SPL · Apache-2.0 · from splunk/security_content

Cisco Isovalent - Non Allowlisted Image Use

The following analytic detects use of container images that fall outside an approved allowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and workload identity). Adversaries commonly introduce untrusted or newly published images to deploy tooling, establish persistence, or abuse supply‑chain trust. This behavior may indicate image pulls from unauthorized registries, execution of unvetted software, or a drift from established deployment baselines. Extra scrutiny is warranted for namespaces and workloads that normally source images from restricted registries, and for pods that suddenly begin running images outside expected prefixes. Maintain an environment‑specific allowlist via the macro `cisco_isovalent_allowed_images` (for example, allow trusted registries/prefixes such as ImageName="gcr.io/org/*", "registry.local/*", or "myco/*") and keep it updated as new baseline images are introduced. This analytic alerts on images NOT matching the allowlist.

Rule source: detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml
`cisco_isovalent_process_exec` pod_name!=""
| search NOT `cisco_isovalent_allowed_images`
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
    by pod_image_name pod_namespace pod_name process_name cluster_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___non_allowlisted_image_use_filter`
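The search above only runs inside Splunk, so the following is an added, stand-alone Python re-implementation of the same logic (not code from splunk/security_content or from Cisco/Isovalent) that can be used to sanity-check an allowlist before deploying it. It assumes: a hypothetical allowlist `ALLOWED_IMAGES` standing in for the `cisco_isovalent_allowed_images` macro; a small set of constructed events already normalized to the field names the query groups on (`pod_image_name`, `pod_namespace`, `pod_name`, `process_name`, `cluster_name`, `_time`); and Docker-style short-name expansion (`nginx:1.25` to `docker.io/library/nginx:1.25`) as the normalization step, which is an assumption about how your runtime reports image references. It goes slightly beyond the page's SPL by covering two cases the description does not spell out: anchored prefix matching (so `myco/*` must not match `evil.io/myco/x`) and short image names that would otherwise slip past a registry-qualified allowlist.

```python
"""Toy replica of 'Cisco Isovalent - Non Allowlisted Image Use' (added example).

Mirrors the SPL: keep events with a non-empty pod_name, drop images that match
the allowlist, then count / min(_time) / max(_time) by the same group-by keys.
"""
from __future__ import annotations

from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Hypothetical allowlist standing in for the `cisco_isovalent_allowed_images` macro.
ALLOWED_IMAGES = ["gcr.io/org/*", "registry.local/*", "docker.io/myco/*"]

GROUP_KEYS = ("pod_image_name", "pod_namespace", "pod_name", "process_name", "cluster_name")


def normalize_image(name: str) -> str:
    """Expand Docker-style short names (assumed normalization, not Tetragon's own).

    'nginx:1.25'  -> 'docker.io/library/nginx:1.25'
    'myco/web'    -> 'docker.io/myco/web'
    Names whose first path component looks like a registry host are left alone.
    """
    first, sep, _rest = name.partition("/")
    looks_like_host = "." in first or ":" in first or first == "localhost"
    if sep and looks_like_host:
        return name
    if not sep:
        return f"docker.io/library/{name}"
    return f"docker.io/{name}"


def is_allowed(image: str, patterns=ALLOWED_IMAGES) -> bool:
    """fnmatchcase anchors at both ends, so 'docker.io/myco/*' never matches
    'evil.io/docker.io/myco/x' or 'evil.io/myco/x'."""
    img = normalize_image(image)
    return any(fnmatchcase(img, p) for p in patterns)


def ctime(epoch: int) -> str:
    """Stand-in for `security_content_ctime`: epoch seconds -> ISO-like UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect(events: list[dict]) -> list[dict]:
    """Return one row per (image, namespace, pod, process, cluster) that is NOT allowlisted."""
    groups: dict[tuple, dict] = {}
    for ev in events:
        if not ev.get("pod_name"):          # `pod_name!=""`: skip host-level processes
            continue
        if is_allowed(ev["pod_image_name"]):  # `NOT `cisco_isovalent_allowed_images``
            continue
        key = tuple(ev.get(k, "") for k in GROUP_KEYS)
        row = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return [dict(zip(GROUP_KEYS, k), **v) for k, v in groups.items()]


# Constructed sample events (not real telemetry), already mapped to the query's field names.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "pod_image_name": "gcr.io/org/api:1.4", "pod_namespace": "payments",
     "pod_name": "api-7c9d-x1", "process_name": "python3", "cluster_name": "prod-eu"},
    {"_time": 1700000010, "pod_image_name": "registry.local/batch/etl:2", "pod_namespace": "data",
     "pod_name": "etl-0", "process_name": "java", "cluster_name": "prod-eu"},
    {"_time": 1700000020, "pod_image_name": "myco/web:3.0", "pod_namespace": "web",  # short name, allowed
     "pod_name": "web-5f6a-q2", "process_name": "nginx", "cluster_name": "prod-eu"},
    {"_time": 1700000030, "pod_image_name": "docker.io/library/nginx:latest", "pod_namespace": "web",
     "pod_name": "debug-1", "process_name": "sh", "cluster_name": "prod-eu"},
    {"_time": 1700000040, "pod_image_name": "evil.io/myco/miner:latest", "pod_namespace": "payments",
     "pod_name": "api-7c9d-zz9", "process_name": "xmrig", "cluster_name": "prod-eu"},
    {"_time": 1700000100, "pod_image_name": "evil.io/myco/miner:latest", "pod_namespace": "payments",
     "pod_name": "api-7c9d-zz9", "process_name": "xmrig", "cluster_name": "prod-eu"},
    {"_time": 1700000050, "pod_image_name": "", "pod_namespace": "",  # host process: no pod_name
     "pod_name": "", "process_name": "sshd", "cluster_name": "prod-eu"},
    {"_time": 1700000060, "pod_image_name": "nginx:1.25", "pod_namespace": "web",  # short name, NOT allowed
     "pod_name": "adhoc-3", "process_name": "nginx", "cluster_name": "prod-eu"},
]


def find_row(rows: list[dict], image: str) -> dict | None:
    return next((r for r in rows if r["pod_image_name"] == image), None)


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(r["count"], ctime(r["firstTime"]), ctime(r["lastTime"]),
              r["pod_image_name"], r["pod_namespace"], r["pod_name"], r["process_name"], r["cluster_name"])
```

Before trusting the real macro, confirm that it filters on the same field the `stats ... by` clause uses (`pod_image_name`), that each pattern is anchored to the start of the reference rather than a bare substring, and that images which your runtime reports without a registry prefix are either normalized or explicitly covered, since a registry-qualified allowlist silently fails to match them and every such image becomes an alert.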