<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">cluster_name</span>
<span class="pill kill-chain">container_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">node_labels.alpha.eksctl.io/cluster-name</span>
<span class="pill kill-chain">node_labels.alpha.eksctl.io/nodegroup-name</span>
<span class="pill kill-chain">node_labels.beta.kubernetes.io/arch</span>
<span class="pill kill-chain">node_labels.beta.kubernetes.io/instance-type</span>
<span class="pill kill-chain">node_labels.beta.kubernetes.io/os</span>
<span class="pill kill-chain">node_labels.eks.amazonaws.com/capacityType</span>
<span class="pill kill-chain">node_labels.eks.amazonaws.com/nodegroup</span>
<span class="pill kill-chain">node_labels.eks.amazonaws.com/nodegroup-image</span>
<span class="pill kill-chain">node_labels.eks.amazonaws.com/sourceLaunchTemplateId</span>
<span class="pill kill-chain">node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion</span>
<span class="pill kill-chain">node_labels.failure-domain.beta.kubernetes.io/region</span>
<span class="pill kill-chain">node_labels.failure-domain.beta.kubernetes.io/zone</span>
<span class="pill kill-chain">node_labels.k8s.io/cloud-provider-aws</span>
<span class="pill kill-chain">node_labels.kubernetes.io/arch</span>
<span class="pill kill-chain">node_labels.kubernetes.io/hostname</span>
<span class="pill kill-chain">node_labels.kubernetes.io/os</span>
<span class="pill kill-chain">node_labels.node.kubernetes.io/instance-type</span>
<span class="pill kill-chain">node_labels.topology.k8s.aws/zone-id</span>
<span class="pill kill-chain">node_labels.topology.kubernetes.io/region</span>
<span class="pill kill-chain">node_labels.topology.kubernetes.io/zone</span>
<span class="pill kill-chain">node_name</span>
<span class="pill kill-chain">parent_process</span>
<span class="pill kill-chain">parent_process_exec</span>
<span class="pill kill-chain">parent_process_id</span>
<span class="pill kill-chain">parent_process_name</span>
<span class="pill kill-chain">parent_process_path</span>
<span class="pill kill-chain">pod_image_name</span>
<span class="pill kill-chain">pod_name</span>
<span class="pill kill-chain">pod_namespace</span>
<span class="pill kill-chain">process</span>
<span class="pill kill-chain">process_current_directory</span>
<span class="pill kill-chain">process_exec</span>
<span class="pill kill-chain">process_exec.ancestors{}.arguments</span>
<span class="pill kill-chain">process_exec.ancestors{}.auid</span>
<span class="pill kill-chain">process_exec.ancestors{}.binary</span>
<span class="pill kill-chain">process_exec.ancestors{}.cwd</span>
<span class="pill kill-chain">process_exec.ancestors{}.exec_id</span>
<span class="pill kill-chain">process_exec.ancestors{}.flags</span>
<span class="pill kill-chain">process_exec.ancestors{}.in_init_tree</span>
<span class="pill kill-chain">process_exec.ancestors{}.parent_exec_id</span>
<span class="pill kill-chain">process_exec.ancestors{}.pid</span>
<span class="pill kill-chain">process_exec.ancestors{}.refcnt</span>
<span class="pill kill-chain">process_exec.ancestors{}.start_time</span>
<span class="pill kill-chain">process_exec.ancestors{}.tid</span>
<span class="pill kill-chain">process_exec.ancestors{}.uid</span>
<span class="pill kill-chain">process_exec.parent.arguments</span>
<span class="pill kill-chain">process_exec.parent.auid</span>
<span class="pill kill-chain">process_exec.parent.binary</span>
<span class="pill kill-chain">process_exec.parent.cwd</span>
<span class="pill kill-chain">process_exec.parent.docker</span>
<span class="pill kill-chain">process_exec.parent.exec_id</span>
<span class="pill kill-chain">process_exec.parent.flags</span>
<span class="pill kill-chain">process_exec.parent.in_init_tree</span>
<span class="pill kill-chain">process_exec.parent.parent_exec_id</span>
<span class="pill kill-chain">process_exec.parent.pid</span>
<span class="pill kill-chain">process_exec.parent.pod.container.id</span>
<span class="pill kill-chain">process_exec.parent.pod.container.image.id</span>
<span class="pill kill-chain">process_exec.parent.pod.container.image.name</span>
<span class="pill kill-chain">process_exec.parent.pod.container.name</span>
<span class="pill kill-chain">process_exec.parent.pod.container.pid</span>
<span class="pill kill-chain">process_exec.parent.pod.container.security_context.privileged</span>
<span class="pill kill-chain">process_exec.parent.pod.container.start_time</span>
<span class="pill kill-chain">process_exec.parent.pod.name</span>
<span class="pill kill-chain">process_exec.parent.pod.namespace</span>
<span class="pill kill-chain">process_exec.parent.pod.pod_labels.controller-revision-hash</span>
<span class="pill kill-chain">process_exec.parent.pod.pod_labels.k8s-app</span>
<span class="pill kill-chain">process_exec.parent.pod.pod_labels.pod-template-generation</span>
<span class="pill kill-chain">process_exec.parent.pod.workload</span>
<span class="pill kill-chain">process_exec.parent.pod.workload_kind</span>
<span class="pill kill-chain">process_exec.parent.start_time</span>
<span class="pill kill-chain">process_exec.parent.tid</span>
<span class="pill kill-chain">process_exec.parent.uid</span>
<span class="pill kill-chain">process_exec.process.arguments</span>
<span class="pill kill-chain">process_exec.process.auid</span>
<span class="pill kill-chain">process_exec.process.binary</span>
<span class="pill kill-chain">process_exec.process.cwd</span>
<span class="pill kill-chain">process_exec.process.docker</span>
<span class="pill kill-chain">process_exec.process.exec_id</span>
<span class="pill kill-chain">process_exec.process.flags</span>
<span class="pill kill-chain">process_exec.process.in_init_tree</span>
<span class="pill kill-chain">process_exec.process.parent_exec_id</span>
<span class="pill kill-chain">process_exec.process.pid</span>
<span class="pill kill-chain">process_exec.process.pod.container.id</span>
<span class="pill kill-chain">process_exec.process.pod.container.image.id</span>
<span class="pill kill-chain">process_exec.process.pod.container.image.name</span>
<span class="pill kill-chain">process_exec.process.pod.container.maybe_exec_probe</span>
<span class="pill kill-chain">process_exec.process.pod.container.name</span>
<span class="pill kill-chain">process_exec.process.pod.container.pid</span>
<span class="pill kill-chain">process_exec.process.pod.container.security_context.privileged</span>
<span class="pill kill-chain">process_exec.process.pod.container.start_time</span>
<span class="pill kill-chain">process_exec.process.pod.name</span>
<span class="pill kill-chain">process_exec.process.pod.namespace</span>
<span class="pill kill-chain">process_exec.process.pod.pod_labels.app.kubernetes.io/instance</span>
<span class="pill kill-chain">process_exec.process.pod.pod_labels.app.kubernetes.io/name</span>
<span class="pill kill-chain">process_exec.process.pod.pod_labels.controller-revision-hash</span>
<span class="pill kill-chain">process_exec.process.pod.pod_labels.k8s-app</span>
<span class="pill kill-chain">process_exec.process.pod.pod_labels.pod-template-generation</span>
<span class="pill kill-chain">process_exec.process.pod.workload</span>
<span class="pill kill-chain">process_exec.process.pod.workload_kind</span>
<span class="pill kill-chain">process_exec.process.start_time</span>
<span class="pill kill-chain">process_exec.process.tid</span>
<span class="pill kill-chain">process_exec.process.uid</span>
<span class="pill kill-chain">process_id</span>
<span class="pill kill-chain">process_name</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">time</span>
<span class="pill kill-chain">user_id</span>
<span class="pill kill-chain">vendor_product</span>
Data Source: Cisco Isovalent Process Exec
Description
Logs process execution events from Cisco Isovalent environments, providing visibility into process execution ancestry (the process_exec.process, process_exec.parent and process_exec.ancestors{} objects) and Kubernetes workload identity (pod name, namespace, container image and workload).
Details
| Property | Value |
|---|---|
| Source | not_applicable |
| Sourcetype | cisco:isovalent:processExec |
Supported Apps
- Cisco Security Cloud (version 3.5.3)
Event Fields
Fields
Example Log
1{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk5MjQ2MDAwNDozNTAyOTE0","pid":3502914,"uid":0,"cwd":"/app","binary":"/app/grpc-health-probe","arguments":"-addr=:50051 -connect-timeout=5s -rpc-timeout=5s","flags":"execve clone","start_time":"2025-08-14T20:42:47.459946745Z","auid":4294967295,"pod":{"namespace":"kube-system","name":"aws-node-9twpn","container":{"id":"containerd://dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","name":"aws-node","image":{"id":"sha256:0b48ad70935c9dea3627854c46a5d12028b941334ad82bf7be6a6fcddd4a2674","name":"066635153087.dkr.ecr.il-central-1.amazonaws.com/amazon-k8s-cni:v1.19.2"},"start_time":"2025-07-28T22:21:44Z","pid":3635324,"maybe_exec_probe":true,"security_context":{}},"pod_labels":{"app.kubernetes.io/instance":"aws-vpc-cni","app.kubernetes.io/name":"aws-node","controller-revision-hash":"dfddff8c5","k8s-app":"aws-node","pod-template-generation":"1"},"workload":"aws-node","workload_kind":"DaemonSet"},"docker":"dc5b541d139c38ec01e485712f0eec3","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","tid":3502914,"in_init_tree":false},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2Mjg5OTk3MjA5OTEyODozNTAyOTAw","pid":3502900,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process2848112653 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873/939f032732ee71076b86175deba715fc56e5cacb6047fb3602069bdbbfd21e45.pid 
dc5b541d139c38ec01e485712f0eec3d11c0273ca03fccedc56881200c127873","flags":"execve clone","start_time":"2025-08-14T20:42:47.439585277Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","tid":3502900,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjczNDAwMDAwMDA6MzA1OQ==","pid":3059,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id ed66ffdf41f1a8120a25b8aee2609990a556109a17fb159597cb100f574b07fe -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2025-07-28T22:21:34.807485194Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":3059,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid 
rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T20:42:47.459945318Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
Required Output Fields
- process_name
- process
Source: GitHub | Version: 1