Cisco Isovalent

Date: 2025-08-15 ID: 1fc537db-5e0b-4a2e-a768-27e08eff0c70 Author: Bhavin Patel, Splunk Environment: manual simulations in a K8s cluster running Tetragon Directory: cisco_isovalent

Description

Generated datasets for Cisco Isovalent Process Exec EventType by manual /atomic-red team simulations in a K8s cluster running Tetragon

MITRE ATT&CK Techniques

No MITRE techniques specified for this dataset.

Environment Details

Field	Value
Environment	manual simulations in a K8s cluster running Tetragon
Directory	cisco_isovalent
Test Date	2025-08-15

Datasets

The following datasets were collected during this attack simulation:

Cisco_isovalent

Path: /datasets/cisco_isovalent/cisco_isovalent.log
Sourcetype: cisco:isovalent
Source: cisco_isovalent

Delayed_shell

Path: /datasets/cisco_isovalent/cisco_isovalent_process_exec_delayed_shell.log
Sourcetype: cisco:isovalent:processExec
Source: cisco_isovalent

Kprobe_spike

Path: /datasets/cisco_isovalent/kprobe_spike.log
Sourcetype: cisco:isovalent
Source: cisco_isovalent

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Cisco Isovalent - Non Allowlisted Image Use	`Anomaly`	Endpoint	T1204.003	Cisco Isovalent Suspicious Activity
Cisco Isovalent - Cron Job Creation	`Anomaly`	Endpoint	T1053.003, T1053.007	Cisco Isovalent Suspicious Activity
Cisco Isovalent - Shell Execution	`Anomaly`	Endpoint	T1543	Cisco Isovalent Suspicious Activity
Linux Add User Account	`Hunting`	Endpoint	T1136.001	Linux Privilege Escalation, Linux Persistence Techniques, Cisco Isovalent Suspicious Activity
Linux Decode Base64 to Shell	`TTP`	Endpoint	T1027, T1059.004	Linux Living Off The Land, Cisco Isovalent Suspicious Activity
Linux Adding Crontab Using List Parameter	`Hunting`	Endpoint	T1053.003	Cisco Isovalent Suspicious Activity, Industroyer2, Linux Privilege Escalation, Linux Living Off The Land, Data Destruction, Linux Persistence Techniques, Scheduled Tasks, Gomir
Cisco Isovalent - Nsenter Usage in Kubernetes Pod	`Anomaly`	Endpoint	T1543	Cisco Isovalent Suspicious Activity
Cisco Isovalent - Curl Execution With Insecure Flags	`Anomaly`	Endpoint	T1105	Cisco Isovalent Suspicious Activity
Cisco Isovalent - Pods Running Offensive Tools	`Anomaly`	Endpoint	T1204.003	Cisco Isovalent Suspicious Activity
Linux At Application Execution	`Anomaly`	Endpoint	T1053.002	Linux Privilege Escalation, Linux Persistence Techniques, Linux Living Off The Land, Scheduled Tasks, Cisco Isovalent Suspicious Activity
Linux Curl Upload File	`TTP`	Endpoint	T1105	Linux Living Off The Land, Data Exfiltration, Ingress Tool Transfer, NPM Supply Chain Compromise
Linux apt-get Privilege Escalation	`Anomaly`	Endpoint	T1548.003	Linux Privilege Escalation, Linux Living Off The Land, Cisco Isovalent Suspicious Activity
Cisco Isovalent - Kprobe Spike	`Hunting`	Endpoint	T1068	Cisco Isovalent Suspicious Activity
Cisco Isovalent - Late Process Execution	`Anomaly`	Endpoint	T1543	Cisco Isovalent Suspicious Activity
Cisco Isovalent - Potential Escape to Host	`Anomaly`	Endpoint	T1611	Cisco Isovalent Suspicious Activity

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/cisco_isovalent/cisco_isovalent.log --index attack_data

Manual Import

Download the dataset files from the paths listed above
Configure your Splunk instance with the appropriate sourcetypes
Import the logs using the Splunk Add Data wizard

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0