Data Source: Cisco Isovalent Process Kprobe

Description

Captures kernel-probe (kprobe) telemetry emitted by Cisco Isovalent Runtime Security as `process_kprobe` events: the hooked kernel function (`process_kprobe.function_name`), its captured arguments (`process_kprobe.args{}`, each with a `label` and one typed value such as `string_arg`, `int_arg`, `size_arg` or `bytes_arg`), the policy that installed the hook (`process_kprobe.policy_name`), the action taken (`process_kprobe.action` / `process_kprobe.return_action`), and full process context for both the process and its parent (binary, arguments, cwd, uid/auid, pid/tid, `exec_id` lineage and, for containerised processes, pod, namespace, container and image details). This gives visibility into low-level kernel interactions that may indicate container escape attempts or node tampering. Notes for detection authors, all visible in the example below: (1) the probe fires in the calling process, so for an `execve` hook `process_kprobe.process.binary` is the caller (`/usr/sbin/logrotate`) while the program being launched is the argument labelled `filename` (`/bin/gzip`); (2) `argv` is delivered as `bytes_arg` and may be empty, as it is in the example, so do not rely on it for command-line inspection; (3) `function_name` is the architecture-specific kernel symbol (`__arm64_sys_execve` on the arm64 node shown), so key detections on `policy_name` and argument labels rather than hard-coding the symbol; (4) `process_kprobe.process.parent_exec_id` equals `process_kprobe.parent.exec_id`, which lets you stitch a process tree across events; (5) an `auid` of 4294967295 is the unset value, typical of daemons and scheduled jobs that never passed through a login session, and should not be mistaken for a real user.

Details

Property Value
Source not_applicable
Sourcetype cisco:isovalent

Supported Apps

Event Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">cluster_name</span>
  
  <span class="pill kill-chain">description</span>
  
  <span class="pill kill-chain">duration</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">node_labels.alpha.eksctl.io/cluster-name</span>
  
  <span class="pill kill-chain">node_labels.alpha.eksctl.io/nodegroup-name</span>
  
  <span class="pill kill-chain">node_labels.beta.kubernetes.io/arch</span>
  
  <span class="pill kill-chain">node_labels.beta.kubernetes.io/instance-type</span>
  
  <span class="pill kill-chain">node_labels.beta.kubernetes.io/os</span>
  
  <span class="pill kill-chain">node_labels.eks.amazonaws.com/capacityType</span>
  
  <span class="pill kill-chain">node_labels.eks.amazonaws.com/nodegroup</span>
  
  <span class="pill kill-chain">node_labels.eks.amazonaws.com/nodegroup-image</span>
  
  <span class="pill kill-chain">node_labels.eks.amazonaws.com/sourceLaunchTemplateId</span>
  
  <span class="pill kill-chain">node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion</span>
  
  <span class="pill kill-chain">node_labels.failure-domain.beta.kubernetes.io/region</span>
  
  <span class="pill kill-chain">node_labels.failure-domain.beta.kubernetes.io/zone</span>
  
  <span class="pill kill-chain">node_labels.k8s.io/cloud-provider-aws</span>
  
  <span class="pill kill-chain">node_labels.kubernetes.io/arch</span>
  
  <span class="pill kill-chain">node_labels.kubernetes.io/hostname</span>
  
  <span class="pill kill-chain">node_labels.kubernetes.io/os</span>
  
  <span class="pill kill-chain">node_labels.node.kubernetes.io/instance-type</span>
  
  <span class="pill kill-chain">node_labels.topology.k8s.aws/zone-id</span>
  
  <span class="pill kill-chain">node_labels.topology.kubernetes.io/region</span>
  
  <span class="pill kill-chain">node_labels.topology.kubernetes.io/zone</span>
  
  <span class="pill kill-chain">node_name</span>
  
  <span class="pill kill-chain">process_kprobe.action</span>
  
  <span class="pill kill-chain">process_kprobe.args{}.bytes_arg</span>
  
  <span class="pill kill-chain">process_kprobe.args{}.int_arg</span>
  
  <span class="pill kill-chain">process_kprobe.args{}.label</span>
  
  <span class="pill kill-chain">process_kprobe.args{}.size_arg</span>
  
  <span class="pill kill-chain">process_kprobe.args{}.string_arg</span>
  
  <span class="pill kill-chain">process_kprobe.function_name</span>
  
  <span class="pill kill-chain">process_kprobe.parent.arguments</span>
  
  <span class="pill kill-chain">process_kprobe.parent.auid</span>
  
  <span class="pill kill-chain">process_kprobe.parent.binary</span>
  
  <span class="pill kill-chain">process_kprobe.parent.cwd</span>
  
  <span class="pill kill-chain">process_kprobe.parent.docker</span>
  
  <span class="pill kill-chain">process_kprobe.parent.exec_id</span>
  
  <span class="pill kill-chain">process_kprobe.parent.flags</span>
  
  <span class="pill kill-chain">process_kprobe.parent.in_init_tree</span>
  
  <span class="pill kill-chain">process_kprobe.parent.parent_exec_id</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pid</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.container.id</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.container.image.id</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.container.image.name</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.container.name</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.container.pid</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.container.start_time</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.name</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.namespace</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.pod_labels.run</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.workload</span>
  
  <span class="pill kill-chain">process_kprobe.parent.pod.workload_kind</span>
  
  <span class="pill kill-chain">process_kprobe.parent.start_time</span>
  
  <span class="pill kill-chain">process_kprobe.parent.tid</span>
  
  <span class="pill kill-chain">process_kprobe.parent.uid</span>
  
  <span class="pill kill-chain">process_kprobe.policy_name</span>
  
  <span class="pill kill-chain">process_kprobe.process.arguments</span>
  
  <span class="pill kill-chain">process_kprobe.process.auid</span>
  
  <span class="pill kill-chain">process_kprobe.process.binary</span>
  
  <span class="pill kill-chain">process_kprobe.process.cwd</span>
  
  <span class="pill kill-chain">process_kprobe.process.docker</span>
  
  <span class="pill kill-chain">process_kprobe.process.exec_id</span>
  
  <span class="pill kill-chain">process_kprobe.process.flags</span>
  
  <span class="pill kill-chain">process_kprobe.process.in_init_tree</span>
  
  <span class="pill kill-chain">process_kprobe.process.parent_exec_id</span>
  
  <span class="pill kill-chain">process_kprobe.process.pid</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.container.id</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.container.image.id</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.container.image.name</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.container.name</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.container.pid</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.container.start_time</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.name</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.namespace</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.pod_labels.run</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.workload</span>
  
  <span class="pill kill-chain">process_kprobe.process.pod.workload_kind</span>
  
  <span class="pill kill-chain">process_kprobe.process.refcnt</span>
  
  <span class="pill kill-chain">process_kprobe.process.start_time</span>
  
  <span class="pill kill-chain">process_kprobe.process.tid</span>
  
  <span class="pill kill-chain">process_kprobe.process.uid</span>
  
  <span class="pill kill-chain">process_kprobe.return_action</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">severity</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">splunk_server_group</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_type</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::app</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">time</span>
  
  <span class="pill kill-chain">vendor_region</span>
  

Example Log

{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NjIwOTk3MjEyOjEwNTYwNDc=","pid":1056047,"uid":0,"cwd":"/","binary":"/usr/sbin/logrotate","arguments":"/etc/logrotate.conf","flags":"execve","start_time":"2025-10-06T00:00:46.054215601Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NTA2MTI3NjQ4OjEwNTYwNDI=","refcnt":1,"tid":1056047,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyNjA5NjE5NTA2MTI3NjQ4OjEwNTYwNDI=","pid":1056042,"uid":0,"cwd":"/","binary":"/usr/sbin/logrotate","arguments":"/etc/logrotate.conf","flags":"execve rootcwd clone","start_time":"2025-10-06T00:00:45.939345635Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDozOTUzMzQzODExNjox","tid":1056042,"in_init_tree":false},"function_name":"__arm64_sys_execve","args":[{"string_arg":"/bin/gzip","label":"filename"},{"bytes_arg":"","label":"argv"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-10-06T00:00:46.054335518Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}

Required Output Fields

  • pod_name — expected to be derived from `process_kprobe.process.pod.name`. Note that processes running directly on the node carry no `pod` object at all (the example above, a logrotate run on the host, has none), so a search that requires `pod_name` to be present will silently drop exactly the host-side events that matter for container-escape and node-tampering detection. Treat a missing pod context on a node with container workloads as a signal worth keeping, not as noise to filter out.

Source: GitHub | Version: 1