From 6f7db68c64fb024c4af0dfb4661452844c18c177 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 15 Aug 2025 13:01:43 -0700
Subject: [PATCH 1/4] adding two events
---
 datasets/cisco_isovalent/cisco_isovalent.log | 3 +++
 datasets/cisco_isovalent/cisco_isovalent.yml | 12 ++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 datasets/cisco_isovalent/cisco_isovalent.log
 create mode 100644 datasets/cisco_isovalent/cisco_isovalent.yml
diff --git a/datasets/cisco_isovalent/cisco_isovalent.log b/datasets/cisco_isovalent/cisco_isovalent.log
new file mode 100644
index 00000000..e759e95d
--- /dev/null
+++ b/datasets/cisco_isovalent/cisco_isovalent.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9c4819ae88000128304123cbb7e4120c780f9228904cbe9d6012c21a23f345c3
+size 9270
diff --git a/datasets/cisco_isovalent/cisco_isovalent.yml b/datasets/cisco_isovalent/cisco_isovalent.yml
new file mode 100644
index 00000000..468193aa
--- /dev/null
+++ b/datasets/cisco_isovalent/cisco_isovalent.yml
@@ -0,0 +1,12 @@
+author: Bhavin Patel, Splunk
+id: 1fc537db-5e0b-4a2e-a768-27e08eff0c70
+date: '2025-08-15'
+description: Generated datasets for Cisco Isovalent Process Exec EventType.
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log
+sourcetypes:
+- cisco:isovalent
+references:
+- https://docs.isovalent.com/operations-guide/tetragon/installation/helm.html
+- https://docs.isovalent.com/user-guide/sec-ops-visibility/index.html
+- https://isovalent.com/blog/post/isovalent-splunk-better-together/
From 8cecfe4f06379d9659721cfcc0226c268dbb4b18 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 15 Aug 2025 13:03:03 -0700
Subject: [PATCH 2/4] mention simulations
---
 datasets/cisco_isovalent/cisco_isovalent.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/datasets/cisco_isovalent/cisco_isovalent.yml b/datasets/cisco_isovalent/cisco_isovalent.yml
index 468193aa..2224d175 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.yml
+++ b/datasets/cisco_isovalent/cisco_isovalent.yml
@@ -1,7 +1,9 @@
 author: Bhavin Patel, Splunk
 id: 1fc537db-5e0b-4a2e-a768-27e08eff0c70
 date: '2025-08-15'
-description: Generated datasets for Cisco Isovalent Process Exec EventType.
+description: Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the following detections:
+ * Cisco Isovalent - Detect Shell Execution
+ * Cisco Isovalent - Curl Execution With Insecure Flags
 dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log
 sourcetypes:
From bb267d6db2e285aeef1233928426b4b210187f07 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 19 Aug 2025 14:04:58 -0700
Subject: [PATCH 3/4] updating attack data yaml
---
 datasets/cisco_isovalent/cisco_isovalent.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/datasets/cisco_isovalent/cisco_isovalent.yml b/datasets/cisco_isovalent/cisco_isovalent.yml
index 2224d175..abffeb65 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.yml
+++ b/datasets/cisco_isovalent/cisco_isovalent.yml
@@ -4,11 +4,10 @@ date: '2025-08-15'
 description: Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the following detections:
 * Cisco Isovalent - Detect Shell Execution
 * Cisco Isovalent - Curl Execution With Insecure Flags
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log
-sourcetypes:
-- cisco:isovalent
-references:
-- https://docs.isovalent.com/operations-guide/tetragon/installation/helm.html
-- https://docs.isovalent.com/user-guide/sec-ops-visibility/index.html
-- https://isovalent.com/blog/post/isovalent-splunk-better-together/
+environment: manual simulations in a K8s cluster running Tetragon
+mitre_technique: []
+datasets:
+- name: cisco_isovalent
+ path: /datasets/cisco_isovalent/cisco_isovalent.log
+ sourcetype: cisco:isovalent
+ source: cisco_isovalent
\ No newline at end of file
From 1440db8120e48ddfc99e08e51ee750f3becd4ac9 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 19 Aug 2025 17:08:18 -0700
Subject: [PATCH 4/4] new yaml
---
 datasets/cisco_isovalent/cisco_isovalent.log | 4 ++--
 datasets/cisco_isovalent/cisco_isovalent.yml | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/datasets/cisco_isovalent/cisco_isovalent.log b/datasets/cisco_isovalent/cisco_isovalent.log
index e759e95d..81a1097c 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.log
+++ b/datasets/cisco_isovalent/cisco_isovalent.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:9c4819ae88000128304123cbb7e4120c780f9228904cbe9d6012c21a23f345c3
-size 9270
+oid sha256:a3b686ab456637b24d559663913862b9962c7a3ccbc0f64d8a53010f9a59ecb2
+size 15566
diff --git a/datasets/cisco_isovalent/cisco_isovalent.yml b/datasets/cisco_isovalent/cisco_isovalent.yml
index abffeb65..90157a40 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.yml
+++ b/datasets/cisco_isovalent/cisco_isovalent.yml
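Review bot: `mitre_technique: []` ships the dataset with no ATT&CK mapping even though the description two lines above names the detections it simulates (shell execution, curl with insecure flags), so downstream tooling that indexes datasets by technique will not find it; populate the list from the technique IDs those detection definitions declare (Command and Scripting Interpreter, T1059, is the obvious candidate for the shell-execution case — confirm against the detection YAMLs) instead of leaving it empty. The hunk also deletes the three `references:` URLs without carrying them anywhere; if the new schema has no references field, fold the Tetragon installation and Isovalent/Splunk integration links into the description so the provenance of the simulation environment stays discoverable. The replacement block ends with `\ No newline at end of file`; add the trailing newline. `path: /datasets/cisco_isovalent/cisco_isovalent.log` is written with a leading slash, which reads as an absolute path while the file lives under the repository root — worth confirming that is the loader's expected form.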
@@ -1,7 +1,8 @@
 author: Bhavin Patel, Splunk
 id: 1fc537db-5e0b-4a2e-a768-27e08eff0c70
 date: '2025-08-15'
-description: Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the following detections:
+description: |
+  Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the following detections:
 * Cisco Isovalent - Detect Shell Execution
 * Cisco Isovalent - Curl Execution With Insecure Flags
 environment: manual simulations in a K8s cluster running Tetragon
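Review bot: The two `* Cisco Isovalent …` bullet lines under the new `description: |` are unchanged context, so they keep whatever indentation patch 2 gave them, and the `+ *` marker in that patch suggests a single leading space; a `|` block scalar fixes its indentation from the first content line (`  Generated …`, two spaces), and any bullet indented less than that ends the scalar early and is then read as a plain value starting with `*`, which YAML treats as an alias indicator and rejects. Indent both bullets to at least two spaces so they stay inside the block, e.g. `  * Cisco Isovalent - Detect Shell Execution`. The collapsed diff does not preserve whitespace reliably, so verify the rendered file with a YAML parser rather than by eye. Prefer `description: |-` over `description: |` so the value does not carry a trailing newline into whatever consumes it.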