diff --git a/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log b/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log
new file mode 100644
index 00000000..e69de29b
diff --git a/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml b/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml
new file mode 100644
index 00000000..a80097ff
--- /dev/null
+++ b/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml
@@ -0,0 +1,14 @@
+author: Bhavin Patel, Splunk
+id: b5484a09-fc58-4817-9d42-cdbb2691147b
+date: '2025-10-01'
+description: |
+  Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the escaping from host.
+environment: manual simulations in a K8s cluster running Tetragon
+directory: cisco_isovalent_k8_escape
+mitre_technique:
+- T1611
+datasets:
+- name: cisco_isovalent
+  path: /datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log
+  sourcetype: cisco:isovalent
+  source: cisco_isovalent
\ No newline at end of file
diff --git a/datasets/cisco_isovalent/cisco_isovalent.log b/datasets/cisco_isovalent/cisco_isovalent.log
index 8c8ec2b8..233d308f 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.log
+++ b/datasets/cisco_isovalent/cisco_isovalent.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:394615d79fe94d4cbb71865f3753f8841e939f5d0575107e4729d49babb11834
-size 176662
+oid sha256:2cb7e1ad95df218a8823f7f7d517be3f57ee067716c7efb35edc9bb0e1fa7914
+size 187448
diff --git a/datasets/cisco_isovalent/cisco_isovalent.yml b/datasets/cisco_isovalent/cisco_isovalent.yml
index 6b262eee..74217612 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.yml
+++ b/datasets/cisco_isovalent/cisco_isovalent.yml
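Review bot: The single dataset entry points at `/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log`, but that `.log` is added earlier in this diff with no hunk at all (`index 00000000..e69de29b`), i.e. it is committed empty rather than as a Git LFS pointer like the other `.log` files in this change, so any detection test that replays this dataset sees zero events and cannot validate the escape detection one way or the other. Either commit the captured Tetragon events (as an LFS pointer, matching `datasets/cisco_isovalent/*.log`) or hold the entry until the data exists. The description also misstates the technique: T1611 is Escape to Host, so `Contains simulations for the escaping from host.` should read `Contains simulations of container escape to the host (T1611).`, and naming the detection(s) this dataset exercises would let a reader tie the data to its test. Lastly, `sourcetype: cisco:isovalent` differs from the `cisco:isovalent:processExec` used by the existing process-exec datasets in this same diff; confirm which sourcetype the detection searches so the events are not silently ignored.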
@@ -2,10 +2,9 @@ author: Bhavin Patel, Splunk
 id: 1fc537db-5e0b-4a2e-a768-27e08eff0c70
 date: '2025-08-15'
 description: |
-  Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the following detections:
-  * Cisco Isovalent - Detect Shell Execution
-  * Cisco Isovalent - Curl Execution With Insecure Flags
+  Generated datasets for Cisco Isovalent Process Exec EventType by manual /atomic-red team simulations in a K8s cluster running Tetragon
 environment: manual simulations in a K8s cluster running Tetragon
+directory: cisco_isovalent
 mitre_technique: []
 datasets:
 - name: cisco_isovalent
@@ -15,4 +14,8 @@ datasets:
 - name: delayed_shell
   path: /datasets/cisco_isovalent/cisco_isovalent_process_exec_delayed_shell.log
   sourcetype: cisco:isovalent:processExec
+  source: cisco_isovalent
+- name: kprobe_spike
+  path: /datasets/cisco_isovalent/kprobe_spike.log
+  sourcetype: cisco:isovalent
   source: cisco_isovalent
\ No newline at end of file
diff --git a/datasets/cisco_isovalent/kprobe_spike.log b/datasets/cisco_isovalent/kprobe_spike.log
new file mode 100644
index 00000000..ad24adb4
--- /dev/null
+++ b/datasets/cisco_isovalent/kprobe_spike.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d10d308e5840fae4cf7a7f720d7f7c0cb6a5aa41f7962c4fbdac1ba0df246a0e
+size 50652
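Review bot: The rewritten description drops the list of detections this dataset backs and replaces it with a vaguer sentence that also carries a typo (`manual /atomic-red team simulations`); keep the enumeration so a reviewer can tell which detections depend on these events, e.g. `Generated datasets for the Cisco Isovalent Process Exec EventType, produced by manual and Atomic Red Team simulations in a K8s cluster running Tetragon. Exercises: Cisco Isovalent - Detect Shell Execution; Cisco Isovalent - Curl Execution With Insecure Flags.` `mitre_technique: []` is left empty in the same hunk; if the shell-execution and insecure-curl simulations map to ATT&CK techniques, populating it here would keep this file indexed consistently with the new T1611 sibling file in this diff.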
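Review bot: The new `kprobe_spike` entry uses `sourcetype: cisco:isovalent` while its sibling `delayed_shell` two lines above uses `cisco:isovalent:processExec`; if kprobe events really are a different event type this is intentional, but say so with a comment above the entry (`# kprobe events, not process_exec - different sourcetype on purpose`) so a later cleanup does not retag it, and make sure the consuming detection searches the matching sourcetype. The `+  source: cisco_isovalent` line added for `delayed_shell` quietly fixes an entry that previously had no `source`; that deserves a word in the commit message since it changes how existing tests ingest that file. `kprobe_spike.log` lands as an LFS pointer (size 50652) so its contents are not reviewable here; note in the description what the spike simulates (presumably a burst of kprobe events in a short window) so the threshold the detection is meant to trip on is documented next to the data.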