Language: SPL | License: Apache-2.0 | Source: splunk/security_content

Cisco Isovalent - Cron Job Creation

The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by matching process execution logs for the cron binaries (crond, cron or crontab) running inside a pod, and summarizes the matches per cluster, pod, node and process. This behavior is significant for a SOC because it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.

Quality: 67
FP risk:
Rule source: detections/endpoint/cisco_isovalent___cron_job_creation.yml
`cisco_isovalent_process_exec` process_name IN ("crond","cron","crontab")
| search pod_name!=""
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
        values(process) as process
    by cluster_name pod_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___cron_job_creation_filter`
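As an added illustration that is not part of the rule or of the splunk/security_content project, the Python below reproduces the search's filter and aggregation steps over constructed process_exec records: it keeps only crond/cron/crontab executions with a non-empty pod_name, groups by the same fields as the `stats ... by` clause, computes count, firstTime, lastTime and the distinct `process` values, and uses a pod allowlist as a stand-in for the `cisco_isovalent___cron_job_creation_filter` tuning macro. The `security_content_ctime` formatting is assumed to be `%m/%d/%Y %H:%M:%S` in UTC, and every event value (cluster, pod, node and process names, PIDs, timestamps) is constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Process names the rule matches (the IN ("crond","cron","crontab") clause).
CRON_BINARIES = {"crond", "cron", "crontab"}

# Fields the rule's `stats ... by` clause groups on.
GROUP_BY = ("cluster_name", "pod_name", "parent_process_name", "process_name",
            "process_exec", "process_id", "node_name")

# Constructed sample process_exec events; not real telemetry.
SAMPLE_EVENTS = [
    # Two crontab executions in the same pod under the same key, so that
    # count and values(process) have something to aggregate.
    {"_time": 1700000000, "cluster_name": "prod-east", "node_name": "node-1",
     "pod_name": "web-7d9f4", "parent_process_name": "bash",
     "process_name": "crontab", "process_exec": "/usr/bin/crontab",
     "process_id": 4213, "process": "crontab -l"},
    {"_time": 1700000045, "cluster_name": "prod-east", "node_name": "node-1",
     "pod_name": "web-7d9f4", "parent_process_name": "bash",
     "process_name": "crontab", "process_exec": "/usr/bin/crontab",
     "process_id": 4213, "process": "crontab -"},
    # Host-level crond with no pod_name: dropped by `search pod_name!=""`.
    {"_time": 1700000100, "cluster_name": "prod-east", "node_name": "node-2",
     "pod_name": "", "parent_process_name": "systemd",
     "process_name": "crond", "process_exec": "/usr/sbin/crond",
     "process_id": 812, "process": "/usr/sbin/crond -n"},
    # Unrelated process: dropped by the process_name filter.
    {"_time": 1700000200, "cluster_name": "prod-east", "node_name": "node-1",
     "pod_name": "web-7d9f4", "parent_process_name": "bash",
     "process_name": "sh", "process_exec": "/bin/sh",
     "process_id": 4300, "process": "sh -c ls"},
    # A pod that legitimately runs crond; suppressed via the allowlist.
    {"_time": 1700000300, "cluster_name": "prod-east", "node_name": "node-1",
     "pod_name": "nightly-report-2k8", "parent_process_name": "tini",
     "process_name": "crond", "process_exec": "/usr/sbin/crond",
     "process_id": 7, "process": "crond -f"},
]


def security_content_ctime(epoch):
    """Stand-in for the security_content_ctime macro (assumed: %m/%d/%Y %H:%M:%S, UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def detect_cron_job_creation(events, allowlisted_pods=frozenset()):
    """Apply the rule's filter and stats aggregation; returns one row per group."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None,
                                  "lastTime": None, "process": set()})
    for ev in events:
        if ev.get("process_name") not in CRON_BINARIES:   # process_name IN (...)
            continue
        if not ev.get("pod_name"):                        # search pod_name!=""
            continue
        key = tuple(ev.get(field) for field in GROUP_BY)
        agg = groups[key]
        agg["count"] += 1
        t = ev["_time"]
        agg["firstTime"] = t if agg["firstTime"] is None else min(agg["firstTime"], t)
        agg["lastTime"] = t if agg["lastTime"] is None else max(agg["lastTime"], t)
        if ev.get("process") is not None:
            agg["process"].add(ev["process"])

    rows = []
    for key, agg in groups.items():
        row = dict(zip(GROUP_BY, key))
        # Hypothetical tuning filter in place of the *_filter macro: drop known-good pods.
        if row["pod_name"] in allowlisted_pods:
            continue
        row.update(
            count=agg["count"],
            firstTime=security_content_ctime(agg["firstTime"]),
            lastTime=security_content_ctime(agg["lastTime"]),
            process=sorted(agg["process"]),   # values() yields distinct, sorted values
        )
        rows.append(row)
    rows.sort(key=lambda r: (r["cluster_name"], r["pod_name"], r["process_id"]))
    return rows


if __name__ == "__main__":
    for row in detect_cron_job_creation(SAMPLE_EVENTS, allowlisted_pods={"nightly-report-2k8"}):
        print(row)
```

Running the block prints a single row for pod `web-7d9f4` with count 2 and both crontab command lines; without the allowlist the `nightly-report-2k8` crond row appears as well, which is the kind of known-good pod the filter macro exists to tune out.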