59 commits
9c53da8
adding 1 detection
patel-bhavin Aug 14, 2025
3fdd953
one more
patel-bhavin Aug 14, 2025
36aac51
not sure
patel-bhavin Aug 21, 2025
21b17fd
adding draft detections
patel-bhavin Aug 26, 2025
40c9732
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Aug 27, 2025
4f78689
stash a commit
patel-bhavin Sep 3, 2025
c9e8628
updating sourcetype and fields
patel-bhavin Sep 3, 2025
2a8d3e4
updating detections
patel-bhavin Sep 3, 2025
b54a8cc
textual updates
patel-bhavin Sep 3, 2025
fd21a77
new detection for sus images
patel-bhavin Sep 3, 2025
fd5f7c2
updating fields
patel-bhavin Sep 3, 2025
ed3bc02
adding new search
patel-bhavin Sep 3, 2025
dff1a2c
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Sep 15, 2025
d602c7e
testing TA
patel-bhavin Sep 15, 2025
576fac3
space
patel-bhavin Sep 15, 2025
f21f9e4
fixing sourcetype
patel-bhavin Sep 15, 2025
a50280d
updating detection and dataset
patel-bhavin Sep 16, 2025
b6058aa
updates to all files
patel-bhavin Sep 17, 2025
f800a3b
updating isovalent detections
patel-bhavin Sep 17, 2025
be1c385
updating dataset
patel-bhavin Sep 17, 2025
f692117
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Sep 29, 2025
1bd337d
updating two detections
patel-bhavin Sep 30, 2025
e8d6292
yaml fixes
patel-bhavin Sep 30, 2025
4fbadb3
fixing mitre
patel-bhavin Sep 30, 2025
64dd230
added dataset for curl
patel-bhavin Oct 1, 2025
03ff337
add new detection
patel-bhavin Oct 1, 2025
a181580
new detection
patel-bhavin Oct 1, 2025
dfc80d9
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Oct 2, 2025
444abaf
updating links
patel-bhavin Oct 2, 2025
bcb0184
fixing data source app
patel-bhavin Oct 2, 2025
e10390c
adding correct fields and output fields
patel-bhavin Oct 2, 2025
36d6a75
inspect error
patel-bhavin Oct 2, 2025
794bcd4
incorrect change
patel-bhavin Oct 2, 2025
fd24e9d
updating path
patel-bhavin Oct 3, 2025
445a333
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Oct 6, 2025
4fc2c9d
Update stories/cisco_isovalent_suspicious_activity.yml
patel-bhavin Oct 6, 2025
ad8c286
Update detections/cloud/cisco_isovalent___detect_shell_execution.yml
patel-bhavin Oct 6, 2025
eff7562
remove detect from everywhere
patel-bhavin Oct 6, 2025
efc4ce8
adding story
patel-bhavin Oct 6, 2025
9d6e1e4
updating allowed images
patel-bhavin Oct 6, 2025
ec6afbc
adding images
patel-bhavin Oct 6, 2025
31e147b
fixes and new data source
patel-bhavin Oct 6, 2025
a324454
spl update
patel-bhavin Oct 9, 2025
74554de
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Oct 17, 2025
6187bc2
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Oct 27, 2025
15b31ea
testing new TA build
patel-bhavin Oct 27, 2025
82d08f7
fixes
patel-bhavin Oct 28, 2025
2629949
adding new dataset
patel-bhavin Oct 28, 2025
9aad614
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Oct 28, 2025
317b492
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Oct 30, 2025
1b4d121
new type of data source
patel-bhavin Nov 4, 2025
8a150c7
adding better text
patel-bhavin Nov 5, 2025
14e792b
story test
patel-bhavin Nov 5, 2025
64da5e6
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Nov 13, 2025
c3921e9
testing TA
patel-bhavin Nov 14, 2025
0cf1539
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Nov 14, 2025
e1a9cf5
chore: empty commit to trigger CI
patel-bhavin Nov 17, 2025
8b5c034
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Nov 17, 2025
d170342
Merge branch 'develop' into isovalent_batch_1
patel-bhavin Nov 17, 2025
6 changes: 3 additions & 3 deletions contentctl.yml
Expand Up @@ -44,9 +44,9 @@ apps:
- uid: 7404
title: Cisco Security Cloud
appid: CiscoSecurityCloud
version: 3.4.2
version: 3.5.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_342.tgz
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/CiscoSecurityCloud-3.5.0.tar.gz
- uid: 6652
title: Add-on for Linux Sysmon
appid: Splunk_TA_linux_sysmon
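Review bot: The new `hardcoded_path` for Cisco Security Cloud points the test harness at a tarball fetched from an S3 bucket, and nothing in this entry pins what that file should contain. If contentctl offers a checksum or a Splunkbase-resolved download for this app, prefer that over a bare URL so a replaced object in the bucket is noticed; otherwise record the expected hash of `CiscoSecurityCloud-3.5.0.tar.gz` in the PR description. The artifact naming also changed from `cisco-security-cloud_342.tgz` to `CiscoSecurityCloud-3.5.0.tar.gz`; settle on one convention so later bumps are a version-only edit.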
Expand Down Expand Up @@ -254,4 +254,4 @@ apps:
githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
test_data_caches:
- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
base_directory_name: external_repos/attack_data
base_directory_name: external_repos/attack_data
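Review bot: The final line of this hunk, `base_directory_name: external_repos/attack_data`, shows as removed and re-added with identical text, so the change is whitespace or the end-of-file newline only. Confirm it is intentional (the file should end with a single newline) or drop it so the diff to `contentctl.yml` stays limited to the app version bump.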
151 changes: 151 additions & 0 deletions data_sources/cisco_isovalent_process_connect.yml
@@ -0,0 +1,151 @@
name: Cisco Isovalent Process Connect
id: bf8c76a1-6066-4759-ab77-d3f0a375519e
version: 1
date: '2025-08-12'
author: Bhavin Patel, Splunk
description: Captures detailed process connection events—including source and destination process metadata, execution lineage (ancestry), and Kubernetes workload context—generated by Cisco Isovalent instrumentation. Enables technical analysis of inter-process communications, container-level activity, and workload-specific network flows in cloud-native environments.
source: not_applicable
sourcetype: cisco:isovalent:processConnect
supported_TA:
- name: Cisco Security Cloud
url: https://splunkbase.splunk.com/app/7404
version: 3.4.1
fields:
- _time
- app
- cluster_name
- container_id
- dest
- dest_ip
- dest_port
- eventtype
- host
- index
- linecount
- node_labels.alpha.eksctl.io/cluster-name
- node_labels.alpha.eksctl.io/nodegroup-name
- node_labels.beta.kubernetes.io/arch
- node_labels.beta.kubernetes.io/instance-type
- node_labels.beta.kubernetes.io/os
- node_labels.eks.amazonaws.com/capacityType
- node_labels.eks.amazonaws.com/nodegroup
- node_labels.eks.amazonaws.com/nodegroup-image
- node_labels.eks.amazonaws.com/sourceLaunchTemplateId
- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion
- node_labels.failure-domain.beta.kubernetes.io/region
- node_labels.failure-domain.beta.kubernetes.io/zone
- node_labels.k8s.io/cloud-provider-aws
- node_labels.kubernetes.io/arch
- node_labels.kubernetes.io/hostname
- node_labels.kubernetes.io/os
- node_labels.node.kubernetes.io/instance-type
- node_labels.topology.k8s.aws/zone-id
- node_labels.topology.kubernetes.io/region
- node_labels.topology.kubernetes.io/zone
- node_name
- pod_image_name
- pod_name
- pod_namespace
- process_connect.destination_ip
- process_connect.destination_pod.name
- process_connect.destination_pod.namespace
- process_connect.destination_pod.pod_labels.app.kubernetes.io/component
- process_connect.destination_pod.pod_labels.app.kubernetes.io/instance
- process_connect.destination_pod.pod_labels.app.kubernetes.io/managed-by
- process_connect.destination_pod.pod_labels.app.kubernetes.io/name
- process_connect.destination_pod.pod_labels.app.kubernetes.io/part-of
- process_connect.destination_pod.pod_labels.app.kubernetes.io/version
- process_connect.destination_pod.pod_labels.eks.amazonaws.com/component
- process_connect.destination_pod.pod_labels.helm.sh/chart
- process_connect.destination_pod.pod_labels.k8s-app
- process_connect.destination_pod.pod_labels.pod-template-hash
- process_connect.destination_pod.workload
- process_connect.destination_pod.workload_kind
- process_connect.destination_port
- process_connect.parent.arguments
- process_connect.parent.auid
- process_connect.parent.binary
- process_connect.parent.cwd
- process_connect.parent.docker
- process_connect.parent.exec_id
- process_connect.parent.flags
- process_connect.parent.in_init_tree
- process_connect.parent.parent_exec_id
- process_connect.parent.pid
- process_connect.parent.pod.container.id
- process_connect.parent.pod.container.image.id
- process_connect.parent.pod.container.image.name
- process_connect.parent.pod.container.name
- process_connect.parent.pod.container.pid
- process_connect.parent.pod.container.start_time
- process_connect.parent.pod.name
- process_connect.parent.pod.namespace
- process_connect.parent.pod.pod_labels.app.kubernetes.io/instance
- process_connect.parent.pod.pod_labels.app.kubernetes.io/name
- process_connect.parent.pod.pod_labels.controller-revision-hash
- process_connect.parent.pod.pod_labels.k8s-app
- process_connect.parent.pod.pod_labels.pod-template-generation
- process_connect.parent.pod.workload
- process_connect.parent.pod.workload_kind
- process_connect.parent.start_time
- process_connect.parent.tid
- process_connect.parent.uid
- process_connect.process.arguments
- process_connect.process.auid
- process_connect.process.binary
- process_connect.process.cwd
- process_connect.process.docker
- process_connect.process.exec_id
- process_connect.process.flags
- process_connect.process.in_init_tree
- process_connect.process.parent_exec_id
- process_connect.process.pid
- process_connect.process.pod.container.id
- process_connect.process.pod.container.image.id
- process_connect.process.pod.container.image.name
- process_connect.process.pod.container.maybe_exec_probe
- process_connect.process.pod.container.name
- process_connect.process.pod.container.pid
- process_connect.process.pod.container.start_time
- process_connect.process.pod.name
- process_connect.process.pod.namespace
- process_connect.process.pod.pod_labels.app.kubernetes.io/instance
- process_connect.process.pod.pod_labels.app.kubernetes.io/name
- process_connect.process.pod.pod_labels.controller-revision-hash
- process_connect.process.pod.pod_labels.eks.amazonaws.com/component
- process_connect.process.pod.pod_labels.k8s-app
- process_connect.process.pod.pod_labels.pod-template-generation
- process_connect.process.pod.pod_labels.pod-template-hash
- process_connect.process.pod.workload
- process_connect.process.pod.workload_kind
- process_connect.process.start_time
- process_connect.process.tid
- process_connect.process.uid
- process_connect.protocol
- process_connect.sock_cookie
- process_connect.source_ip
- process_connect.source_port
- process_id
- punct
- session_id
- source
- sourcetype
- splunk_server
- splunk_server_group
- src
- src_ip
- src_port
- tag
- tag::app
- tag::eventtype
- time
- transport
- vendor_product
output_fields:
- dest_ip
- pod_name
- pod_namespace
- cluster_name
- node_name
example_log: |
{"process_connect":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMjQ5MDAwMDAwMDoxNjQ1","pid":1645,"uid":0,"cwd":"/","binary":"/usr/bin/kubelet","arguments":"--config-dir=/etc/kubernetes/kubelet/config.json.d --kubeconfig=/var/lib/kubelet/kubeconfig --image-credential-provider-bin-dir=/etc/eks/image-credential-provider --image-credential-provider-config=/etc/eks/image-credential-provider/config.json --node-ip=192.168.89.64 --cloud-provider=external --hostname-override=ip-192-168-89-64.us-west-2.compute.internal --config=/etc/kubernetes/kubelet/config.json --node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=k8s-goat-cluster,alpha.eksctl.io/nodegroup-name=ng-a99d40b1,eks.amazonaws.com/nodegroup-image=ami-0339636baccc3c183,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=ng-a99d40b1,eks.amazonaws.com/sourceLaunchTemplateId=lt-0da0169006f2a7c39","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.923218536Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1645,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid 
rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false},"source_ip":"192.168.89.64","source_port":38106,"destination_ip":"192.168.88.89","destination_port":3000,"sock_cookie":"18446462614959565760","destination_pod":{"namespace":"tetragon","name":"tetragon-grafana-77b4f6f864-tjl29","pod_labels":{"app.kubernetes.io/instance":"tetragon","app.kubernetes.io/name":"grafana","app.kubernetes.io/version":"12.0.1","helm.sh/chart":"grafana-9.2.2","pod-template-hash":"77b4f6f864"},"workload":"tetragon-grafana","workload_kind":"Deployment"},"protocol":"TCP"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-11-04T23:32:55.401779Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
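Review bot: `supported_TA` in this new data source pins Cisco Security Cloud at `version: 3.4.1`, while the same PR moves `contentctl.yml` from 3.4.2 to 3.5.0, so the declared TA version matches neither the old nor the new test app. Set it to the version the field list and `example_log` were captured with. Separately, `example_log` carries what look like live environment identifiers (node IP and hostname, `ami-0339636baccc3c183`, `lt-0da0169006f2a7c39`); replace them with sanitized values before merge, and check that the break after `"flags":"procFS auid ` is not a literal newline inside the JSON string, which would make the sample unparseable.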
139 changes: 139 additions & 0 deletions data_sources/cisco_isovalent_process_exec.yml
@@ -0,0 +1,139 @@
name: Cisco Isovalent Process Exec
id: 87654321-dcba-4321-00fe-0987654321ba
version: 1
date: '2025-08-12'
author: Bhavin Patel, Splunk
description: Logs process execution events within Cisco Isovalent environments, providing visibility into process exec ancestry and Kubernetes workload identity.
source: not_applicable
sourcetype: cisco:isovalent:processExec
supported_TA:
- name: Cisco Security Cloud
url: https://splunkbase.splunk.com/app/7404
version: 3.4.1
fields:
- _time
- cluster_name
- container_id
- eventtype
- host
- index
- linecount
- node_labels.alpha.eksctl.io/cluster-name
- node_labels.alpha.eksctl.io/nodegroup-name
- node_labels.beta.kubernetes.io/arch
- node_labels.beta.kubernetes.io/instance-type
- node_labels.beta.kubernetes.io/os
- node_labels.eks.amazonaws.com/capacityType
- node_labels.eks.amazonaws.com/nodegroup
- node_labels.eks.amazonaws.com/nodegroup-image
- node_labels.eks.amazonaws.com/sourceLaunchTemplateId
- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion
- node_labels.failure-domain.beta.kubernetes.io/region
- node_labels.failure-domain.beta.kubernetes.io/zone
- node_labels.k8s.io/cloud-provider-aws
- node_labels.kubernetes.io/arch
- node_labels.kubernetes.io/hostname
- node_labels.kubernetes.io/os
- node_labels.node.kubernetes.io/instance-type
- node_labels.topology.k8s.aws/zone-id
- node_labels.topology.kubernetes.io/region
- node_labels.topology.kubernetes.io/zone
- node_name
- parent_process
- parent_process_exec
- parent_process_id
- parent_process_name
- parent_process_path
- pod_image_name
- pod_name
- pod_namespace
- process
- process_current_directory
- process_exec
- process_exec.ancestors{}.arguments
- process_exec.ancestors{}.auid
- process_exec.ancestors{}.binary
- process_exec.ancestors{}.cwd
- process_exec.ancestors{}.exec_id
- process_exec.ancestors{}.flags
- process_exec.ancestors{}.in_init_tree
- process_exec.ancestors{}.parent_exec_id
- process_exec.ancestors{}.pid
- process_exec.ancestors{}.refcnt
- process_exec.ancestors{}.start_time
- process_exec.ancestors{}.tid
- process_exec.ancestors{}.uid
- process_exec.parent.arguments
- process_exec.parent.auid
- process_exec.parent.binary
- process_exec.parent.cwd
- process_exec.parent.docker
- process_exec.parent.exec_id
- process_exec.parent.flags
- process_exec.parent.in_init_tree
- process_exec.parent.parent_exec_id
- process_exec.parent.pid
- process_exec.parent.pod.container.id
- process_exec.parent.pod.container.image.id
- process_exec.parent.pod.container.image.name
- process_exec.parent.pod.container.name
- process_exec.parent.pod.container.pid
- process_exec.parent.pod.container.security_context.privileged
- process_exec.parent.pod.container.start_time
- process_exec.parent.pod.name
- process_exec.parent.pod.namespace
- process_exec.parent.pod.pod_labels.controller-revision-hash
- process_exec.parent.pod.pod_labels.k8s-app
- process_exec.parent.pod.pod_labels.pod-template-generation
- process_exec.parent.pod.workload
- process_exec.parent.pod.workload_kind
- process_exec.parent.start_time
- process_exec.parent.tid
- process_exec.parent.uid
- process_exec.process.arguments
- process_exec.process.auid
- process_exec.process.binary
- process_exec.process.cwd
- process_exec.process.docker
- process_exec.process.exec_id
- process_exec.process.flags
- process_exec.process.in_init_tree
- process_exec.process.parent_exec_id
- process_exec.process.pid
- process_exec.process.pod.container.id
- process_exec.process.pod.container.image.id
- process_exec.process.pod.container.image.name
- process_exec.process.pod.container.maybe_exec_probe
- process_exec.process.pod.container.name
- process_exec.process.pod.container.pid
- process_exec.process.pod.container.security_context.privileged
- process_exec.process.pod.container.start_time
- process_exec.process.pod.name
- process_exec.process.pod.namespace
- process_exec.process.pod.pod_labels.app.kubernetes.io/instance
- process_exec.process.pod.pod_labels.app.kubernetes.io/name
- process_exec.process.pod.pod_labels.controller-revision-hash
- process_exec.process.pod.pod_labels.k8s-app
- process_exec.process.pod.pod_labels.pod-template-generation
- process_exec.process.pod.workload
- process_exec.process.pod.workload_kind
- process_exec.process.start_time
- process_exec.process.tid
- process_exec.process.uid
- process_id
- process_name
- punct
- source
- sourcetype
- splunk_server
- splunk_server_group
- tag
- tag::eventtype
- time
- user_id
- vendor_product
output_fields:
- process_name
- process
example_log: |
{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk5MjQ2MDAwNDozNTAyOTE0","pid":3502914,"uid":0,"cwd":"/app","binary":"/app/grpc-health-probe","arguments":"-addr=:50051 -connect-timeout=5s -rpc-timeout=5s","flags":"execve clone","start_time":"2025-08-14T20:42:47.459946745Z","auid":4294967295,"pod":{"namespace":"kube-system","name":"aws-node-9twpn","container":{"id":"containerd://dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","name":"aws-node","image":{"id":"sha256:0b48ad70935c9dea3627854c46a5d12028b941334ad82bf7be6a6fcddd4a2674","name":"066635153087.dkr.ecr.il-central-1.amazonaws.com/amazon-k8s-cni:v1.19.2"},"start_time":"2025-07-28T22:21:44Z","pid":3635324,"maybe_exec_probe":true,"security_context":{}},"pod_labels":{"app.kubernetes.io/instance":"aws-vpc-cni","app.kubernetes.io/name":"aws-node","controller-revision-hash":"dfddff8c5","k8s-app":"aws-node","pod-template-generation":"1"},"workload":"aws-node","workload_kind":"DaemonSet"},"docker":"dc5b541d139c38ec01e485712f0eec3","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","tid":3502914,"in_init_tree":false},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","pid":3502900,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process2848112653 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/939f032732ee71076b86175deba715fc56e5cacb6047fb3602069bdbbfd21e45.pid 
dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","flags":"execve clone","start_time":"2025-08-14T20:42:47.439585277Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","tid":3502900,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","pid":3059,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2025-07-28T22:21:34.807485194Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":3059,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid 
rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T20:42:47.459945318Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
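Review bot: `id: 87654321-dcba-4321-00fe-0987654321ba` reads as a hand-typed placeholder (a reversed digit run, and the leading nibble of `00fe` is not a variant a generated UUIDv4 produces), unlike the `id` in `cisco_isovalent_process_connect.yml`. Generate a fresh UUIDv4 so this data source id cannot collide with another copy of the same template. Three smaller points in the same file: `supported_TA` `version: 3.4.1` has the same mismatch with the 3.5.0 app in `contentctl.yml`; `output_fields` lists only `process_name` and `process`, with none of the pod, namespace, cluster or node context the connect data source exposes; and the image name in `example_log` embeds an AWS account id in the ECR registry host, which should be sanitized.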