diff --git a/contentctl.yml b/contentctl.yml index 3676956e1d..6c8bb42c9e 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -44,9 +44,9 @@ apps: - uid: 7404 title: Cisco Security Cloud appid: CiscoSecurityCloud - version: 3.4.2 + version: 3.5.0 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_342.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/CiscoSecurityCloud-3.5.0.tar.gz - uid: 6652 title: Add-on for Linux Sysmon appid: Splunk_TA_linux_sysmon @@ -254,4 +254,4 @@ apps: githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd test_data_caches: - base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/ - base_directory_name: external_repos/attack_data + base_directory_name: external_repos/attack_data \ No newline at end of file diff --git a/data_sources/cisco_isovalent_process_connect.yml b/data_sources/cisco_isovalent_process_connect.yml new file mode 100644 index 0000000000..7d6ae5ce1a --- /dev/null +++ b/data_sources/cisco_isovalent_process_connect.yml @@ -0,0 +1,151 @@ +name: Cisco Isovalent Process Connect +id: bf8c76a1-6066-4759-ab77-d3f0a375519e +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +description: Captures detailed process connection events—including source and destination process metadata, execution lineage (ancestry), and Kubernetes workload context—generated by Cisco Isovalent instrumentation. Enables technical analysis of inter-process communications, container-level activity, and workload-specific network flows in cloud-native environments. +source: not_applicable +sourcetype: cisco:isovalent:processConnect +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.4.1 +fields: +- _time +- app +- cluster_name +- container_id +- dest +- dest_ip +- dest_port +- eventtype +- host +- index +- linecount +- node_labels.alpha.eksctl.io/cluster-name +- node_labels.alpha.eksctl.io/nodegroup-name +- node_labels.beta.kubernetes.io/arch +- node_labels.beta.kubernetes.io/instance-type +- node_labels.beta.kubernetes.io/os +- node_labels.eks.amazonaws.com/capacityType +- node_labels.eks.amazonaws.com/nodegroup +- node_labels.eks.amazonaws.com/nodegroup-image +- node_labels.eks.amazonaws.com/sourceLaunchTemplateId +- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion +- node_labels.failure-domain.beta.kubernetes.io/region +- node_labels.failure-domain.beta.kubernetes.io/zone +- node_labels.k8s.io/cloud-provider-aws +- node_labels.kubernetes.io/arch +- node_labels.kubernetes.io/hostname +- node_labels.kubernetes.io/os +- node_labels.node.kubernetes.io/instance-type +- node_labels.topology.k8s.aws/zone-id +- node_labels.topology.kubernetes.io/region +- node_labels.topology.kubernetes.io/zone +- node_name +- pod_image_name +- pod_name +- pod_namespace +- process_connect.destination_ip +- process_connect.destination_pod.name +- process_connect.destination_pod.namespace +- process_connect.destination_pod.pod_labels.app.kubernetes.io/component +- process_connect.destination_pod.pod_labels.app.kubernetes.io/instance +- process_connect.destination_pod.pod_labels.app.kubernetes.io/managed-by +- process_connect.destination_pod.pod_labels.app.kubernetes.io/name +- process_connect.destination_pod.pod_labels.app.kubernetes.io/part-of +- process_connect.destination_pod.pod_labels.app.kubernetes.io/version +- process_connect.destination_pod.pod_labels.eks.amazonaws.com/component +- process_connect.destination_pod.pod_labels.helm.sh/chart +- process_connect.destination_pod.pod_labels.k8s-app +- process_connect.destination_pod.pod_labels.pod-template-hash +- process_connect.destination_pod.workload +- process_connect.destination_pod.workload_kind +- process_connect.destination_port +- process_connect.parent.arguments +- process_connect.parent.auid +- process_connect.parent.binary +- process_connect.parent.cwd +- process_connect.parent.docker +- process_connect.parent.exec_id +- process_connect.parent.flags +- process_connect.parent.in_init_tree +- process_connect.parent.parent_exec_id +- process_connect.parent.pid +- process_connect.parent.pod.container.id +- process_connect.parent.pod.container.image.id +- process_connect.parent.pod.container.image.name +- process_connect.parent.pod.container.name +- process_connect.parent.pod.container.pid +- process_connect.parent.pod.container.start_time +- process_connect.parent.pod.name +- process_connect.parent.pod.namespace +- process_connect.parent.pod.pod_labels.app.kubernetes.io/instance +- process_connect.parent.pod.pod_labels.app.kubernetes.io/name +- process_connect.parent.pod.pod_labels.controller-revision-hash +- process_connect.parent.pod.pod_labels.k8s-app +- process_connect.parent.pod.pod_labels.pod-template-generation +- process_connect.parent.pod.workload +- process_connect.parent.pod.workload_kind +- process_connect.parent.start_time +- process_connect.parent.tid +- process_connect.parent.uid +- process_connect.process.arguments +- process_connect.process.auid +- process_connect.process.binary +- process_connect.process.cwd +- process_connect.process.docker +- process_connect.process.exec_id +- process_connect.process.flags +- process_connect.process.in_init_tree +- process_connect.process.parent_exec_id +- process_connect.process.pid +- process_connect.process.pod.container.id +- process_connect.process.pod.container.image.id +- process_connect.process.pod.container.image.name +- process_connect.process.pod.container.maybe_exec_probe +- process_connect.process.pod.container.name +- process_connect.process.pod.container.pid +- process_connect.process.pod.container.start_time +- process_connect.process.pod.name +- process_connect.process.pod.namespace +- process_connect.process.pod.pod_labels.app.kubernetes.io/instance +- process_connect.process.pod.pod_labels.app.kubernetes.io/name +- process_connect.process.pod.pod_labels.controller-revision-hash +- process_connect.process.pod.pod_labels.eks.amazonaws.com/component +- process_connect.process.pod.pod_labels.k8s-app +- process_connect.process.pod.pod_labels.pod-template-generation +- process_connect.process.pod.pod_labels.pod-template-hash +- process_connect.process.pod.workload +- process_connect.process.pod.workload_kind +- process_connect.process.start_time +- process_connect.process.tid +- process_connect.process.uid +- process_connect.protocol +- process_connect.sock_cookie +- process_connect.source_ip +- process_connect.source_port +- process_id +- punct +- session_id +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_ip +- src_port +- tag +- tag::app +- tag::eventtype +- time +- transport +- vendor_product +output_fields: +- dest_ip +- pod_name +- pod_namespace +- cluster_name +- node_name +example_log: | + {"process_connect":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMjQ5MDAwMDAwMDoxNjQ1","pid":1645,"uid":0,"cwd":"/","binary":"/usr/bin/kubelet","arguments":"--config-dir=/etc/kubernetes/kubelet/config.json.d --kubeconfig=/var/lib/kubelet/kubeconfig --image-credential-provider-bin-dir=/etc/eks/image-credential-provider --image-credential-provider-config=/etc/eks/image-credential-provider/config.json --node-ip=192.168.89.64 --cloud-provider=external --hostname-override=ip-192-168-89-64.us-west-2.compute.internal --config=/etc/kubernetes/kubelet/config.json --node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=k8s-goat-cluster,alpha.eksctl.io/nodegroup-name=ng-a99d40b1,eks.amazonaws.com/nodegroup-image=ami-0339636baccc3c183,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=ng-a99d40b1,eks.amazonaws.com/sourceLaunchTemplateId=lt-0da0169006f2a7c39","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.923218536Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1645,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false},"source_ip":"192.168.89.64","source_port":38106,"destination_ip":"192.168.88.89","destination_port":3000,"sock_cookie":"18446462614959565760","destination_pod":{"namespace":"tetragon","name":"tetragon-grafana-77b4f6f864-tjl29","pod_labels":{"app.kubernetes.io/instance":"tetragon","app.kubernetes.io/name":"grafana","app.kubernetes.io/version":"12.0.1","helm.sh/chart":"grafana-9.2.2","pod-template-hash":"77b4f6f864"},"workload":"tetragon-grafana","workload_kind":"Deployment"},"protocol":"TCP"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-11-04T23:32:55.401779Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} \ No newline at end of file diff --git a/data_sources/cisco_isovalent_process_exec.yml b/data_sources/cisco_isovalent_process_exec.yml new file mode 100644 index 0000000000..f09e53976f --- /dev/null +++ b/data_sources/cisco_isovalent_process_exec.yml @@ -0,0 +1,139 @@ +name: Cisco Isovalent Process Exec +id: 87654321-dcba-4321-00fe-0987654321ba +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +description: Logs process execution events within Cisco Isovalent environments, providing visibility into process exec ancestry and Kubernetes workload identity. +source: not_applicable +sourcetype: cisco:isovalent:processExec +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.4.1 +fields: +- _time +- cluster_name +- container_id +- eventtype +- host +- index +- linecount +- node_labels.alpha.eksctl.io/cluster-name +- node_labels.alpha.eksctl.io/nodegroup-name +- node_labels.beta.kubernetes.io/arch +- node_labels.beta.kubernetes.io/instance-type +- node_labels.beta.kubernetes.io/os +- node_labels.eks.amazonaws.com/capacityType +- node_labels.eks.amazonaws.com/nodegroup +- node_labels.eks.amazonaws.com/nodegroup-image +- node_labels.eks.amazonaws.com/sourceLaunchTemplateId +- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion +- node_labels.failure-domain.beta.kubernetes.io/region +- node_labels.failure-domain.beta.kubernetes.io/zone +- node_labels.k8s.io/cloud-provider-aws +- node_labels.kubernetes.io/arch +- node_labels.kubernetes.io/hostname +- node_labels.kubernetes.io/os +- node_labels.node.kubernetes.io/instance-type +- node_labels.topology.k8s.aws/zone-id +- node_labels.topology.kubernetes.io/region +- node_labels.topology.kubernetes.io/zone +- node_name +- parent_process +- parent_process_exec +- parent_process_id +- parent_process_name +- parent_process_path +- pod_image_name +- pod_name +- pod_namespace +- process +- process_current_directory +- process_exec +- process_exec.ancestors{}.arguments +- process_exec.ancestors{}.auid +- process_exec.ancestors{}.binary +- process_exec.ancestors{}.cwd +- process_exec.ancestors{}.exec_id +- process_exec.ancestors{}.flags +- process_exec.ancestors{}.in_init_tree +- process_exec.ancestors{}.parent_exec_id +- process_exec.ancestors{}.pid +- process_exec.ancestors{}.refcnt +- process_exec.ancestors{}.start_time +- process_exec.ancestors{}.tid +- process_exec.ancestors{}.uid +- process_exec.parent.arguments +- process_exec.parent.auid +- process_exec.parent.binary +- process_exec.parent.cwd +- process_exec.parent.docker +- process_exec.parent.exec_id +- process_exec.parent.flags +- process_exec.parent.in_init_tree +- process_exec.parent.parent_exec_id +- process_exec.parent.pid +- process_exec.parent.pod.container.id +- process_exec.parent.pod.container.image.id +- process_exec.parent.pod.container.image.name +- process_exec.parent.pod.container.name +- process_exec.parent.pod.container.pid +- process_exec.parent.pod.container.security_context.privileged +- process_exec.parent.pod.container.start_time +- process_exec.parent.pod.name +- process_exec.parent.pod.namespace +- process_exec.parent.pod.pod_labels.controller-revision-hash +- process_exec.parent.pod.pod_labels.k8s-app +- process_exec.parent.pod.pod_labels.pod-template-generation +- process_exec.parent.pod.workload +- process_exec.parent.pod.workload_kind +- process_exec.parent.start_time +- process_exec.parent.tid +- process_exec.parent.uid +- process_exec.process.arguments +- process_exec.process.auid +- process_exec.process.binary +- process_exec.process.cwd +- process_exec.process.docker +- process_exec.process.exec_id +- process_exec.process.flags +- process_exec.process.in_init_tree +- process_exec.process.parent_exec_id +- process_exec.process.pid +- process_exec.process.pod.container.id +- process_exec.process.pod.container.image.id +- process_exec.process.pod.container.image.name +- process_exec.process.pod.container.maybe_exec_probe +- process_exec.process.pod.container.name +- process_exec.process.pod.container.pid +- process_exec.process.pod.container.security_context.privileged +- process_exec.process.pod.container.start_time +- process_exec.process.pod.name +- process_exec.process.pod.namespace +- process_exec.process.pod.pod_labels.app.kubernetes.io/instance +- process_exec.process.pod.pod_labels.app.kubernetes.io/name +- process_exec.process.pod.pod_labels.controller-revision-hash +- process_exec.process.pod.pod_labels.k8s-app +- process_exec.process.pod.pod_labels.pod-template-generation +- process_exec.process.pod.workload +- process_exec.process.pod.workload_kind +- process_exec.process.start_time +- process_exec.process.tid +- process_exec.process.uid +- process_id +- process_name +- punct +- source +- sourcetype +- splunk_server +- splunk_server_group +- tag +- tag::eventtype +- time +- user_id +- vendor_product +output_fields: +- process_name +- process +example_log: | + {"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk5MjQ2MDAwNDozNTAyOTE0","pid":3502914,"uid":0,"cwd":"/app","binary":"/app/grpc-health-probe","arguments":"-addr=:50051 -connect-timeout=5s -rpc-timeout=5s","flags":"execve clone","start_time":"2025-08-14T20:42:47.459946745Z","auid":4294967295,"pod":{"namespace":"kube-system","name":"aws-node-9twpn","container":{"id":"containerd://dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","name":"aws-node","image":{"id":"sha256:0b48ad70935c9dea3627854c46a5d12028b941334ad82bf7be6a6fcddd4a2674","name":"066635153087.dkr.ecr.il-central-1.amazonaws.com/amazon-k8s-cni:v1.19.2"},"start_time":"2025-07-28T22:21:44Z","pid":3635324,"maybe_exec_probe":true,"security_context":{}},"pod_labels":{"app.kubernetes.io/instance":"aws-vpc-cni","app.kubernetes.io/name":"aws-node","controller-revision-hash":"dfddff8c5","k8s-app":"aws-node","pod-template-generation":"1"},"workload":"aws-node","workload_kind":"DaemonSet"},"docker":"dc5b541d139c38ec01e485712f0eec3","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","tid":3502914,"in_init_tree":false},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","pid":3502900,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process2848112653 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/939f032732ee71076b86175deba715fc56e5cacb6047fb3602069bdbbfd21e45.pid dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","flags":"execve clone","start_time":"2025-08-14T20:42:47.439585277Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","tid":3502900,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","pid":3059,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2025-07-28T22:21:34.807485194Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":3059,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T20:42:47.459945318Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} \ No newline at end of file diff --git a/data_sources/cisco_isovalent_process_kprobe.yml b/data_sources/cisco_isovalent_process_kprobe.yml new file mode 100644 index 0000000000..d2f08110c4 --- /dev/null +++ b/data_sources/cisco_isovalent_process_kprobe.yml @@ -0,0 +1,121 @@ +name: Cisco Isovalent Process Kprobe +id: b2620ef2-fac6-467f-bdc8-253d65db1cb9 +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +description: Captures kernel probe (kprobe) telemetry from Cisco Isovalent Runtime Security, including function name, arguments, and process context, enabling visibility into low-level kernel interactions that may indicate container escape attempts or system tampering. +source: not_applicable +sourcetype: cisco:isovalent +supported_TA: +- name: Cisco Security Cloud + url: https://splunkbase.splunk.com/app/7404 + version: 3.4.2 +fields: +- _time +- app +- cluster_name +- description +- duration +- eventtype +- host +- id +- index +- linecount +- node_labels.alpha.eksctl.io/cluster-name +- node_labels.alpha.eksctl.io/nodegroup-name +- node_labels.beta.kubernetes.io/arch +- node_labels.beta.kubernetes.io/instance-type +- node_labels.beta.kubernetes.io/os +- node_labels.eks.amazonaws.com/capacityType +- node_labels.eks.amazonaws.com/nodegroup +- node_labels.eks.amazonaws.com/nodegroup-image +- node_labels.eks.amazonaws.com/sourceLaunchTemplateId +- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion +- node_labels.failure-domain.beta.kubernetes.io/region +- node_labels.failure-domain.beta.kubernetes.io/zone +- node_labels.k8s.io/cloud-provider-aws +- node_labels.kubernetes.io/arch +- node_labels.kubernetes.io/hostname +- node_labels.kubernetes.io/os +- node_labels.node.kubernetes.io/instance-type +- node_labels.topology.k8s.aws/zone-id +- node_labels.topology.kubernetes.io/region +- node_labels.topology.kubernetes.io/zone +- node_name +- process_kprobe.action +- process_kprobe.args{}.bytes_arg +- process_kprobe.args{}.int_arg +- process_kprobe.args{}.label +- process_kprobe.args{}.size_arg +- process_kprobe.args{}.string_arg +- process_kprobe.function_name +- process_kprobe.parent.arguments +- process_kprobe.parent.auid +- process_kprobe.parent.binary +- process_kprobe.parent.cwd +- process_kprobe.parent.docker +- process_kprobe.parent.exec_id +- process_kprobe.parent.flags +- process_kprobe.parent.in_init_tree +- process_kprobe.parent.parent_exec_id +- process_kprobe.parent.pid +- process_kprobe.parent.pod.container.id +- process_kprobe.parent.pod.container.image.id +- process_kprobe.parent.pod.container.image.name +- process_kprobe.parent.pod.container.name +- process_kprobe.parent.pod.container.pid +- process_kprobe.parent.pod.container.start_time +- process_kprobe.parent.pod.name +- process_kprobe.parent.pod.namespace +- process_kprobe.parent.pod.pod_labels.run +- process_kprobe.parent.pod.workload +- process_kprobe.parent.pod.workload_kind +- process_kprobe.parent.start_time +- process_kprobe.parent.tid +- process_kprobe.parent.uid +- process_kprobe.policy_name +- process_kprobe.process.arguments +- process_kprobe.process.auid +- process_kprobe.process.binary +- process_kprobe.process.cwd +- process_kprobe.process.docker +- process_kprobe.process.exec_id +- process_kprobe.process.flags +- process_kprobe.process.in_init_tree +- process_kprobe.process.parent_exec_id +- process_kprobe.process.pid +- process_kprobe.process.pod.container.id +- process_kprobe.process.pod.container.image.id +- process_kprobe.process.pod.container.image.name +- process_kprobe.process.pod.container.name +- process_kprobe.process.pod.container.pid +- process_kprobe.process.pod.container.start_time +- process_kprobe.process.pod.name +- process_kprobe.process.pod.namespace +- process_kprobe.process.pod.pod_labels.run +- process_kprobe.process.pod.workload +- process_kprobe.process.pod.workload_kind +- process_kprobe.process.refcnt +- process_kprobe.process.start_time +- process_kprobe.process.tid +- process_kprobe.process.uid +- process_kprobe.return_action +- punct +- severity +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_type +- tag +- tag::app +- tag::eventtype +- time +- vendor_region +output_fields: +- pod_name +example_log: | + {"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NjIwOTk3MjEyOjEwNTYwNDc=","pid":1056047,"uid":0,"cwd":"/","binary":"/usr/sbin/logrotate","arguments":"/etc/logrotate.conf","flags":"execve","start_time":"2025-10-06T00:00:46.054215601Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NTA2MTI3NjQ4OjEwNTYwNDI=","refcnt":1,"tid":1056047,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NTA2MTI3NjQ4OjEwNTYwNDI=","pid":1056042,"uid":0,"cwd":"/","binary":"/usr/sbin/logrotate","arguments":"/etc/logrotate.conf","flags":"execve rootcwd clone","start_time":"2025-10-06T00:00:45.939345635Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDozOTUzMzQzODExNjox","tid":1056042,"in_init_tree":false},"function_name":"__arm64_sys_execve","args":[{"string_arg":"/bin/gzip","label":"filename"},{"bytes_arg":"","label":"argv"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-10-06T00:00:46.054335518Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}} + + diff --git a/detections/cloud/cisco_isovalent___access_to_cloud_metadata_service.yml b/detections/cloud/cisco_isovalent___access_to_cloud_metadata_service.yml new file mode 100644 index 0000000000..76a4a39283 --- /dev/null +++ b/detections/cloud/cisco_isovalent___access_to_cloud_metadata_service.yml @@ -0,0 +1,69 @@ +name: Cisco Isovalent - Access To Cloud Metadata Service +id: 7f2e1a9a-1e8e-4d2e-8b7c-5f2c3d6a9b21 +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Connect +status: production +description: The following analytic detects workloads accessing the cloud instance metadata service at 169.254.169.254. This IP is used by AWS, GCP and Azure metadata endpoints and is frequently abused in SSRF or lateral movement scenarios to obtain credentials and sensitive environment details. Monitor unexpected access to this service from application pods or namespaces where such behavior is atypical. +search: | + `cisco_isovalent_process_connect` | rename process_connect.parent.binary as binary | `excluded_cloud_binaries` + | stats count + min(_time) as firstTime + max(_time) as lastTime + values(dest_port) as dest_port + values(src_ip) as src_ip + by cluster_name pod_name pod_image_name pod_namespace node_name dest_ip + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___access_to_cloud_metadata_service_filter` +how_to_implement: This detection relies on Cisco Isovalent Runtime Security process_connect telemetry. Deploy Isovalent Runtime Security and the Cisco Security Cloud TA to collect these logs via HEC and normalize them. Optionally, a similar variant can be built with process_exec by looking for command-lines that reference 169.254.169.254 (for example curl or wget invocations from within pods). Please update a macro named `excluded_cloud_binaries` that returns true for binaries that are known to access the cloud metadata service. +known_false_positives: Legitimate platform components and node agents may query the metadata service. Validate by namespace, labels and workload identity; suppress expected sources and alert on atypical pods or namespaces. +references: +- https://attack.mitre.org/techniques/T1552/005/ +- https://hackerone.com/reports/341876 +- https://docs.isovalent.com/user-guide/sec-ops-visibility/lateral-movement/index.html +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Pod $pod_name$ accessed the cloud metadata service ($dest_ip$) in cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 50 + threat_objects: + - field: src_ip + type: ip_address +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Kubernetes + mitre_attack_id: + - T1552.005 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/process_connect.log + source: not_applicable + sourcetype: cisco:isovalent:processConnect + + diff --git a/detections/cloud/cisco_isovalent___cron_job_creation.yml b/detections/cloud/cisco_isovalent___cron_job_creation.yml new file mode 100644 index 0000000000..51f5aad9cf --- /dev/null +++ b/detections/cloud/cisco_isovalent___cron_job_creation.yml @@ -0,0 +1,68 @@ +name: Cisco Isovalent - Cron Job Creation +id: 94531a31-a041-4777-909f-cd92ed3b71ad +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information. +search: | + `cisco_isovalent_process_exec` process_name IN ("crond","cron","crontab") + | search pod_name!="" + | stats count + min(_time) as firstTime + max(_time) as lastTime + values(process) as process + by cluster_name pod_name parent_process_name process_name process_exec process_id node_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___cron_job_creation_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. +references: +- https://attack.mitre.org/techniques/T1053/003/ +- https://medium.com/@bag0zathev2/cronjobs-for-hackers-bugbounty-article-7d51588d0fd5 +- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: cron job creation detected in pod $pod_name$ in the cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 50 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Kubernetes + mitre_attack_id: + - T1053.003 + - T1053.007 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml new file mode 100644 index 0000000000..fcbab04e9a --- /dev/null +++ b/detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml @@ -0,0 +1,64 @@ +name: Cisco Isovalent - Curl Execution With Insecure Flags +id: c16c4899-d3f7-461b-92c2-cc0ef5758855 +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information. +search: | + `cisco_isovalent_process_exec` process_name="curl" + | regex process="(?i)(? 10 | `cisco_isovalent___kprobe_spike_filter` +how_to_implement: | + Requires Cisco Isovalent Runtime Security with kprobe tracing enabled and logs + forwarded into Splunk. Ensure that your Splunk Technology Add-on (TA) for Cisco + Security Cloud parses the kprobe JSON correctly. Tune the threshold based on + your workload baseline. +known_false_positives: | + Busy or noisy pods may legitimately produce bursts of kprobe events during normal + operation. Tune thresholds and filter by function_name to reduce false positives. +references: +- https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/kprobe_spike.log + source: not_applicable + sourcetype: cisco:isovalent \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___late_process_execution.yml b/detections/cloud/cisco_isovalent___late_process_execution.yml new file mode 100644 index 0000000000..b85b1a0178 --- /dev/null +++ b/detections/cloud/cisco_isovalent___late_process_execution.yml @@ -0,0 +1,69 @@ +name: Cisco Isovalent - Late Process Execution +id: 7f4b9b8e-5d6a-4a21-9e3f-0f1e8f2d1c3a +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: | + Detects process executions that occur well after a container has initialized, which can indicate + suspicious activity (e.g., interactive shells, injected binaries, or post-compromise tooling). + The analytic compares the process start time to the container start time and flags processes + launched more than 5 minutes (300 seconds) after initialization. +search: | + `cisco_isovalent_process_exec` process_name="sh" + | rename process_exec.process.start_time as ProcessStartTime + | rename process_exec.process.pod.container.start_time as ContainerStartTime + | eval ProcessStartTime=strptime(ProcessStartTime, "%Y-%m-%dT%H:%M:%S.%3Q") + | eval ContainerStartTime=strptime(ContainerStartTime, "%Y-%m-%dT%H:%M:%S.%9Q") + | eval ContainerTime5min=relative_time(ContainerStartTime, "+5m") + | where ProcessStartTime > ContainerTime5min + | table node_name cluster_name, pod_name, container_id, process_name, process_exec, process, ProcessStartTime, ContainerTime5min | `security_content_ctime(ProcessStartTime)` + | `security_content_ctime(ContainerTime5min)` + | `cisco_isovalent___late_process_execution_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. +references: +- https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html +drilldown_searches: +- name: View the detection results for pod - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Late process execution ($process_name$) detected in pod $pod_name$ + risk_objects: + - field: pod_name + type: system + score: 45 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1543 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent_process_exec_delayed_shell.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml new file mode 100644 index 0000000000..7cce771e81 --- /dev/null +++ b/detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml @@ -0,0 +1,70 @@ +name: Cisco Isovalent - Nsenter Usage in Kubernetes Pod +id: cd07120d-4265-481a-ba0f-3b91fbc5a02f +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: | + This analytic detects the execution of the nsenter utility from within a container, a technique often used for exploitation and container escape. Nsenter allows an attacker to enter the namespaces of another process—such as the host's init process (PID 1)—and execute a shell or other binaries with elevated privileges. For example, an attacker may use docker exec to gain a shell in a container, enumerate the PID of a target container or the host, and then use nsenter to access all namespaces (mount, UTS, IPC, net, pid) of the host or another container. Example to escape to the host: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`. The WorkloadAncestorsBinary field is used to track the ancestry of the process, this is useful to understand the context of the nsenter usage. + + The options -m -u -n -i -p correspond to the various Linux namespaces. Adversaries exploit nsenter when pods are misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts), enabling them to interact with the underlying node filesystem and processes. This can be an indicator of a container escape attempt or privilege escalation. Security teams should pay close attention to any nsenter invocation from within containers, especially outside of normal maintenance activity or in workloads with elevated privileges. +search: | + `cisco_isovalent_process_exec` process_name="nsenter" + | eval WorkloadAncestorsBinary=mvjoin(parent_process_name, " <- ") + | stats count + min(_time) as firstTime + max(_time) as lastTime + values(process) as process + values(WorkloadAncestorsBinary) as WorkloadAncestorsBinary + by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: It is highly unlikely that nsenter will be used in a legitimate way, investigate the alert in context to rule out benign operations. +references: +- https://isovalent.com/blog/post/2021-11-container-escape/ +- https://kubehound.io/reference/attacks/CE_NSENTER/ +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An nsenter escape attempt has been detected by user on container pod - $pod_name$ + risk_objects: + - field: pod_name + type: system + score: 50 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1543 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml new file mode 100644 index 0000000000..c856cd6b24 --- /dev/null +++ b/detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml @@ -0,0 +1,66 @@ +name: Cisco Isovalent - Pods Running Offensive Tools +id: e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates). We have created a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems. Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity. +search: | + `cisco_isovalent_process_exec` `linux_offsec_tool_processes` + | stats count + min(_time) as firstTime + max(_time) as lastTime + values(process) as process + by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___pods_running_offensive_tools_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: Security testing, approved red team exercises, or sanctioned diagnostics can trigger this analytic. Coordinate allowlists and maintenance windows with platform/SecOps teams. Please update a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems if your environment has additional known offensive tools that are not included in the macro. +references: +- https://dev.to/thenjdevopsguy/attacking-a-kubernetes-cluster-enter-red-team-mode-2onj +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Offensive tool execution ($process_name$) detected in pod $pod_name$ on cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 48 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1204.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec + diff --git a/detections/cloud/cisco_isovalent___potential_escape_to_host.yml b/detections/cloud/cisco_isovalent___potential_escape_to_host.yml new file mode 100644 index 0000000000..35ae1e2e9f --- /dev/null +++ b/detections/cloud/cisco_isovalent___potential_escape_to_host.yml @@ -0,0 +1,87 @@ +name: Cisco Isovalent - Potential Escape to Host +id: 2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: | + This analytic detects potential container escape or reconnaissance attempts by monitoring for the rapid execution of multiple suspicious Linux commands (nsenter, mount, ps aux, and ls) within a short time window. The search aggregates process execution logs into 5-minute buckets and identifies when two or more distinct commands occur in quick succession. This behavior is noteworthy because attackers often chain these commands together to pivot from a container into the host, enumerate processes, or browse filesystems. For a SOC, catching these clustered command executions is important because it highlights possible adversary activity attempting to break isolation and escalate privileges inside a Kubernetes environment. +search: | + `cisco_isovalent_process_exec` + + ( + process_name IN ("nsenter","mount","ps","ls") + OR process="*nsenter*" OR process="*mount*" OR process="*ps aux*" OR process="*ps -ef*" + ) + | bin _time span=5m + | stats + count AS total_events + dc(process_name) AS distinct_cmds + min(_time) AS firstTime + max(_time) AS lastTime + values(process) AS process + values(process_name) AS process_name + BY cluster_name node_name pod_name _time + | eval duration_s = round(lastTime - firstTime, 0) + | where distinct_cmds >= 2 AND duration_s <= 120 + | table _time cluster_name node_name pod_name total_events distinct_cmds duration_s firstTime lastTime process process_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___potential_escape_to_host_filter` +how_to_implement: | + This detection relies on process execution telemetry from Cisco Isovalent Runtime Security. + Ensure Isovalent Runtime Security is deployed and configured in your Kubernetes environment + to generate process_exec events. Configure the Cisco Security Cloud TA to collect these logs + via HEC and normalize them into Splunk CIM. Privileged pods and hostPID configurations + should be closely monitored as they increase the risk of container escape attempts. +known_false_positives: | + Some legitimate administrative containers or troubleshooting workflows may use nsenter + or mount commands (e.g., debugging nodes with hostPID pods). Such activity should be + investigated in context to ensure it is not malicious. +references: +- https://attack.mitre.org/techniques/T1611/ +- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ +drilldown_searches: +- name: View the detection results for pod - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Escape-to-host attempt detected in pod $pod_name$ on cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 70 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1611 + atomic_guid: [] + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/cloud/cisco_isovalent___shell_execution.yml b/detections/cloud/cisco_isovalent___shell_execution.yml new file mode 100644 index 0000000000..90a0de01b2 --- /dev/null +++ b/detections/cloud/cisco_isovalent___shell_execution.yml @@ -0,0 +1,57 @@ +name: Cisco Isovalent - Shell Execution +id: 12345678-abcd-1234-ef00-1234567890ab +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +type: Anomaly +data_source: +- Cisco Isovalent Process Exec +status: production +description: The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell (sh or bash) inside a container namespace. This behavior is significant for a SOC as it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity. +search: | + `cisco_isovalent_process_exec` process_name IN ("sh", "bash", "pwsh", "zsh") + | stats count by cluster_name parent_process_name process_name process_exec process_id node_name | `cisco_isovalent___shell_execution_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. +known_false_positives: This activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so please investigate the alert in context to rule out benign operations. +references: +- https://www.sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco +drilldown_searches: +- name: View the detection results for - "$node_name$" + search: '%original_detection_search% | search node_name = "$node_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$node_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$node_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A shell execution has been detected by user on container pod namespace $node_name$ + risk_objects: + - field: node_name + type: system + score: 49 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Endpoint + mitre_attack_id: + - T1543 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/cloud/cisco_isovalent___suspicious_image_use.yml b/detections/cloud/cisco_isovalent___suspicious_image_use.yml new file mode 100644 index 0000000000..25b622eea3 --- /dev/null +++ b/detections/cloud/cisco_isovalent___suspicious_image_use.yml @@ -0,0 +1,79 @@ +name: Cisco Isovalent - Suspicious Image Use +id: 9f2b7b1d-6c2f-4f2d-9a8b-8a1d7c5f2e11 +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +status: production +type: Anomaly +description: | + The following analytic detects use of container images that fall outside an approved + allowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and + workload identity). Adversaries commonly introduce untrusted or newly published + images to deploy tooling, establish persistence, or abuse supply‑chain trust. This + behavior may indicate image pulls from unauthorized registries, execution of + unvetted software, or a drift from established deployment baselines. Extra scrutiny + is warranted for namespaces and workloads that normally source images from restricted + registries, and for pods that suddenly begin running images outside expected + prefixes. + Maintain an environment‑specific allowlist via the macro `cisco_isovalent_allowed_images` + (for example, allow trusted registries/prefixes such as ImageName="gcr.io/org/*", + "registry.local/*", or "myco/*") and keep it updated as new baseline images are + introduced. This analytic alerts on images NOT matching the allowlist. +data_source: +- Cisco Isovalent Process Exec +search: | + `cisco_isovalent_process_exec` pod_name!="" + | search NOT `cisco_isovalent_allowed_images` + | stats count + min(_time) as firstTime + max(_time) as lastTime + by pod_image_name pod_namespace pod_name process_name cluster_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_isovalent___suspicious_image_use_filter` +how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. Create and maintain an environment‑specific macro named`cisco_isovalent_allowed_images` that returns true for approved images, for example:(ImageName="gcr.io/org/app:*" OR ImageName="registry.local/*" OR ImageName="myco/*"). The search alerts on images NOT matching that allowlist. Tune by namespace or team as needed. +known_false_positives: New legitimate images during rollouts or blue/green deployments may appear until the allowlist is updated. Coordinate with platform/DevOps teams to synchronize allowlist changes. +references: +- https://dev.to/thenjdevopsguy/attacking-a-kubernetes-cluster-enter-red-team-mode-2onj +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ +drilldown_searches: +- name: View the detection results for - "$pod_name$" + search: '%original_detection_search% | search pod_name = "$pod_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$pod_name$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Suspicious (non‑allowlisted) image $pod_image_name$ used by pod $pod_name$ in namespace $Namespace$ in the cluster $cluster_name$ + risk_objects: + - field: pod_name + type: system + score: 45 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Cisco Isovalent Suspicious Activity + asset_type: Kubernetes + mitre_attack_id: + - T1204.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec + diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml index 2443b5505f..62d963c655 100644 --- a/detections/endpoint/linux_add_user_account.yml +++ b/detections/endpoint/linux_add_user_account.yml @@ -1,8 +1,8 @@ name: Linux Add User Account id: 51fbcaf2-6259-11ec-b0f3-acde48001122 -version: 7 +version: 8 date: '2025-05-02' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting description: The following analytic detects the creation of new user accounts on Linux @@ -14,6 +14,7 @@ description: The following analytic detects the creation of new user accounts on the system, posing a severe security risk. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd *", "*adduser *") by Processes.action Processes.dest Processes.original_file_name @@ -40,6 +41,7 @@ tags: analytic_story: - Linux Privilege Escalation - Linux Persistence Techniques + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1136.001 @@ -54,3 +56,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml index 8d4713d014..a1a5157105 100644 --- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml +++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml @@ -1,8 +1,8 @@ name: Linux Adding Crontab Using List Parameter id: 52f6d751-1fd4-4c74-a4c9-777ecfeb5c58 -version: 7 -date: '2025-05-02' -author: Teoderick Contreras, Splunk +version: 8 +date: '2025-09-17' +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting description: The following analytic detects suspicious modifications to cron jobs @@ -40,6 +40,7 @@ references: - https://cert.gov.ua/article/39518 tags: analytic_story: + - Cisco Isovalent Suspicious Activity - Industroyer2 - Linux Privilege Escalation - Linux Living Off The Land @@ -61,3 +62,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml index 528f624ef3..bde25b532a 100644 --- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml @@ -1,8 +1,8 @@ name: Linux apt-get Privilege Escalation id: d870ce3b-e796-402f-b2af-cab4da1223f2 -version: 9 -date: '2025-05-02' -author: Gowthamaraj Rajendran, Splunk +version: 10 +date: '2025-11-18' +author: Gowthamaraj Rajendran, Bhavin Patel, Splunk status: production type: Anomaly description: The following analytic detects the execution of the 'apt-get' command @@ -15,6 +15,7 @@ description: The following analytic detects the execution of the 'apt-get' comma compromise the entire system. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt-get*" AND Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" @@ -68,6 +69,7 @@ tags: analytic_story: - Linux Privilege Escalation - Linux Living Off The Land + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1548.003 @@ -82,3 +84,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec \ No newline at end of file diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index 414ef6080d..dc4d54ac93 100644 --- a/detections/endpoint/linux_at_application_execution.yml +++ b/detections/endpoint/linux_at_application_execution.yml @@ -1,8 +1,8 @@ name: Linux At Application Execution id: bf0a378e-5f3c-11ec-a6de-acde48001122 -version: 8 +version: 9 date: '2025-05-02' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Anomaly description: The following analytic detects the execution of the "At" application @@ -66,6 +66,7 @@ tags: - Linux Persistence Techniques - Linux Living Off The Land - Scheduled Tasks + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1053.002 @@ -80,3 +81,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml index 8aa322d09b..9cd23acac0 100644 --- a/detections/endpoint/linux_curl_upload_file.yml +++ b/detections/endpoint/linux_curl_upload_file.yml @@ -1,7 +1,7 @@ name: Linux Curl Upload File id: c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-30' author: Michael Haag, Splunk status: production type: TTP @@ -15,6 +15,7 @@ description: The following analytic detects the use of the curl command with spe and potential compromise of AWS resources. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN ("*-F *", "*--form *","*--upload-file *","*-T *","*-d *","*--data @@ -88,3 +89,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index a3f55ddc36..47cf46a587 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -1,7 +1,7 @@ name: Linux Decode Base64 to Shell id: 637b603e-1799-40fd-bf87-47ecbd551b66 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-10-01' author: Michael Haag, Splunk status: production type: TTP @@ -17,6 +17,7 @@ description: The following analytic detects the behavior of decoding base64-enco unauthorized access, for data exfiltration, or perform other malicious actions. data_source: - Sysmon for Linux EventID 1 +- Cisco Isovalent Process Exec search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*|*" `linux_shells` by Processes.action Processes.dest Processes.original_file_name Processes.parent_process @@ -74,6 +75,7 @@ rba: tags: analytic_story: - Linux Living Off The Land + - Cisco Isovalent Suspicious Activity asset_type: Endpoint mitre_attack_id: - T1027 @@ -89,3 +91,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux +- name: True Positive Test - Cisco Isovalent + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log + source: not_applicable + sourcetype: cisco:isovalent:processExec diff --git a/macros/cisco_isovalent.yml b/macros/cisco_isovalent.yml new file mode 100644 index 0000000000..35754066eb --- /dev/null +++ b/macros/cisco_isovalent.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:isovalent +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_isovalent diff --git a/macros/cisco_isovalent_allowed_images.yml b/macros/cisco_isovalent_allowed_images.yml new file mode 100644 index 0000000000..4fd632bedd --- /dev/null +++ b/macros/cisco_isovalent_allowed_images.yml @@ -0,0 +1,3 @@ +definition: pod_image_name IN ("docker.io/library/ubuntu:22.04","docker.io/grafana/grafana:12.0.1", "quay.io/isovalent-dev/tetragon-ci*","quay.io/isovalent/tetragon-ci*","quay.io/isovalent/hubble-export-fluentd*") +description: List of image names which are allowed to be used in the Cisco Isovalent environment. Please customize this macro to your environment to allowlist the images you want to allow. +name: cisco_isovalent_allowed_images \ No newline at end of file diff --git a/macros/cisco_isovalent_process_connect.yml b/macros/cisco_isovalent_process_connect.yml new file mode 100644 index 0000000000..c69b09981f --- /dev/null +++ b/macros/cisco_isovalent_process_connect.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:isovalent:processConnect +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_isovalent_process_connect diff --git a/macros/cisco_isovalent_process_exec.yml b/macros/cisco_isovalent_process_exec.yml new file mode 100644 index 0000000000..f3442826c4 --- /dev/null +++ b/macros/cisco_isovalent_process_exec.yml @@ -0,0 +1,4 @@ +definition: sourcetype=cisco:isovalent:processExec +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: cisco_isovalent_process_exec diff --git a/macros/excluded_cloud_binaries.yml b/macros/excluded_cloud_binaries.yml new file mode 100644 index 0000000000..aa930a43f6 --- /dev/null +++ b/macros/excluded_cloud_binaries.yml @@ -0,0 +1,3 @@ +definition: search binary != "/app/aws-vpc-cni" AND binary != "/usr/bin/amazon-ssm-agent" AND binary != "/usr/bin/ssm-agent-worker" +description: This macro is intended to exclude binaries that are common in Kubernetes environments that are known to access the cloud metadata service. +name: excluded_cloud_binaries diff --git a/macros/linux_offsec_tool_processes.yml b/macros/linux_offsec_tool_processes.yml new file mode 100644 index 0000000000..c6a3682441 --- /dev/null +++ b/macros/linux_offsec_tool_processes.yml @@ -0,0 +1,24 @@ +definition: process_name IN ( + /* --- Network Scanning / Enumeration --- */ + "nmap", "masscan", "zmap", "amap", "netcat", "nc", "hping3", "ike-scan", + "dnsenum", "dnsrecon", "fierce", "theharvester", "sublist3r", + + /* --- Exploitation Frameworks --- */ + "metasploit", "msfconsole", "msfvenom", "empire", "pupy", "covenant", "havoc", + "sliver-client", "sliver-server", "poshc2", "mythic", "evilginx", "beef-xss", + + /* --- Credential Access / Cracking --- */ + "hydra", "medusa", "john", "hashcat", "crowbar", "patator", "mimikatz", + "impacket-", + + /* --- Reconnaissance / Enumeration --- */ + "ldapdomaindump", "enum4linux", "smbclient", "smbmap", "crackmapexec", + "bloodhound", "sharphound", "linpeas", "linenum", "pspy", "ldpreload", + + /* --- Privilege Escalation / Persistence --- */ + "peass-ng", "linpeas", "linux-exploit-suggester", "les", "exploitdb", + "persistence", "dirtycow", "dirtypipe", "sudo_killer") + +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: linux_offsec_tool_processes \ No newline at end of file diff --git a/stories/cisco_isovalent_suspicious_activity.yml b/stories/cisco_isovalent_suspicious_activity.yml new file mode 100644 index 0000000000..cb8fcca72e --- /dev/null +++ b/stories/cisco_isovalent_suspicious_activity.yml @@ -0,0 +1,25 @@ +name: Cisco Isovalent Suspicious Activity +id: 245ac99a-1355-44fe-9ef7-a7e826e20c6f +version: 1 +date: '2025-11-18' +author: Bhavin Patel, Splunk +status: production +description: This analytics story focuses on identifying suspicious activities and potential security threats within environments using Cisco Isovalent in Kubernetes. It provides detection analytics and guidance to help security teams recognize signs of adversary tactics such as unauthorized access attempts, unusual network activity, and other behaviors indicative of potential compromise in their Kubernetes environments. +narrative: | + Cisco Isovalent, leveraging Tetragon and powered by Cilium's advanced eBPF technology, provides unparalleled, real-time visibility directly from the Linux kernel—a depth unattainable with traditional logging or agent-based approaches. Cilium underpins Kubernetes networking with high-performance, identity-aware security, enabling deep inspection and enforcement of network, process, and workload interactions. Tetragon extends this with actionable, runtime observability, correlating every process execution, file access, and network flow with rich Kubernetes context—such as pod, namespace, and deployment labels—while preserving the full ancestry of each process. This unique combination allows security teams to detect and trace sophisticated attack techniques—like container escapes, ServiceAccount token abuse, in-cluster lateral movement, metadata credential harvesting (IMDS access), misused kubectl, hidden C2 channels, or abused cloud and SaaS services—often before they can escalate. + + This powerful, kernel-level telemetry enables security analytics to observe subtle deviations from baseline workload behavior and surface indicators of compromise that otherwise go undetected. By continuously monitoring granular audit events such as process_exec, process_connect, and custom kprobes mapped to application or system activity, analysts gain the context needed to identify late process launches, unexpected shells, suspicious outbound connections, crypto-mining, malicious persistence mechanisms, and adversary tradecraft targeting the Kubernetes control and data plane. The result is accelerated detection and response, minimized attacker dwell time, and containment of breaches before they can propagate across your cloud-native infrastructure. +references: +- https://isovalent.com/blog/post/isovalent-splunk-better-together/ +- https://isovalent.com/blog/post/mitre-attack-tetragon/ +- https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/ +- https://attack.mitre.org/matrices/enterprise/containers/ +tags: + category: + - Adversary Tactics + - Cloud Security + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file