From 957e0f96797bb90eaf5e17f4354d1b5169e29eaa Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 28 Oct 2025 10:10:16 -0700
Subject: [PATCH 1/3] adding new dataset
---
datasets/attack_techniques/T1548/apt_get/apt_get.yml | 6 +++++-
.../attack_techniques/T1548/apt_get/cisco_isovalent.log | 3 +++
2 files changed, 8 insertions(+), 1 deletion(-)
create mode 100644 datasets/attack_techniques/T1548/apt_get/cisco_isovalent.log
diff --git a/datasets/attack_techniques/T1548/apt_get/apt_get.yml b/datasets/attack_techniques/T1548/apt_get/apt_get.yml
index f364fc5a..dfc1b3be 100644
--- a/datasets/attack_techniques/T1548/apt_get/apt_get.yml
+++ b/datasets/attack_techniques/T1548/apt_get/apt_get.yml
@@ -1,6 +1,6 @@
author: Gowthamaraj Rajendran, Splunk
id: 626b6584-bdcf-4b12-9e72-6c63eda796c0
-date: '2022-08-12'
+date: '2025-10-28'
description: apt-get linux living off the land and privilege escalation.
environment: attack_range
directory: apt_get
@@ -11,3 +11,7 @@ datasets:
path: /datasets/attack_techniques/T1548/apt_get/sysmon_linux.log
sourcetype: sysmon:linux
source: Syslog:Linux-Sysmon/Operational
+- name: cisco_isovalent
+ path: /datasets/attack_techniques/T1548/apt_get/cisco_isovalent.log
+ sourcetype: cisco:isovalent:processExec
+ source: not_applicable
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1548/apt_get/cisco_isovalent.log b/datasets/attack_techniques/T1548/apt_get/cisco_isovalent.log
new file mode 100644
index 00000000..27aff0ff
--- /dev/null
+++ b/datasets/attack_techniques/T1548/apt_get/cisco_isovalent.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40f1e95fcb0567995357804f746a23b3323aaa90752ca52bcaaa41e5706b6323
+size 8739
From 7312aecc25d647b1cd3d6c7e672f47386c5c4690 Mon Sep 17 00:00:00 2001
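Review bot: The `date` on this record moves from '2022-08-12' to '2025-10-28' while `id` and `author` are unchanged, so the entry now presents a dataset first published in 2022 as if it were created in 2025. If the field records first creation, keep '2022-08-12' and let version control carry the update; if it means last-modified, a one-line comment such as `# updated when the cisco_isovalent dataset was added` above the field would make that intent explicit for the next editor. The quoting itself is right: an unquoted 2025-10-28 would be retyped as a date object by YAML 1.1 loaders.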
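Review bot: The new `cisco_isovalent` entry sets `source: not_applicable`, whereas the sibling `sysmon_linux` entry in the same list carries a real `source` (`Syslog:Linux-Sysmon/Operational`); if the replay tooling stamps this value onto the indexed events, any detection that constrains `source` will never match the Isovalent data, so either record a meaningful source or confirm that the loader ignores the field for this sourcetype. The hunk also ends with `\ No newline at end of file` — terminate `source: not_applicable` with a newline so yamllint's `new-line-at-end-of-file` passes and the next append does not produce a noisy diff. The `cisco_isovalent.log` hunk is only a Git LFS pointer (oid and size), so the event content itself cannot be reviewed from this patch.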
From: Bhavin Patel
Date: Tue, 4 Nov 2025 15:49:56 -0800
Subject: [PATCH 2/3] access metadata service
---
.../isovalent_cloud_metadata.yml | 13 +++++++++++++
.../isovalent_cloud_metadata/process_connect.log | 3 +++
2 files changed, 16 insertions(+)
create mode 100644 datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/isovalent_cloud_metadata.yml
create mode 100644 datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/process_connect.log
diff --git a/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/isovalent_cloud_metadata.yml b/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/isovalent_cloud_metadata.yml
new file mode 100644
index 00000000..9f8d2b97
--- /dev/null
+++ b/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/isovalent_cloud_metadata.yml
@@ -0,0 +1,13 @@
+author: Bhavin Patel, Splunk
+id: 04085959-2f4e-4804-bebc-64daff81d0c4
+date: '2025-10-28'
+description: This data is created in Cisco isovalent cloud metadata lateral movement simulation using simulation
+environment: not_applicable
+directory: isovalent_cloud_metadata
+mitre_technique:
+- T1552.005
+datasets:
+- name: process_connect
+ path: /datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/process_connect.log
+ sourcetype: cisco:isovalent:processConnect
+ source: not_applicable
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/process_connect.log b/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/process_connect.log
new file mode 100644
index 00000000..7a61b4e0
--- /dev/null
+++ b/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/process_connect.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8de75328fd801d6516463f94b0bfd818b7ae731d97ced08feac0a7ecd628403
+size 15752
From 24a1d790e1e5202984d3801f0ade28034286323b Mon Sep 17 00:00:00 2001
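Review bot: `environment: not_applicable` leaves no record of where the processConnect events were generated, while the sibling `apt_get.yml` in this series records `attack_range`; a reader cannot tell from this file how to reproduce the data. If the schema accepts another value or free text, name the generation environment here (the later patch in the series describes a Kubernetes cluster running Tetragon and the Isovalent agent) rather than `not_applicable`, and likewise confirm that `source: not_applicable` is not stamped onto indexed events, since a detection that constrains `source` would then never match. The file also ends with `\ No newline at end of file`; add a trailing newline after `source: not_applicable`. The `date` value is correctly quoted so YAML 1.1 loaders keep it as a string.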
From: Bhavin Patel
Date: Tue, 4 Nov 2025 15:53:40 -0800
Subject: [PATCH 3/3] updating yaml
---
.../isovalent_cloud_metadata/isovalent_cloud_metadata.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/isovalent_cloud_metadata.yml b/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/isovalent_cloud_metadata.yml
index 9f8d2b97..f2e0d971 100644
--- a/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/isovalent_cloud_metadata.yml
+++ b/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/isovalent_cloud_metadata.yml
@@ -1,7 +1,7 @@
author: Bhavin Patel, Splunk
id: 04085959-2f4e-4804-bebc-64daff81d0c4
date: '2025-10-28'
-description: This data is created in Cisco isovalent cloud metadata lateral movement simulation using simulation
+description: This data is created in a K8s cluster running Tetragon and Cisco Isovalent Runtime Security to simulate accessing cloud metadata service.
environment: not_applicable
directory: isovalent_cloud_metadata
mitre_technique:
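Review bot: The rewritten description names the tooling but not the target, so a detection author still cannot tell which cloud provider's instance metadata endpoint was simulated and therefore which destination address or hostname to expect in the processConnect events; consider something like `description: Tetragon/Cisco Isovalent processConnect events from a Kubernetes pod simulating access to the <provider> instance metadata service (T1552.005).` with the provider filled in. The `environment: not_applicable` context line immediately below is left as is even though the description now identifies a Kubernetes cluster as the environment; aligning the two fields would avoid contradictory metadata. As a style point, spelling out `Kubernetes` rather than `K8s` matches the fully written product names on the same line.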