- process_kprobe.process.pod.container.pid +- process_kprobe.process.pod.container.start_time +- process_kprobe.process.pod.name +- process_kprobe.process.pod.namespace +- process_kprobe.process.pod.pod_labels.run +- process_kprobe.process.pod.workload +- process_kprobe.process.pod.workload_kind +- process_kprobe.process.refcnt +- process_kprobe.process.start_time +- process_kprobe.process.tid +- process_kprobe.process.uid +- process_kprobe.return_action +- punct +- severity +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_type +- tag +- tag::app +- tag::eventtype +- time +- vendor_region +output_fields: +- pod_name +example_log: | + {"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NjIwOTk3MjEyOjEwNTYwNDc=","pid":1056047,"uid":0,"cwd":"/","binary":"/usr/sbin/logrotate","arguments":"/etc/logrotate.conf","flags":"execve","start_time":"2025-10-06T00:00:46.054215601Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NTA2MTI3NjQ4OjEwNTYwNDI=","refcnt":1,"tid":1056047,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NTA2MTI3NjQ4OjEwNTYwNDI=","pid":1056042,"uid":0,"cwd":"/","binary":"/usr/sbin/logrotate","arguments":"/etc/logrotate.conf","flags":"execve rootcwd clone","start_time":"2025-10-06T00:00:45.939345635Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDozOTUzMzQzODExNjox","tid":1056042,"in_init_tree":false},"function_name":"__arm64_sys_execve","args":[{"string_arg":"/bin/gzip","label":"filename"},{"bytes_arg":"","label":"argv"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-10-06T00:00:46.054335518Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} + + diff --git a/detections/cloud/cisco_isovalent___kprobe_spike.yml b/detections/cloud/cisco_isovalent___kprobe_spike.yml index 0db9dacbd7..9a67b2499b 100644 --- a/detections/cloud/cisco_isovalent___kprobe_spike.yml +++ b/detections/cloud/cisco_isovalent___kprobe_spike.yml @@ -4,7 +4,8 @@ version: 1 date: '2025-10-01' author: Bhavin Patel, Splunk type: Hunting -data_source: [] +data_source: +- Cisco Isovalent Process Kprobe status: production description: | This analytic detects excessive kernel probe (kprobe) events in a Kubernetes diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index d91630c3cd..f18569a6ac 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -69,7 +69,7 @@ tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land - - Cisco Isovalent Process Exec + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1548.003 diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 76b9eef5c9..dc4d54ac93 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -66,7 +66,7 @@ tags: - Linux Persistence Techniques - Linux Living Off The Land - Scheduled Tasks - - Cisco Isovalent Process Exec + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1053.002