Analytics Story: Cisco Isovalent Suspicious Activity

Description

This analytics story focuses on identifying suspicious activities and potential security threats within environments using Cisco Isovalent in Kubernetes. It provides detection analytics and guidance to help security teams recognize signs of adversary tactics such as unauthorized access attempts, unusual network activity, and other behaviors indicative of potential compromise in their Kubernetes environments.

Why it matters

Cisco Isovalent, leveraging Tetragon and powered by Cilium's advanced eBPF technology, provides unparalleled, real-time visibility directly from the Linux kernel—a depth unattainable with traditional logging or agent-based approaches. Cilium underpins Kubernetes networking with high-performance, identity-aware security, enabling deep inspection and enforcement of network, process, and workload interactions. Tetragon extends this with actionable, runtime observability, correlating every process execution, file access, and network flow with rich Kubernetes context—such as pod, namespace, and deployment labels—while preserving the full ancestry of each process. This unique combination allows security teams to detect and trace sophisticated attack techniques—like container escapes, ServiceAccount token abuse, in-cluster lateral movement, metadata credential harvesting (IMDS access), misused kubectl, hidden C2 channels, or abused cloud and SaaS services—often before they can escalate.

This powerful, kernel-level telemetry enables security analytics to observe subtle deviations from baseline workload behavior and surface indicators of compromise that otherwise go undetected. By continuously monitoring granular audit events such as process_exec, process_connect, and custom kprobes mapped to application or system activity, analysts gain the context needed to identify late process launches, unexpected shells, suspicious outbound connections, crypto-mining, malicious persistence mechanisms, and adversary tradecraft targeting the Kubernetes control and data plane. The result is accelerated detection and response, minimized attacker dwell time, and containment of breaches before they can propagate across your cloud-native infrastructure.
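The kind of rule the detections listed below encode, shown as an added Python example that is not part of this analytics story, of Tetragon or of Cilium: three event lines are constructed inline in a shape loosely modelled on Tetragon's JSON export (the field names and the process_connect shape are assumptions, since the exact Cisco Isovalent schema is not on this page), and the detector flags shell execution inside a pod, late process execution relative to container start, and connections to the cloud instance metadata service.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (assumption: field layout approximates Tetragon's
# JSON export; the real Cisco Isovalent feed may name fields differently).
SAMPLE_EVENTS = [
    '{"process_exec":{"process":{"binary":"/usr/bin/python3","start_time":"2024-05-01T10:00:02Z",'
    '"pod":{"namespace":"prod","name":"api-7c9d","container":{"start_time":"2024-05-01T10:00:00Z"}}}}}',
    '{"process_exec":{"process":{"binary":"/bin/bash","arguments":"-i","start_time":"2024-05-01T12:30:00Z",'
    '"pod":{"namespace":"prod","name":"api-7c9d","container":{"start_time":"2024-05-01T10:00:00Z"}}}}}',
    '{"process_connect":{"process":{"binary":"/usr/bin/curl","pod":{"namespace":"prod","name":"api-7c9d"}},'
    '"destination_ip":"169.254.169.254","destination_port":80}}',
]

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}
METADATA_IPS = {"169.254.169.254", "fd00:ec2::254"}  # IMDS (AWS/GCP/Azure v4, AWS v6)
LATE_AFTER = timedelta(minutes=10)  # an exec this long after container start is "late"


def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(line, late_after=LATE_AFTER):
    """Return the detection names triggered by one JSON event line."""
    ev = json.loads(line)
    findings = []
    if "process_exec" in ev:
        proc = ev["process_exec"]["process"]
        if proc.get("binary") in SHELLS:
            findings.append("shell_execution")
        cstart = proc.get("pod", {}).get("container", {}).get("start_time")
        if cstart and _ts(proc["start_time"]) - _ts(cstart) > late_after:
            findings.append("late_process_execution")
    elif "process_connect" in ev:
        if ev["process_connect"].get("destination_ip") in METADATA_IPS:
            findings.append("cloud_metadata_access")
    return findings


def triage(lines):
    """Group findings per pod (namespace/name) so one pod's events are read together."""
    per_pod = {}
    for line in lines:
        ev = json.loads(line)
        body = ev.get("process_exec") or ev.get("process_connect") or {}
        pod = body.get("process", {}).get("pod", {})
        key = f"{pod.get('namespace', '?')}/{pod.get('name', '?')}"
        for finding in detect(line):
            per_pod.setdefault(key, []).append(finding)
    return per_pod
```

Running `triage(SAMPLE_EVENTS)` attributes all three findings to the same pod, which is the correlation across process_exec and process_connect that the pod labels make possible.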

Detections

Name | Technique | Type
Cisco Isovalent - Access To Cloud Metadata Service | Cloud Instance Metadata API | Anomaly
Cisco Isovalent - Cron Job Creation | Cron, Container Orchestration Job | Anomaly
Cisco Isovalent - Curl Execution With Insecure Flags | Ingress Tool Transfer | Anomaly
Cisco Isovalent - Kprobe Spike | Exploitation for Privilege Escalation | Hunting
Cisco Isovalent - Late Process Execution | Create or Modify System Process | Anomaly
Cisco Isovalent - Non Allowlisted Image Use | Malicious Image | Anomaly
Cisco Isovalent - Nsenter Usage in Kubernetes Pod | Create or Modify System Process | Anomaly
Cisco Isovalent - Pods Running Offensive Tools | Malicious Image | Anomaly
Cisco Isovalent - Potential Escape to Host | Escape to Host | Anomaly
Cisco Isovalent - Shell Execution | Create or Modify System Process | Anomaly
Linux Add User Account | Local Account | Hunting
Linux Adding Crontab Using List Parameter | Cron | Hunting
Linux apt-get Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux At Application Execution | At | Anomaly
Linux Decode Base64 to Shell | Obfuscated Files or Information, Unix Shell | TTP

Data Sources

Name | Platform | Sourcetype | Source
Cisco Isovalent Process Connect | Other | cisco:isovalent:processConnect | not_applicable
Cisco Isovalent Process Exec | Other | cisco:isovalent:processExec | not_applicable
Cisco Isovalent Process Kprobe | Other | cisco:isovalent | not_applicable
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational

Source: GitHub | Version: 1