Conversation

@patel-bhavin (Contributor) commented Oct 2, 2025

New Analytic Story - [1]

New Analytics - [10]

Updated Analytics - [6]

Macros Added - [3]

  • cisco_isovalent
  • cisco_isovalent_allowed_images
  • cisco_isovalent_process_connect.yml
  • cisco_isovalent_process_exec
  • excluded_cloud_binaries.yml
  • linux_offsec_tool_processes.yml

Data Sources Added - [3]

  • Cisco Isovalent Process Connect
  • Cisco Isovalent Process Exec
  • Cisco Isovalent Process Kprobe

@patel-bhavin patel-bhavin marked this pull request as ready for review November 17, 2025 17:09
@nasbench nasbench self-requested a review November 17, 2025 22:03
@patel-bhavin patel-bhavin added this to the v5.19.0 milestone Nov 18, 2025
Copilot AI left a comment

Pull Request Overview

This pull request introduces comprehensive Cisco Isovalent Runtime Security detection capabilities for Kubernetes environments. It adds a new analytic story with 9 new cloud detections, updates 6 existing Linux endpoint detections to support Isovalent telemetry, and defines 3 data sources and 3 macros for the Cisco Isovalent integration.

  • Adds detection analytics for suspicious Kubernetes activity including container escapes, offensive tools, metadata service access, and late process execution
  • Updates existing Linux detections to support Cisco Isovalent data source alongside Sysmon
  • Introduces macros for Cisco Isovalent data source filtering and allowed image management

Reviewed Changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 25 comments.

File - Description
stories/cisco_isovalent_suspicious_activity.yml - New analytic story defining the Cisco Isovalent threat detection framework
macros/cisco_isovalent_process_exec.yml - Macro defining sourcetype filter for process execution events
macros/cisco_isovalent_process_connect.yml - Macro defining sourcetype filter for process connection events
macros/cisco_isovalent_allowed_images.yml - Macro defining allowlist for approved container images
macros/cisco_isovalent.yml - Base macro defining general Cisco Isovalent sourcetype
detections/endpoint/linux_decode_base64_to_shell.yml - Updated to add Cisco Isovalent data source and test coverage
detections/endpoint/linux_curl_upload_file.yml - Updated to add Cisco Isovalent data source and test coverage
detections/endpoint/linux_at_application_execution.yml - Updated to add Cisco Isovalent analytic story and test coverage
detections/endpoint/linux_apt_get_privilege_escalation.yml - Updated to add Cisco Isovalent data source and test coverage
detections/endpoint/linux_adding_crontab_using_list_parameter.yml - Updated to add Cisco Isovalent analytic story and test coverage
detections/endpoint/linux_add_user_account.yml - Updated to add Cisco Isovalent data source and test coverage
detections/cloud/cisco_isovalent___suspicious_image_use.yml - New detection for non-allowlisted container images
detections/cloud/cisco_isovalent___shell_execution.yml - New detection for shell execution inside containers
detections/cloud/cisco_isovalent___potential_escape_to_host.yml - New detection for container escape attempts via command clustering
detections/cloud/cisco_isovalent___pods_running_offensive_tools.yml - New detection for offensive security tools in pods
detections/cloud/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml - New detection for nsenter-based privilege escalation
detections/cloud/cisco_isovalent___late_process_execution.yml - New detection for suspicious late process launches
detections/cloud/cisco_isovalent___kprobe_spike.yml - New hunting detection for excessive kernel probe activity
detections/cloud/cisco_isovalent___curl_execution_with_insecure_flags.yml - New detection for insecure curl usage
detections/cloud/cisco_isovalent___cron_job_creation.yml - New detection for cron job creation in pods
detections/cloud/cisco_isovalent___access_to_cloud_metadata_service.yml - New detection for cloud metadata service access
data_sources/cisco_isovalent_process_kprobe.yml - Data source definition for kernel probe telemetry
data_sources/cisco_isovalent_process_exec.yml - Data source definition for process execution events
data_sources/cisco_isovalent_process_connect.yml - Data source definition for process connection events
contentctl.yml - Updated Cisco Security Cloud TA version from 3.4.2 to 3.5.0


patel-bhavin and others added 2 commits November 18, 2025 15:07
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nasbench (Contributor) left a comment

@patel-bhavin I think you should move the analytics to the endpoint folder. Since this telemetry stems from an endpoint.

contentctl.yml Outdated
version: 3.5.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_342.tgz
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/CiscoSecurityCloud-3.5.0.tar.gz
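Review bot: the replacement hardcoded_path switches artifact naming from `cisco-security-cloud_342.tgz` to `CiscoSecurityCloud-3.5.0.tar.gz` at the same time as `version` moves to 3.5.0, so verify the new object really exists at that S3 key before merge; a missing archive would only surface when the attack-range/test build tries to fetch it. The `description: description of app` line is still a placeholder and should carry the app's actual name so the entry is identifiable in contentctl output.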
Contributor commented:

Just as a reminder, please coordinate with the CSC team to make sure this version goes live before the next release to not find ourselves in an issue.

Contributor commented:

@patel-bhavin seems like 5.1 is up on Splunkbase - https://splunkbase.splunk.com/app/7404

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
@ljstella (Contributor) commented Nov 19, 2025

> @patel-bhavin I think you should move the analytics to the endpoint folder. Since this telemetry stems from an endpoint.

I will say then that if we're moving things out of cloud/, it's probably worth evaluating the use of pod_name and cluster_name in the stats commands, as well as null checks on them, as most of those can likely be applicable to non-k8s use cases as well.

edit: Part of why it made sense to keep them in cloud was because they specifically required the use of k8s, and all the k8s detections are in cloud/
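
Worked example, added here and not part of this PR or of the project's own content: the Python below models, over constructed events, the checks behind several analytics in the per-file summary above (insecure curl flags, metadata-service access, non-allowlisted images, nsenter inside a pod, late process execution) together with the null-handling point raised about pod_name and cluster_name in the stats commands. The event field names (type, cluster, pod, image, binary, args, dest_ip, container_start, time), the metadata endpoint addresses and the 300 s threshold are this example's own assumptions, not the Cisco Isovalent or Splunk field layout used by the real detections.

```python
"""Detection checks modelled on the analytics in this PR, run over constructed events.
Event layout is an assumption for this example, not the Cisco Isovalent / Tetragon schema."""
import ipaddress
import shlex
from collections import defaultdict

# Instance metadata endpoints (IPv4 link-local used by AWS/Azure/GCP, AWS IPv6). Example constants.
METADATA_ENDPOINTS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Stand-in for an allowed-images macro: approved image repositories (assumed values).
ALLOWED_IMAGE_REPOS = {"registry.internal/web"}


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _image_repo(image_ref):
    """Reduce 'registry/app:tag' or 'registry/app@sha256:...' to 'registry/app'.
    A ':' after the last '/' is a tag; a ':' before it is a registry port and is kept."""
    ref = image_ref.split("@", 1)[0]
    head, _, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]
    return f"{head}/{tail}" if head else tail


def curl_insecure_flags(ev):
    """curl run with certificate checking disabled: --insecure, -k, or bundled like -sSk."""
    if ev.get("type") != "process_exec" or _basename(ev.get("binary", "")) != "curl":
        return False
    for tok in shlex.split(ev.get("args", "")):
        if tok == "--insecure":
            return True
        if tok.startswith("-") and not tok.startswith("--") and "k" in tok[1:]:
            return True
    return False


def metadata_service_access(ev):
    """Outbound connection to a cloud instance metadata endpoint."""
    if ev.get("type") != "process_connect":
        return False
    try:
        dst = ipaddress.ip_address(ev.get("dest_ip", ""))
    except ValueError:
        return False
    return dst in METADATA_ENDPOINTS


def suspicious_image(ev, allowed_repos):
    """Process started from a container image whose repository is not allowlisted."""
    if ev.get("type") != "process_exec" or not ev.get("image"):
        return False  # host processes carry no image and are not judged here
    return _image_repo(ev["image"]) not in allowed_repos


def nsenter_in_pod(ev):
    """nsenter executed inside a pod, a common first step of an escape into host namespaces."""
    return (ev.get("type") == "process_exec" and ev.get("pod") is not None
            and _basename(ev.get("binary", "")) == "nsenter")


def late_process_execution(ev, threshold_s):
    """Process started long after its container did, unusual for an immutable workload."""
    if ev.get("type") != "process_exec" or ev.get("container_start") is None:
        return False
    return ev["time"] - ev["container_start"] > threshold_s


def run_detections(events, allowed_repos, late_threshold_s=300):
    """Map (cluster, pod) -> sorted names of the checks that fired.
    A missing cluster or pod is coalesced to 'unknown' so the hit is kept; a Splunk
    `stats ... by cluster_name pod_name` would instead drop events with null by-fields."""
    hits = defaultdict(set)
    for ev in events:
        key = (ev.get("cluster") or "unknown", ev.get("pod") or "unknown")
        checks = {
            "curl_insecure_flags": curl_insecure_flags(ev),
            "metadata_service_access": metadata_service_access(ev),
            "suspicious_image": suspicious_image(ev, allowed_repos),
            "nsenter_in_pod": nsenter_in_pod(ev),
            "late_process_execution": late_process_execution(ev, late_threshold_s),
        }
        fired = [name for name, hit in checks.items() if hit]
        if fired:
            hits[key].update(fired)
    return {key: sorted(names) for key, names in hits.items()}


# Constructed sample telemetry (times in seconds); not captured from any real cluster.
EVENTS = [
    {"type": "process_exec", "cluster": "prod-east", "pod": "web-7f9c",
     "image": "registry.internal/web:1.4.2", "binary": "/usr/bin/curl",
     "args": "-sk https://169.254.169.254/latest/meta-data/", "container_start": 1000, "time": 1010},
    {"type": "process_connect", "cluster": "prod-east", "pod": "web-7f9c",
     "binary": "/usr/bin/curl", "dest_ip": "169.254.169.254", "dest_port": 80, "time": 1010},
    {"type": "process_exec", "cluster": "prod-east", "pod": "debug-abc",
     "image": "docker.io/library/alpine:3.20", "binary": "/usr/bin/nsenter",
     "args": "-t 1 -m -u -i -n /bin/sh", "container_start": 1000, "time": 1900},
    {"type": "process_exec", "image": None, "binary": "/usr/bin/curl",  # host process, no pod
     "args": "--insecure https://example.internal/", "container_start": None, "time": 5},
    {"type": "process_exec", "cluster": "prod-east", "pod": "web-7f9c",
     "image": "registry.internal/web@sha256:0123abcd", "binary": "/usr/bin/python3",
     "args": "app.py", "container_start": 1000, "time": 1005},
]

if __name__ == "__main__":
    for key, names in sorted(run_detections(EVENTS, ALLOWED_IMAGE_REPOS).items()):
        print(key, names)
```

The host-side curl event has neither cluster nor pod; the grouping keeps it under ("unknown", "unknown") rather than discarding it, which is the adjustment the analytics would need if they leave cloud/ and start receiving non-Kubernetes host telemetry. The image check deliberately ignores tag and digest so a repository allowlist is not defeated by a retag.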

@patel-bhavin (Contributor, Author) commented:
Will ship these in the endpoint directory for now as these logs are originating from an endpoint and these Isovalent logs are not like the standard type of cloud/ logs that we have. Likely considering moving them into a containers directory in the future!

nasbench previously approved these changes Nov 20, 2025