diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml new file mode 100644 index 0000000000..50ca991b27 --- /dev/null +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -0,0 +1,139 @@ +name: Cisco Isovalent Process Exec +id: 87654321-dcba-4321-00fe-0987654321ba +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +description: Logs process execution events within Cisco Isovalent environments, providing visibility into process exec ancestry and Kubernetes workload identity. +source: not_applicable +sourcetype: cisco:isovalent:processExec +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.4.1 +fields: +- _time +- cluster_name +- container_id +- eventtype +- host +- index +- linecount +- node_labels.alpha.eksctl.io/cluster-name +- node_labels.alpha.eksctl.io/nodegroup-name +- node_labels.beta.kubernetes.io/arch +- node_labels.beta.kubernetes.io/instance-type +- node_labels.beta.kubernetes.io/os +- node_labels.eks.amazonaws.com/capacityType +- node_labels.eks.amazonaws.com/nodegroup +- node_labels.eks.amazonaws.com/nodegroup-image +- node_labels.eks.amazonaws.com/sourceLaunchTemplateId +- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion +- node_labels.failure-domain.beta.kubernetes.io/region +- node_labels.failure-domain.beta.kubernetes.io/zone +- node_labels.k8s.io/cloud-provider-aws +- node_labels.kubernetes.io/arch +- node_labels.kubernetes.io/hostname +- node_labels.kubernetes.io/os +- node_labels.node.kubernetes.io/instance-type +- node_labels.topology.k8s.aws/zone-id +- node_labels.topology.kubernetes.io/region +- node_labels.topology.kubernetes.io/zone +- node_name +- parent_process +- parent_process_exec +- parent_process_id +- parent_process_name +- parent_process_path +- pod_image_name +- pod_name +- pod_namespace +- process +- process_current_directory +- process_exec +- process_exec.ancestors{}.arguments +- process_exec.ancestors{}.auid +- process_exec.ancestors{}.binary +- process_exec.ancestors{}.cwd +- process_exec.ancestors{}.exec_id +- process_exec.ancestors{}.flags +- process_exec.ancestors{}.in_init_tree +- process_exec.ancestors{}.parent_exec_id +- process_exec.ancestors{}.pid +- process_exec.ancestors{}.refcnt +- process_exec.ancestors{}.start_time +- process_exec.ancestors{}.tid +- process_exec.ancestors{}.uid +- process_exec.parent.arguments +- process_exec.parent.auid +- process_exec.parent.binary +- process_exec.parent.cwd +- process_exec.parent.docker +- process_exec.parent.exec_id +- process_exec.parent.flags +- process_exec.parent.in_init_tree +- process_exec.parent.parent_exec_id +- process_exec.parent.pid +- process_exec.parent.pod.container.id +- process_exec.parent.pod.container.image.id +- process_exec.parent.pod.container.image.name +- process_exec.parent.pod.container.name +- process_exec.parent.pod.container.pid +- process_exec.parent.pod.container.security_context.privileged +- process_exec.parent.pod.container.start_time +- process_exec.parent.pod.name +- process_exec.parent.pod.namespace +- process_exec.parent.pod.pod_labels.controller-revision-hash +- process_exec.parent.pod.pod_labels.k8s-app +- process_exec.parent.pod.pod_labels.pod-template-generation +- process_exec.parent.pod.workload +- process_exec.parent.pod.workload_kind +- process_exec.parent.start_time +- process_exec.parent.tid +- process_exec.parent.uid +- process_exec.process.arguments +- process_exec.process.auid +- process_exec.process.binary +- process_exec.process.cwd +- process_exec.process.docker +- process_exec.process.exec_id +- process_exec.process.flags +- process_exec.process.in_init_tree +- process_exec.process.parent_exec_id +- process_exec.process.pid +- process_exec.process.pod.container.id +- process_exec.process.pod.container.image.id +- process_exec.process.pod.container.image.name +- process_exec.process.pod.container.maybe_exec_probe +- process_exec.process.pod.container.name +- process_exec.process.pod.container.pid +- process_exec.process.pod.container.security_context.privileged +- process_exec.process.pod.container.start_time +- process_exec.process.pod.name +- process_exec.process.pod.namespace +- process_exec.process.pod.pod_labels.app.kubernetes.io/instance +- process_exec.process.pod.pod_labels.app.kubernetes.io/name +- process_exec.process.pod.pod_labels.controller-revision-hash +- process_exec.process.pod.pod_labels.k8s-app +- process_exec.process.pod.pod_labels.pod-template-generation +- process_exec.process.pod.workload +- process_exec.process.pod.workload_kind +- process_exec.process.start_time +- process_exec.process.tid +- process_exec.process.uid +- process_id +- process_name +- punct +- source +- sourcetype +- splunk_server +- splunk_server_group +- tag +- tag::eventtype +- time +- user_id +- vendor_product +output_fields: +- process_name +- process +example_log: | + {"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk5MjQ2MDAwNDozNTAyOTE0","pid":3502914,"uid":0,"cwd":"/app","binary":"/app/grpc-health-probe","arguments":"-addr=:50051 -connect-timeout=5s -rpc-timeout=5s","flags":"execve clone","start_time":"2025-08-14T20:42:47.459946745Z","auid":4294967295,"pod":{"namespace":"kube-system","name":"aws-node-9twpn","container":{"id":"containerd://dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","name":"aws-node","image":{"id":"sha256:0b48ad70935c9dea3627854c46a5d12028b941334ad82bf7be6a6fcddd4a2674","name":"066635153087.dkr.ecr.il-central-1.amazonaws.com/amazon-k8s-cni:v1.19.2"},"start_time":"2025-07-28T22:21:44Z","pid":3635324,"maybe_exec_probe":true,"security_context":{}},"pod_labels":{"app.kubernetes.io/instance":"aws-vpc-cni","app.kubernetes.io/name":"aws-node","controller-revision-hash":"dfddff8c5","k8s-app":"aws-node","pod-template-generation":"1"},"workload":"aws-node","workload_kind":"DaemonSet"},"docker":"dc5b541d139c38ec01e485712f0eec3","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","tid":3502914,"in_init_tree":false},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","pid":3502900,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process2848112653 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/939f032732ee71076b86175deba715fc56e5cacb6047fb3602069bdbbfd21e45.pid dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","flags":"execve clone","start_time":"2025-08-14T20:42:47.439585277Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","tid":3502900,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","pid":3059,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2025-07-28T22:21:34.807485194Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":3059,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T20:42:47.459945318Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} \ No newline at end of file diff --git a/data_sources/cisco_isovalent_process_kprobe.yml b/data_sources/cisco_isovalent_process_kprobe.yml new file mode 100644 index 0000000000..16aebf01e8 --- /dev/null +++ b/data_sources/cisco_isovalent_process_kprobe.yml @@ -0,0 +1,121 @@ +name: Cisco Isovalent Process Kprobe +id: b2620ef2-fac6-467f-bdc8-253d65db1cb9 +version: 1 +date: '2025-10-06' +author: Bhavin Patel, Splunk +description: Captures kernel probe (kprobe) telemetry from Cisco Isovalent Runtime Security, including function name, arguments, and process context, enabling visibility into low-level kernel interactions that may indicate container escape attempts or system tampering. +source: not_applicable +sourcetype: cisco:isovalent +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.4.2 +fields: +- _time +- app +- cluster_name +- description +- duration +- eventtype +- host +- id +- index +- linecount +- node_labels.alpha.eksctl.io/cluster-name +- node_labels.alpha.eksctl.io/nodegroup-name +- node_labels.beta.kubernetes.io/arch +- node_labels.beta.kubernetes.io/instance-type +- node_labels.beta.kubernetes.io/os +- node_labels.eks.amazonaws.com/capacityType +- node_labels.eks.amazonaws.com/nodegroup +- node_labels.eks.amazonaws.com/nodegroup-image +- node_labels.eks.amazonaws.com/sourceLaunchTemplateId +- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion +- node_labels.failure-domain.beta.kubernetes.io/region +- node_labels.failure-domain.beta.kubernetes.io/zone +- node_labels.k8s.io/cloud-provider-aws +- node_labels.kubernetes.io/arch +- node_labels.kubernetes.io/hostname +- node_labels.kubernetes.io/os +- node_labels.node.kubernetes.io/instance-type +- node_labels.topology.k8s.aws/zone-id +- node_labels.topology.kubernetes.io/region +- node_labels.topology.kubernetes.io/zone +- node_name +- process_kprobe.action +- process_kprobe.args{}.bytes_arg +- process_kprobe.args{}.int_arg +- process_kprobe.args{}.label +- process_kprobe.args{}.size_arg +- process_kprobe.args{}.string_arg +- process_kprobe.function_name +- process_kprobe.parent.arguments +- process_kprobe.parent.auid +- process_kprobe.parent.binary +- process_kprobe.parent.cwd +- process_kprobe.parent.docker +- process_kprobe.parent.exec_id +- process_kprobe.parent.flags +- process_kprobe.parent.in_init_tree +- process_kprobe.parent.parent_exec_id +- process_kprobe.parent.pid +- process_kprobe.parent.pod.container.id +- process_kprobe.parent.pod.container.image.id +- process_kprobe.parent.pod.container.image.name +- process_kprobe.parent.pod.container.name +- process_kprobe.parent.pod.container.pid +- process_kprobe.parent.pod.container.start_time +- process_kprobe.parent.pod.name +- process_kprobe.parent.pod.namespace +- process_kprobe.parent.pod.pod_labels.run +- process_kprobe.parent.pod.workload +- process_kprobe.parent.pod.workload_kind +- process_kprobe.parent.start_time +- process_kprobe.parent.tid +- process_kprobe.parent.uid +- process_kprobe.policy_name +- process_kprobe.process.arguments +- process_kprobe.process.auid +- process_kprobe.process.binary +- process_kprobe.process.cwd +- process_kprobe.process.docker +- process_kprobe.process.exec_id +- process_kprobe.process.flags +- process_kprobe.process.in_init_tree +- process_kprobe.process.parent_exec_id +- process_kprobe.process.pid +- process_kprobe.process.pod.container.id +- process_kprobe.process.pod.container.image.id +- process_kprobe.process.pod.container.image.name +- process_kprobe.process.pod.container.name +- process_kprobe.process.pod.container.pid +- process_kprobe.process.pod.container.start_time +- process_kprobe.process.pod.name +- process_kprobe.process.pod.namespace +- process_kprobe.process.pod.pod_labels.run +- process_kprobe.process.pod.workload +- process_kprobe.process.pod.workload_kind +- process_kprobe.process.refcnt +- process_kprobe.process.start_time +- process_kprobe.process.tid +- process_kprobe.process.uid +- process_kprobe.return_action +- punct +- severity +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_type +- tag +- tag::app +- tag::eventtype +- time +- vendor_region +output_fields: +- pod_name +example_log: | + {"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NjIwOTk3MjEyOjEwNTYwNDc=","pid":1056047,"uid":0,"cwd":"/","binary":"/usr/sbin/logrotate","arguments":"/etc/logrotate.conf","flags":"execve","start_time":"2025-10-06T00:00:46.054215601Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NTA2MTI3NjQ4OjEwNTYwNDI=","refcnt":1,"tid":1056047,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NTA2MTI3NjQ4OjEwNTYwNDI=","pid":1056042,"uid":0,"cwd":"/","binary":"/usr/sbin/logrotate","arguments":"/etc/logrotate.conf","flags":"execve rootcwd clone","start_time":"2025-10-06T00:00:45.939345635Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDozOTUzMzQzODExNjox","tid":1056042,"in_init_tree":false},"function_name":"__arm64_sys_execve","args":[{"string_arg":"/bin/gzip","label":"filename"},{"bytes_arg":"","label":"argv"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-10-06T00:00:46.054335518Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} + + diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml new file mode 100644 index 0000000000..2f465ede6e --- /dev/null +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -0,0 +1,68 @@ +name: Cisco Isovalent - Cron Job Creation +id: 94531a31-a041-4777-909f-cd92ed3b71ad +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information. +search: | + `cisco_isovalent_process_exec` process_name IN ("crond","cron","crontab") + | search pod_name!="" + | stats count + min(_time) as firstTime + max(_time) as lastTime + values(process) as process + by cluster_name pod_name parent_process_name process_name process_exec process_id node_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___cron_job_creation_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. +references: +- https://attack.mitre.org/techniques/T1053/003/ +- https://medium.com/@bag0zathev2/cronjobs-for-hackers-bugbounty-article-7d51588d0fd5 +- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search user = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: cron job creation detected in pod $pod_name$ in the cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 50 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Kubernetes + mitre_attack_id: + - T1053.003 + - T1053.007 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml new file mode 100644 index 0000000000..755771d1d3 --- /dev/null +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -0,0 +1,64 @@ +name: Cisco Isovalent - Curl Execution With Insecure Flags +id: c16c4899-d3f7-461b-92c2-cc0ef5758855 +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. +search: | + `cisco_isovalent_process_exec` process_name="curl" + | regex process="(?i)(? 10 | `cisco_isovalent___kprobe_spike_filter` +how_to_implement: | + Requires Cisco Isovalent Runtime Security with kprobe tracing enabled and logs + forwarded into Splunk. Ensure that your Splunk Technology Add-on (TA) for Cisco + Security Cloud parses the kprobe JSON correctly. Tune the threshold based on + your workload baseline. +known_false_positives: | + Busy or noisy pods may legitimately produce bursts of kprobe events during normal + operation. Tune thresholds and filter by function_name to reduce false positives. +references: +- https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/kprobe_spike.log + source: not_applicable + sourcetype: cisco:isovalent \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___late_process_execution.yml b/detections/cloud/cisco_isovalent___late_process_execution.yml new file mode 100644 index 0000000000..3ed14eedc4 --- /dev/null +++ b/detections/cloud/cisco_isovalent___late_process_execution.yml @@ -0,0 +1,69 @@ +name: Cisco Isovalent - Late Process Execution +id: 7f4b9b8e-5d6a-4a21-9e3f-0f1e8f2d1c3a +version: 1 +date: '2025-08-22' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: | + Detects process executions that occur well after a container has initialized, which can indicate + suspicious activity (e.g., interactive shells, injected binaries, or post-compromise tooling). + The analytic compares the process start time to the container start time and flags processes + launched more than 5 minutes (300 seconds) after initialization. +search: | + `cisco_isovalent_process_exec` process_name="sh" + | rename process_exec.process.start_time as ProcessStartTime + | rename process_exec.process.pod.container.start_time as ContainerStartTime + | eval ProcessStartTime=strptime(ProcessStartTime, "%Y-%m-%dT%H:%M:%S.%3Q") + | eval ContainerStartTime=strptime(ContainerStartTime, "%Y-%m-%dT%H:%M:%S.%9Q") + | eval ContainerTime5min=relative_time(ContainerStartTime, "+5m") + | where ProcessStartTime > ContainerTime5min + | table node_name cluster_name, pod_name, container_id, process_name, process_exec, process, ProcessStartTime, ContainerTime5min | `security_content_ctime(ProcessStartTime)` + | `security_content_ctime(ContainerTime5min)` + | `cisco_isovalent___late_process_execution_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. +references: +- https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html +drilldown_searches: +- name: View the detection results for pod - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Late process execution ($process_name$) detected in pod $pod_name$ + risk_objects: + - field: pod_name + type: system + score: 45 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1543 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent_process_exec_delayed_shell.log + source: not_applicable + sourcetype: cisco:isovalent \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml new file mode 100644 index 0000000000..bdd0ec8a2a --- /dev/null +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -0,0 +1,70 @@ +name: Cisco Isovalent - Nsenter Usage in Kubernetes Pod +id: cd07120d-4265-481a-ba0f-3b91fbc5a02f +version: 1 +date: '2025-08-12' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: | + This analytic detects the execution of the nsenter utility from within a container, a technique often used for exploitation and container escape. Nsenter allows an attacker to enter the namespaces of another process—such as the host's init process (PID 1)—and execute a shell or other binaries with elevated privileges. For example, an attacker may use docker exec to gain a shell in a container, enumerate the PID of a target container or the host, and then use nsenter to access all namespaces (mount, UTS, IPC, net, pid) of the host or another container. Example to escape to the host: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`. The WorkloadAncestorsBinary field is used to track the ancestry of the process, this is useful to understand the context of the nsenter usage. + + The options -m -u -n -i -p correspond to the various Linux namespaces. Adversaries exploit nsenter when pods are misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts), enabling them to interact with the underlying node filesystem and processes. This can be an indicator of a container escape attempt or privilege escalation. Security teams should pay close attention to any nsenter invocation from within containers, especially outside of normal maintenance activity or in workloads with elevated privileges. +search: | + `cisco_isovalent_process_exec` process_name="nsenter" + | eval WorkloadAncestorsBinary=mvjoin(parent_process_name, " <- ") + | stats count + min(_time) as firstTime + max(_time) as lastTime + values(process) as process + values(WorkloadAncestorsBinary) as WorkloadAncestorsBinary + by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: It is highly unlikely that nsenter will be used in a legitimate way, investigate the alert in context to rule out benign operations. +references: +- https://isovalent.com/blog/post/2021-11-container-escape/ +- https://kubehound.io/reference/attacks/CE_NSENTER/ +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search user = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An nsenter escape attempt has been detected by user on container pod - $pod_name$ + risk_objects: + - field: pod_name + type: system + score: 50 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1543 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml new file mode 100644 index 0000000000..a9cd9e3116 --- /dev/null +++ b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml @@ -0,0 +1,66 @@ +name: Cisco Isovalent - Pods Running Offensive Tools +id: e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e +version: 1 +date: '2025-08-21' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates, and mimikatz.exe). Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity. +search: | + `cisco_isovalent_process_exec` process_name IN ("nmap","masscan","zmap","impacket-","hashcat","SharpHound","kube-hunter","peirates") + | stats count + min(_time) as firstTime + max(_time) as lastTime + values(process) as process + by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___pods_running_offensive_tools_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: Security testing, approved red team exercises, or sanctioned diagnostics can trigger this analytic. Coordinate allowlists and maintenance windows with platform/SecOps teams. +references: +- https://dev.to/thenjdevopsguy/attacking-a-kubernetes-cluster-enter-red-team-mode-2onj +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Offensive tool execution ($process_name$) detected in pod $pod_name$ on cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 48 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1204.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec + diff --git a/detections/cloud/cisco_isovalent___potential_escape_to_host.yml b/detections/cloud/cisco_isovalent___potential_escape_to_host.yml new file mode 100644 index 0000000000..37f33acb87 --- /dev/null +++ b/detections/cloud/cisco_isovalent___potential_escape_to_host.yml @@ -0,0 +1,87 @@ +name: Cisco Isovalent - Potential Escape to Host +id: 2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab +version: 1 +date: '2025-10-01' +author: Bhavin Patel, Splunk +type: TTP +data_source: +- Cisco Isovalent Process Exec +status: production +description: | + This analytic detects potential container escape or reconnaissance attempts by monitoring for the rapid execution of multiple suspicious Linux commands (nsenter, mount, ps aux, and ls) within a short time window. The search aggregates process execution logs into 5-minute buckets and identifies when two or more distinct commands occur in quick succession. This behavior is noteworthy because attackers often chain these commands together to pivot from a container into the host, enumerate processes, or browse filesystems. For a SOC, catching these clustered command executions is important because it highlights possible adversary activity attempting to break isolation and escalate privileges inside a Kubernetes environment. +search: | + `cisco_isovalent_process_exec` + sourcetype=cisco:isovalent:processExec + ( + process_name IN ("nsenter","mount","ps","ls") + OR process="*nsenter*" OR process="*mount*" OR process="*ps aux*" OR process="*ps -ef*" + ) + | bin _time span=5m + | stats + count AS total_events + dc(process_name) AS distinct_cmds + min(_time) AS firstTime + max(_time) AS lastTime + values(process) AS process + values(process_name) AS process_name + BY cluster_name node_name pod_name _time + | eval duration_s = round(lastTime - firstTime, 0) + | where distinct_cmds >= 2 AND duration_s <= 120 + | table _time cluster_name node_name pod_name total_events distinct_cmds duration_s firstTime lastTime process process_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___potential_escape_to_host_filter` +how_to_implement: | + This detection relies on process execution telemetry from Cisco Isovalent Runtime Security. + Ensure Isovalent Runtime Security is deployed and configured in your Kubernetes environment + to generate process_exec events. Configure the Cisco Security Cloud TA to collect these logs + via HEC and normalize them into Splunk CIM. Privileged pods and hostPID configurations + should be closely monitored as they increase the risk of container escape attempts. +known_false_positives: | + Some legitimate administrative containers or troubleshooting workflows may use nsenter + or mount commands (e.g., debugging nodes with hostPID pods). Such activity should be + investigated in context to ensure it is not malicious. +references: +- https://attack.mitre.org/techniques/T1611/ +- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ +drilldown_searches: +- name: View the detection results for pod - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Escape-to-host attempt detected in pod $pod_name$ on cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 70 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1611 + atomic_guid: [] + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___shell_execution.yml b/detections/cloud/cisco_isovalent___shell_execution.yml new file mode 100644 index 0000000000..815e2a2df8 --- /dev/null +++ b/detections/cloud/cisco_isovalent___shell_execution.yml @@ -0,0 +1,57 @@ +name: Cisco Isovalent - Shell Execution +id: 12345678-abcd-1234-ef00-1234567890ab +version: 1 +date: '2025-09-17' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell (sh or bash) inside a container namespace. This behavior is significant for a SOC as it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity. +search: | + `cisco_isovalent_process_exec` process_name IN ("sh", "bash", "pwsh", "zsh") + | stats count by cluster_name parent_process_name process_name process_exec process_id node_name | `cisco_isovalent___shell_execution_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. +references: +- https://www.sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco +drilldown_searches: +- name: View the detection results for - "$node_name$" + search: '%original_detection_search% | search node_name = "$node_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$node_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$node_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A shell execution has been detected by user on container pod namespace $node_name$ + risk_objects: + - field: node_name + type: system + score: 49 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1543 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml new file mode 100644 index 0000000000..0fd5c55e5e --- /dev/null +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -0,0 +1,80 @@ +name: Cisco Isovalent - Suspicious Image Use +id: 9f2b7b1d-6c2f-4f2d-9a8b-8a1d7c5f2e11 +version: 1 +date: '2025-09-17' +author: Bhavin Patel, Splunk +status: production +type: Anomaly +description: | + The following analytic detects use of container images that fall outside an approved + allowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and + workload identity). Adversaries commonly introduce untrusted or newly published + images to deploy tooling, establish persistence, or abuse supply‑chain trust. This + behavior may indicate image pulls from unauthorized registries, execution of + unvetted software, or a drift from established deployment baselines. Extra scrutiny + is warranted for namespaces and workloads that normally source images from restricted + registries, and for pods that suddenly begin running images outside expected + prefixes. + + Maintain an environment‑specific allowlist via the macro `cisco_isovalent_allowed_images` + (for example, allow trusted registries/prefixes such as ImageName="gcr.io/org/*", + "registry.local/*", or "myco/*") and keep it updated as new baseline images are + introduced. This analytic alerts on images NOT matching the allowlist. +data_source: +- Cisco Isovalent Process Exec +search: | + `cisco_isovalent_process_exec` pod_name!="" + | search NOT `cisco_isovalent_allowed_images` + | stats count + min(_time) as firstTime + max(_time) as lastTime + by pod_image_name pod_namespace pod_name process_name cluster_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___suspicious_image_use_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. Create and maintain an environment‑specific macro named`cisco_isovalent_allowed_images` that returns true for approved images, for example:(ImageName="gcr.io/org/app:*" OR ImageName="registry.local/*" OR ImageName="myco/*"). The search alerts on images NOT matching that allowlist. Tune by namespace or team as needed. +known_false_positives: New legitimate images during rollouts or blue/green deployments may appear until the allowlist is updated. Coordinate with platform/DevOps teams to synchronize allowlist changes. +references: +- https://dev.to/thenjdevopsguy/attacking-a-kubernetes-cluster-enter-red-team-mode-2onj +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search user = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Suspicious (non‑allowlisted) image $pod_image_name$ used by pod $pod_name$ in namespace $Namespace$ in the cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 45 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Kubernetes + mitre_attack_id: + - T1204.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec + diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index 2443b5505f..62d963c655 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml @@ -1,8 +1,8 @@ name: Linux Add User Account id: 51fbcaf2-6259-11ec-b0f3-acde48001122 -version: 7 +version: 8 date: '2025-05-02' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting description: The following analytic detects the creation of new user accounts on Linux @@ -14,6 +14,7 @@ description: The following analytic detects the creation of new user accounts on the system, posing a severe security risk. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd *", "*adduser *") by Processes.action Processes.dest Processes.original_file_name @@ -40,6 +41,7 @@ tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1136.001 @@ -54,3 +56,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 8d4713d014..a1a5157105 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -1,8 +1,8 @@ name: Linux Adding Crontab Using List Parameter id: 52f6d751-1fd4-4c74-a4c9-777ecfeb5c58 -version: 7 -date: '2025-05-02' -author: Teoderick Contreras, Splunk +version: 8 +date: '2025-09-17' +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting description: The following analytic detects suspicious modifications to cron jobs @@ -40,6 +40,7 @@ references: - https://cert.gov.ua/article/39518 tags: analytic_story: + - Cisco Isovalent Suspicious Activity - Industroyer2 - Linux Privilege Escalation - Linux Living Off The Land @@ -61,3 +62,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index 528f624ef3..f18569a6ac 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -1,8 +1,8 @@ name: Linux apt-get Privilege Escalation id: d870ce3b-e796-402f-b2af-cab4da1223f2 -version: 9 -date: '2025-05-02' -author: Gowthamaraj Rajendran, Splunk +version: 10 +date: '2025-09-17' +author: Gowthamaraj Rajendran, Bhavin Patel, Splunk status: production type: Anomaly description: The following analytic detects the execution of the 'apt-get' command @@ -15,6 +15,7 @@ description: The following analytic detects the execution of the 'apt-get' comma compromise the entire system. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt-get*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" @@ -68,6 +69,7 @@ tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1548.003 @@ -82,3 +84,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 414ef6080d..dc4d54ac93 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -1,8 +1,8 @@ name: Linux At Application Execution id: bf0a378e-5f3c-11ec-a6de-acde48001122 -version: 8 +version: 9 date: '2025-05-02' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Anomaly description: The following analytic detects the execution of the "At" application @@ -66,6 +66,7 @@ tags: - Linux Persistence Techniques - Linux Living Off The Land - Scheduled Tasks + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1053.002 @@ -80,3 +81,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index 8aa322d09b..9cd23acac0 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml @@ -1,7 +1,7 @@ name: Linux Curl Upload File id: c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-30' author: Michael Haag, Splunk status: production type: TTP @@ -15,6 +15,7 @@ description: The following analytic detects the use of the curl command with spe and potential compromise of AWS resources. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-F *", "*--form *","*--upload-file *","*-T *","*-d *","*--data @@ -88,3 +89,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index a3f55ddc36..47cf46a587 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -1,7 +1,7 @@ name: Linux Decode Base64 to Shell id: 637b603e-1799-40fd-bf87-47ecbd551b66 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-10-01' author: Michael Haag, Splunk status: production type: TTP @@ -17,6 +17,7 @@ description: The following analytic detects the behavior of decoding base64-enco unauthorized access, for data exfiltration, or perform other malicious actions. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*|*" `linux_shells` by Processes.action Processes.dest Processes.original_file_name Processes.parent_process @@ -74,6 +75,7 @@ rba: tags: analytic_story: - Linux Living Off The Land + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1027 @@ -89,3 +91,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/macros/cisco_isovalent.yml b/macros/cisco_isovalent.yml new file mode 100644 index 0000000000..35754066eb --- /dev/null +++ b/macros/cisco_isovalent.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:isovalent +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_isovalent diff --git a/macros/cisco_isovalent_allowed_images.yml b/macros/cisco_isovalent_allowed_images.yml new file mode 100644 index 0000000000..3e399e0df4 --- /dev/null +++ b/macros/cisco_isovalent_allowed_images.yml @@ -0,0 +1,3 @@ +definition: pod_image_name IN ("docker.io/library/ubuntu:22.04","docker.io/grafana/grafana:12.0.1", "quay.io/isovalent-dev/tetragon-ci*",""quay.io/isovalent/tetragon-ci*","quay.io/isovalent/hubble-export-fluentd*") +description: List of image names which are allowed to be used in the Cisco Isovalent environment. PLease customize this macro to your environment to allowlist the images you want to allow. +name: cisco_isovalent_allowed_images \ No newline at end of file diff --git a/macros/cisco_isovalent_process_exec.yml b/macros/cisco_isovalent_process_exec.yml new file mode 100644 index 0000000000..f3442826c4 --- /dev/null +++ b/macros/cisco_isovalent_process_exec.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:isovalent:processExec +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_isovalent_process_exec diff --git a/stories/cisco_isovalent_suspicious_activity.yml b/stories/cisco_isovalent_suspicious_activity.yml new file mode 100644 index 0000000000..eddc342747 --- /dev/null +++ b/stories/cisco_isovalent_suspicious_activity.yml @@ -0,0 +1,24 @@ +name: Cisco Isovalent Suspicious Activity +id: 245ac99a-1355-44fe-9ef7-a7e826e20c6f +version: 1 +date: '2025-09-30' +author: Bhavin Patel, Splunk +status: production +description: This analytics story focuses on identifying suspicious activities and potential security threats within environments using Cisco Isovalent. It provides detection rules and guidance to help security teams recognize signs of adversary tactics such as unauthorized access attempts, unusual network activity, and other behaviors indicative of potential compromise. +narrative: | + Cisco Isovalent with Tetragon delivers kernel-level, eBPF-powered visibility that traditional logs miss, correlating process execution, file access, and network flows with Kubernetes workload identity (namespace, labels, pod/container) and full process ancestry. This depth enables reliable detection of real-world Kubernetes threats, including container escapes, ServiceAccount token theft and API abuse, IMDS credential access, kubectl-in-container misuse, DGA/C2 beacons over trusted SaaS (GitHub, Pastebin, Discord), insecure curl usage (-k/--insecure), cron-based persistence, crypto‑mining, scanner/supply-chain image pulls, privileged/hostPath abuse, and much more. + By continuously observing process_exec and L7 DNS/HTTP activity tied to specific pods and deployments, these detections surface late process launches, anomalous shells, and suspicious outbound connections that deviate from normal workload behavior—accelerating triage and response, reducing dwell time, and shrinking blast radius across Kubernetes environments. +references: +- https://isovalent.com/blog/post/isovalent-splunk-better-together/ +- https://isovalent.com/blog/post/mitre-attack-tetragon/ +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ +- https://attack.mitre.org/matrices/enterprise/containers/ +tags: + category: + - Adversary Tactics + - Cloud Security + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file