Data Source: Cisco Isovalent Process Connect

Description

Captures detailed process connection events — including source and destination process metadata, execution lineage (ancestry), and Kubernetes workload context — generated by Cisco Isovalent instrumentation. Enables technical analysis of process-level network connections, container-level activity, and workload-specific network flows in cloud-native environments.

Details

Property Value
Source not_applicable
Sourcetype cisco:isovalent:processConnect

Supported Apps

Event Fields

- _time
- app
- cluster_name
- container_id
- dest
- dest_ip
- dest_port
- eventtype
- host
- index
- linecount
- node_labels.alpha.eksctl.io/cluster-name
- node_labels.alpha.eksctl.io/nodegroup-name
- node_labels.beta.kubernetes.io/arch
- node_labels.beta.kubernetes.io/instance-type
- node_labels.beta.kubernetes.io/os
- node_labels.eks.amazonaws.com/capacityType
- node_labels.eks.amazonaws.com/nodegroup
- node_labels.eks.amazonaws.com/nodegroup-image
- node_labels.eks.amazonaws.com/sourceLaunchTemplateId
- node_labels.eks.amazonaws.com/sourceLaunchTemplateVersion
- node_labels.failure-domain.beta.kubernetes.io/region
- node_labels.failure-domain.beta.kubernetes.io/zone
- node_labels.k8s.io/cloud-provider-aws
- node_labels.kubernetes.io/arch
- node_labels.kubernetes.io/hostname
- node_labels.kubernetes.io/os
- node_labels.node.kubernetes.io/instance-type
- node_labels.topology.k8s.aws/zone-id
- node_labels.topology.kubernetes.io/region
- node_labels.topology.kubernetes.io/zone
- node_name
- pod_image_name
- pod_name
- pod_namespace
- process_connect.destination_ip
- process_connect.destination_pod.name
- process_connect.destination_pod.namespace
- process_connect.destination_pod.pod_labels.app.kubernetes.io/component
- process_connect.destination_pod.pod_labels.app.kubernetes.io/instance
- process_connect.destination_pod.pod_labels.app.kubernetes.io/managed-by
- process_connect.destination_pod.pod_labels.app.kubernetes.io/name
- process_connect.destination_pod.pod_labels.app.kubernetes.io/part-of
- process_connect.destination_pod.pod_labels.app.kubernetes.io/version
- process_connect.destination_pod.pod_labels.eks.amazonaws.com/component
- process_connect.destination_pod.pod_labels.helm.sh/chart
- process_connect.destination_pod.pod_labels.k8s-app
- process_connect.destination_pod.pod_labels.pod-template-hash
- process_connect.destination_pod.workload
- process_connect.destination_pod.workload_kind
- process_connect.destination_port
- process_connect.parent.arguments
- process_connect.parent.auid
- process_connect.parent.binary
- process_connect.parent.cwd
- process_connect.parent.docker
- process_connect.parent.exec_id
- process_connect.parent.flags
- process_connect.parent.in_init_tree
- process_connect.parent.parent_exec_id
- process_connect.parent.pid
- process_connect.parent.pod.container.id
- process_connect.parent.pod.container.image.id
- process_connect.parent.pod.container.image.name
- process_connect.parent.pod.container.name
- process_connect.parent.pod.container.pid
- process_connect.parent.pod.container.start_time
- process_connect.parent.pod.name
- process_connect.parent.pod.namespace
- process_connect.parent.pod.pod_labels.app.kubernetes.io/instance
- process_connect.parent.pod.pod_labels.app.kubernetes.io/name
- process_connect.parent.pod.pod_labels.controller-revision-hash
- process_connect.parent.pod.pod_labels.k8s-app
- process_connect.parent.pod.pod_labels.pod-template-generation
- process_connect.parent.pod.workload
- process_connect.parent.pod.workload_kind
- process_connect.parent.start_time
- process_connect.parent.tid
- process_connect.parent.uid
- process_connect.process.arguments
- process_connect.process.auid
- process_connect.process.binary
- process_connect.process.cwd
- process_connect.process.docker
- process_connect.process.exec_id
- process_connect.process.flags
- process_connect.process.in_init_tree
- process_connect.process.parent_exec_id
- process_connect.process.pid
- process_connect.process.pod.container.id
- process_connect.process.pod.container.image.id
- process_connect.process.pod.container.image.name
- process_connect.process.pod.container.maybe_exec_probe
- process_connect.process.pod.container.name
- process_connect.process.pod.container.pid
- process_connect.process.pod.container.start_time
- process_connect.process.pod.name
- process_connect.process.pod.namespace
- process_connect.process.pod.pod_labels.app.kubernetes.io/instance
- process_connect.process.pod.pod_labels.app.kubernetes.io/name
- process_connect.process.pod.pod_labels.controller-revision-hash
- process_connect.process.pod.pod_labels.eks.amazonaws.com/component
- process_connect.process.pod.pod_labels.k8s-app
- process_connect.process.pod.pod_labels.pod-template-generation
- process_connect.process.pod.pod_labels.pod-template-hash
- process_connect.process.pod.workload
- process_connect.process.pod.workload_kind
- process_connect.process.start_time
- process_connect.process.tid
- process_connect.process.uid
- process_connect.protocol
- process_connect.sock_cookie
- process_connect.source_ip
- process_connect.source_port
- process_id
- punct
- session_id
- source
- sourcetype
- splunk_server
- splunk_server_group
- src
- src_ip
- src_port
- tag
- tag::app
- tag::eventtype
- time
- transport
- vendor_product

Example Log

{"process_connect":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMjQ5MDAwMDAwMDoxNjQ1","pid":1645,"uid":0,"cwd":"/","binary":"/usr/bin/kubelet","arguments":"--config-dir=/etc/kubernetes/kubelet/config.json.d --kubeconfig=/var/lib/kubelet/kubeconfig --image-credential-provider-bin-dir=/etc/eks/image-credential-provider --image-credential-provider-config=/etc/eks/image-credential-provider/config.json --node-ip=192.168.89.64 --cloud-provider=external --hostname-override=ip-192-168-89-64.us-west-2.compute.internal --config=/etc/kubernetes/kubelet/config.json --node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=k8s-goat-cluster,alpha.eksctl.io/nodegroup-name=ng-a99d40b1,eks.amazonaws.com/nodegroup-image=ami-0339636baccc3c183,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=ng-a99d40b1,eks.amazonaws.com/sourceLaunchTemplateId=lt-0da0169006f2a7c39","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.923218536Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1645,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false},"source_ip":"192.168.89.64","source_port":38106,"destination_ip":"192.168.88.89","destination_port":3000,"sock_cookie":"18446462614959565760","destination_pod":{"namespace":"tetragon","name":"tetragon-grafana-77b4f6f864-tjl29","pod_labels":{"app.kubernetes.io/instance":"tetragon","app.kubernetes.io/name":"grafana","app.kubernetes.io/version":"12.0.1","helm.sh/chart":"grafana-9.2.2","pod-template-hash":"77b4f6f864"},"workload":"tetragon-grafana","workload_kind":"Deployment"},"protocol":"TCP"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-11-04T23:32:55.401779Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}

Required Output Fields

  • dest_ip

  • pod_name

  • pod_namespace

  • cluster_name

  • node_name


Source: GitHub | Version: 1