Language: SPL | License: Apache-2.0 | Source: splunk/security_content
Cisco Isovalent - Late Process Execution
Detects process executions that occur well after a container has initialized, which can indicate suspicious activity (e.g., interactive shells, injected binaries, or post-compromise tooling). The analytic compares the process start time to the container start time and flags processes launched more than 5 minutes (300 seconds) after initialization.
Rule source: detections/endpoint/cisco_isovalent___late_process_execution.yml
`cisco_isovalent_process_exec` process_name="sh"
| rename process_exec.process.start_time as ProcessStartTime
| rename process_exec.process.pod.container.start_time as ContainerStartTime
| eval ProcessStartTime=strptime(ProcessStartTime, "%Y-%m-%dT%H:%M:%S.%3Q")
| eval ContainerStartTime=strptime(ContainerStartTime, "%Y-%m-%dT%H:%M:%S.%9Q")
| eval ContainerTime5min=relative_time(ContainerStartTime, "+5m")
| where ProcessStartTime > ContainerTime5min
| table node_name, cluster_name, pod_name, container_id, process_name, process_exec, process, ProcessStartTime, ContainerTime5min
| `security_content_ctime(ProcessStartTime)`
| `security_content_ctime(ContainerTime5min)`
| `cisco_isovalent___late_process_execution_filter`