Cisco Isovalent - new detections batch 1 #3706
base: develop
Conversation
nasbench
left a comment
@patel-bhavin I think you should move the analytics to the endpoint folder, since this telemetry stems from an endpoint.
detections/cloud/cisco_isovalent___potential_escape_to_host.yml
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
I will say then that if we're moving things out of cloud/, it's probably worth evaluating the use of pod_name and cluster_name in the stats commands, as well as null checks on them, as most of those can likely be applicable to non-k8s use cases as well. edit: Part of why it made sense to keep them in cloud was because they specifically required the use of k8s, and all the k8s detections are in

Will ship these in the endpoint directory for now as these logs are originating from an endpoint and these isovalent logs are not like the standard type of cloud/ logs that we have. Likely considering moving them into a containers directory in the future!
Holding off releasing this content until the CSC TA is fixed: targeting CSC TA 3.5.2
nasbench
left a comment
One final review before merge.
| @@ -0,0 +1,79 @@ | |||
| name: Cisco Isovalent - Suspicious Image Use | |||
Perhaps we should try and avoid the use of the word suspicious here. I like the word you used Non Allowlisted so let's use that. That way we can create a better picture for the end-user.
| name: Cisco Isovalent - Suspicious Image Use | |
| name: Cisco Isovalent - Non Allowlisted Image Use |
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: Suspicious (non‑allowlisted) image $pod_image_name$ used by pod $pod_name$ in namespace $Namespace$ in the cluster $cluster_name$ |
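Review bot: in the `message:` line the token `$Namespace$` is capitalised while every other token (`$pod_image_name$`, `$pod_name$`, `$cluster_name$`) is lowercase; RBA tokens are substituted by exact field name, so if the search actually produces a `namespace` field this placeholder will be left unexpanded in the notable. Please confirm the field name the search emits and use the same spelling here.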
| message: Suspicious (non‑allowlisted) image $pod_image_name$ used by pod $pod_name$ in namespace $Namespace$ in the cluster $cluster_name$ | |
| message: Non Allowlisted image $pod_image_name$ used by pod $pod_name$ in namespace $Namespace$ in the cluster $cluster_name$ |
| - field: process_name | ||
| type: process_name |
Maybe we could add pod_image_name here?
| status: production | ||
| description: The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell (sh or bash) inside a container namespace. This behavior is significant for a SOC as it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity. | ||
| search: | | ||
| `cisco_isovalent_process_exec` process_name IN ("sh", "bash", "pwsh", "zsh") |
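Review bot: the `description:` line says the analytic monitors for "a shell (sh or bash)", but the `search:` line matches `process_name IN ("sh", "bash", "pwsh", "zsh")`; whichever shell list is settled on, the description should name the same set so an analyst triaging a zsh hit is not surprised by a detection whose text only mentions sh and bash.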
I assume pwsh is a typo here (because it's referring to PowerShell).
Since we cannot use the macro linux_shells directly, let's at least use the same list.
| `cisco_isovalent_process_exec` process_name IN ("sh", "bash", "pwsh", "zsh") | |
| `cisco_isovalent_process_exec` process_name IN ("sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell") |
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: A shell execution has been detected by user on container pod namespace $node_name$ |
| message: A shell execution has been detected by user on container pod namespace $node_name$ | |
| message: The shell $process_name$ was executed by $user$ on container pod namespace $node_name$ |
| process_name IN ("nsenter","mount","ps","ls") | ||
| OR process="*nsenter*" OR process="*mount*" OR process="*ps aux*" OR process="*ps -ef*" |
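Review bot: `process_name IN ("nsenter","mount","ps","ls")` will match every `ls` and `ps` run inside any container, which are routine in healthy workloads, so unless the part of the search not shown here aggregates or thresholds these events the analytic will be very noisy; consider stating the expected false-positive volume in the detection's known false positives, or keeping `ls` and `ps` only in combination with the namespace-related binaries (`nsenter`, `mount`) rather than as stand-alone triggers. The `process="*ps aux*"` and `process="*ps -ef*"` clauses are already a subset of what `process_name="ps"` returns.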
This feels better to read.
I also wanted to point out that by saying process_name == ps it actually includes all CLI options like ps -ef or ps aux, so we actually do not need them, but I will leave them just in case there is one but not the other.
| process_name IN ("nsenter","mount","ps","ls") | |
| OR process="*nsenter*" OR process="*mount*" OR process="*ps aux*" OR process="*ps -ef*" | |
| process_name IN ("nsenter","mount","ps","ls") | |
| OR | |
| process IN ("*nsenter*", "*mount*", "*ps aux*", "*ps -ef*") |
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: Escape-to-host attempt detected in pod $pod_name$ on cluster $cluster_name$ |
Maybe we can add the executed command in the message for clarity and ease of triage.
| More than 10 kprobe events within 5 minutes may indicate suspicious activity, such as an attacker probing the kernel through repeated system calls (e.g., nsenter, mount, sethostname). | ||
| Such abnormal volume and frequency of kprobe usage within application pods or on nodes can signal container escape attempts or low-level tampering with the host, thereby representing a potential security threat. | ||
| search: | | ||
| `cisco_isovalent` "process_kprobe.action"!="" |
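Review bot: the description on the lines above sets a threshold of "more than 10 kprobe events within 5 minutes", but the visible `search:` is only the base filter `` `cisco_isovalent` "process_kprobe.action"!="" ``; if nothing follows it, the search needs a time bucket plus a count and a `where count > 10` (or equivalent) before the analytic implements what the description promises. Note also that `process_kprobe.action!=""` only returns events that carry the field at all, which is the intended narrowing to kprobe events here, so the unquoted field name on the left of `!=` is the conventional and safer form.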
| `cisco_isovalent` "process_kprobe.action"!="" | |
| `cisco_isovalent` process_kprobe.action!="" |
| @@ -0,0 +1,3 @@ | |||
| definition: search binary != "/app/aws-vpc-cni" AND binary != "/usr/bin/amazon-ssm-agent" AND binary != "/usr/bin/ssm-agent-worker" | |||
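Review bot: `binary != "/app/aws-vpc-cni" AND binary != ...` silently drops every event that has no `binary` field, because in SPL `field!=value` only matches events where the field exists; if this macro is meant purely as an allowlist filter for known-good agents, `NOT binary IN ("/app/aws-vpc-cni", "/usr/bin/amazon-ssm-agent", "/usr/bin/ssm-agent-worker")` keeps events without the field and is easier to extend. If leading wildcards such as `*/bin/amazon-ssm-agent` are adopted to cover both `/bin` and `/usr/bin`, the macro description should state that any path ending in that name is allowlisted, since that widens the exclusion beyond the two system locations.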
To catch /usr/bin and /bin
Also does /app/aws-vpc-cni need a wildcard at the start?
| definition: search binary != "/app/aws-vpc-cni" AND binary != "/usr/bin/amazon-ssm-agent" AND binary != "/usr/bin/ssm-agent-worker" | |
| definition: search binary != "/app/aws-vpc-cni" AND binary != "*/bin/amazon-ssm-agent" AND binary != "*/bin/ssm-agent-worker" |
| sourcetype: cisco:isovalent:processConnect | ||
| sourcetype: cisco:isovalent:processConnect | |
| sourcetype: cisco:isovalent:processConnect | |
New Analytic Story - [1]
New Analytics - [10]
Updated Analytics - [6]
Macros Added - [3]
Data Sources Added - [3]