From ff0d36f844d1015a5c721be80981dbdda0d7dfb3 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 30 Sep 2025 15:54:51 -0700
Subject: [PATCH 1/6] adding new events
---
 datasets/cisco_isovalent/cisco_isovalent.log | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasets/cisco_isovalent/cisco_isovalent.log b/datasets/cisco_isovalent/cisco_isovalent.log
index 8c8ec2b8..ebf9636c 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.log
+++ b/datasets/cisco_isovalent/cisco_isovalent.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:394615d79fe94d4cbb71865f3753f8841e939f5d0575107e4729d49babb11834
-size 176662
+oid sha256:ede4e4aeacceeefedd74be4fc39a4eb8a5b1cc285fc3877e16caf9d985a2165d
+size 183173
From 8d1145980df00e12b798d643caab309c867bee83 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 1 Oct 2025 12:20:35 -0700
Subject: [PATCH 2/6] adding another event
---
 datasets/cisco_isovalent/cisco_isovalent.log | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasets/cisco_isovalent/cisco_isovalent.log b/datasets/cisco_isovalent/cisco_isovalent.log
index ebf9636c..233d308f 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.log
+++ b/datasets/cisco_isovalent/cisco_isovalent.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ede4e4aeacceeefedd74be4fc39a4eb8a5b1cc285fc3877e16caf9d985a2165d
-size 183173
+oid sha256:2cb7e1ad95df218a8823f7f7d517be3f57ee067716c7efb35edc9bb0e1fa7914
+size 187448
From fd822737ec144594ead56bd7647280c89c7fbb3c Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 1 Oct 2025 15:15:32 -0700
Subject: [PATCH 3/6] adding new escape dataset
---
 .../cisco_isovalent_k8_escape/cisco_isovalent.log | 0
 .../cisco_isovalent_k8_escape/cisco_isovalent.yml | 13 +++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log
 create mode 100644 datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml
diff --git a/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log b/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log
new file mode 100644
index 00000000..e69de29b
diff --git a/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml b/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml
new file mode 100644
index 00000000..c5b720a6
--- /dev/null
+++ b/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml
@@ -0,0 +1,13 @@
+author: Bhavin Patel, Splunk
+id: b5484a09-fc58-4817-9d42-cdbb2691147b
+date: '2025-10-01'
+description: |
+  Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the escaping from host.
+environment: manual simulations in a K8s cluster running Tetragon
+mitre_technique:
+- T1611
+datasets:
+- name: cisco_isovalent
+  path: /datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log
+  sourcetype: cisco:isovalent
+  source: cisco_isovalent
\ No newline at end of file
From a6259ca6049b07a536cb63d7e24c65fb607435e9 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 1 Oct 2025 15:37:55 -0700
Subject: [PATCH 4/6] updating
---
 datasets/cisco_isovalent/cisco_isovalent.yml | 4 ++++
 datasets/cisco_isovalent/kprobe_spike.log | 3 +++
 2 files changed, 7 insertions(+)
 create mode 100644 datasets/cisco_isovalent/kprobe_spike.log
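Review bot: The new dataset entry points at `/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.log`, but this same patch creates that file empty (diffstat `| 0`, index `00000000..e69de29b`), so the escape scenario ships no events; the sibling datasets store their logs as Git LFS pointers and this one needs the same. The entry also uses the generic `sourcetype: cisco:isovalent` while the description says the events are the Process Exec EventType, for which `datasets/cisco_isovalent/cisco_isovalent.yml` uses `cisco:isovalent:processExec` — if the detections key on the latter, this dataset will not be picked up by them. The description sentence reads awkwardly; suggest `Contains simulations of a container escape to the host (T1611).` The file also lacks a trailing newline (`\ No newline at end of file`), which recurs in the `datasets/cisco_isovalent/cisco_isovalent.yml` hunks of patches 4 and 6.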
diff --git a/datasets/cisco_isovalent/cisco_isovalent.yml b/datasets/cisco_isovalent/cisco_isovalent.yml
index 6b262eee..1b8e242d 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.yml
+++ b/datasets/cisco_isovalent/cisco_isovalent.yml
@@ -15,4 +15,8 @@ datasets:
 - name: delayed_shell
   path: /datasets/cisco_isovalent/cisco_isovalent_process_exec_delayed_shell.log
   sourcetype: cisco:isovalent:processExec
+  source: cisco_isovalent
+- name: kprobe_spike
+  path: /datasets/cisco_isovalent/kprobe_spike.log
+  sourcetype: cisco:isovalent:processExec
   source: cisco_isovalent
\ No newline at end of file
diff --git a/datasets/cisco_isovalent/kprobe_spike.log b/datasets/cisco_isovalent/kprobe_spike.log
new file mode 100644
index 00000000..ad24adb4
--- /dev/null
+++ b/datasets/cisco_isovalent/kprobe_spike.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d10d308e5840fae4cf7a7f720d7f7c0cb6a5aa41f7962c4fbdac1ba0df246a0e
+size 50652
From a4d54fcd08554b4163942021f4691027ed30858e Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 1 Oct 2025 15:38:00 -0700
Subject: [PATCH 5/6] direc
---
 datasets/cisco_isovalent/cisco_isovalent.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/datasets/cisco_isovalent/cisco_isovalent.yml b/datasets/cisco_isovalent/cisco_isovalent.yml
index 1b8e242d..98af8ebd 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.yml
+++ b/datasets/cisco_isovalent/cisco_isovalent.yml
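Review bot: The new `kprobe_spike` entry carries no indication of what scenario it captures, and the file's `description` (rewritten in the next patch) only talks about Process Exec events, so nothing in the metadata documents the kprobe dataset; a comment above the entry would fix that, e.g. `# kprobe_spike: <SCENARIO> — burst of Tetragon kprobe events, exercised by <DETECTION NAME>` with the placeholders filled in. The name alone does not tell a reader whether the spike is benign noise or an attack simulation, which matters for anyone choosing test data for a detection from this file.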
@@ -2,10 +2,9 @@ author: Bhavin Patel, Splunk
 id: 1fc537db-5e0b-4a2e-a768-27e08eff0c70
 date: '2025-08-15'
 description: |
-  Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the following detections:
-  * Cisco Isovalent - Detect Shell Execution
-  * Cisco Isovalent - Curl Execution With Insecure Flags
+  Generated datasets for Cisco Isovalent Process Exec EventType by manual /atomic-red team simulations in a K8s cluster running Tetragon
 environment: manual simulations in a K8s cluster running Tetragon
+directory: cisco_isovalent
 mitre_technique: []
 datasets:
 - name: cisco_isovalent
From 265da862ffb86cbeafdd8f9f0a15b8d4f143da47 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 1 Oct 2025 15:49:25 -0700
Subject: [PATCH 6/6] adding directory
---
 .../T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml | 1 +
 datasets/cisco_isovalent/cisco_isovalent.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml b/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml
index c5b720a6..a80097ff 100644
--- a/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml
+++ b/datasets/attack_techniques/T1611/cisco_isovalent_k8_escape/cisco_isovalent.yml
@@ -4,6 +4,7 @@ date: '2025-10-01'
 description: |
   Generated datasets for Cisco Isovalent Process Exec EventType. Contains simulations for the escaping from host.
 environment: manual simulations in a K8s cluster running Tetragon
+directory: cisco_isovalent_k8_escape
 mitre_technique:
 - T1611
 datasets:
diff --git a/datasets/cisco_isovalent/cisco_isovalent.yml b/datasets/cisco_isovalent/cisco_isovalent.yml
index 98af8ebd..74217612 100644
--- a/datasets/cisco_isovalent/cisco_isovalent.yml
+++ b/datasets/cisco_isovalent/cisco_isovalent.yml
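Review bot: The rewritten description drops the list of detections these datasets back (`Cisco Isovalent - Detect Shell Execution`, `Cisco Isovalent - Curl Execution With Insecure Flags`), which was the only place in the metadata mapping dataset to detection; keep that list under the new sentence, or add a `# used by: …` comment on each entry under `datasets:`. The new sentence also has a stray space and slash in `by manual /atomic-red team simulations`; suggest `by manual and Atomic Red Team simulations`. It still describes only the Process Exec EventType although the preceding patch added `kprobe_spike`, which by name is a kprobe dataset — worth confirming and amending. `mitre_technique: []` stays empty while the sibling `cisco_isovalent_k8_escape/cisco_isovalent.yml` populates it with T1611; the shell and curl scenarios presumably map to techniques as well, so the empty list reads as a gap rather than a deliberate choice.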
@@ -17,5 +17,5 @@ datasets:
   source: cisco_isovalent
 - name: kprobe_spike
   path: /datasets/cisco_isovalent/kprobe_spike.log
-  sourcetype: cisco:isovalent:processExec
+  sourcetype: cisco:isovalent
   source: cisco_isovalent
\ No newline at end of file
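Review bot: `kprobe_spike` now uses the generic `sourcetype: cisco:isovalent` while `delayed_shell` (visible in the patch 4 hunk of this file) keeps `cisco:isovalent:processExec`, so a detection that filters on the processExec sourcetype will not see this dataset and one that filters on the generic sourcetype will not see the others — worth confirming the mix is intended. If kprobe events are a distinct Tetragon event type with its own sourcetype in the add-on, that would be the right value; otherwise document the fallback inline, e.g. `sourcetype: cisco:isovalent  # kprobe events are not processExec; generic sourcetype used`. The file still ends without a trailing newline.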