Cisco Isovalent - Kprobe Spike

Status: production
Group by: _time, pod_name
Author: Bhavin Patel, Splunk
Source: github.com/splunk/security_content

This analytic detects excessive kernel probe (kprobe) events in a Kubernetes cluster over a short period of time. Kprobes are a Linux kernel debugging and instrumentation mechanism that allows dynamic monitoring and tracing of kernel functions and system calls. In containerized or cloud-native environments, kprobes are occasionally used for legitimate low-level diagnostics; however, monitoring a spike in kprobe activity is important because malware or attackers may abuse this mechanism to gain insights into the kernel, attempt privilege escalation, or tamper with host processes. More than 10 kprobe events within 5 minutes may indicate suspicious activity, such as an attacker probing the kernel through repeated system calls (e.g., nsenter, mount, sethostname). Such abnormal volume and frequency of kprobe usage within application pods or on nodes can signal container escape attempts or low-level tampering with the host, thereby representing a potential security threat.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1068` Exploitation for Privilege Escalation

Rule body splunk

name: Cisco Isovalent - Kprobe Spike
id: 3df0e9a8-7d5e-4b2f-bcd7-bf93e671d1f2
version: 4
creation_date: '2026-01-05'
modification_date: '2026-05-13'
author: Bhavin Patel, Splunk
status: production
type: Hunting
description: |
    This analytic detects excessive kernel probe (kprobe) events in a Kubernetes cluster over a short period of time.
    Kprobes are a Linux kernel debugging and instrumentation mechanism that allows dynamic monitoring and tracing of kernel functions and system calls.
    In containerized or cloud-native environments, kprobes are occasionally used for legitimate low-level diagnostics; however, monitoring a spike in kprobe activity is important because malware or attackers may abuse this mechanism to gain insights into the kernel, attempt privilege escalation, or tamper with host processes.
    More than 10 kprobe events within 5 minutes may indicate suspicious activity, such as an attacker probing the kernel through repeated system calls (e.g., nsenter, mount, sethostname).
    Such abnormal volume and frequency of kprobe usage within application pods or on nodes can signal container escape attempts or low-level tampering with the host, thereby representing a potential security threat.
data_source:
    - Cisco Isovalent Process Kprobe
search: |
    `cisco_isovalent` process_kprobe.action!=""
    | bin _time span=5m | rename process_kprobe.parent.pod.name as pod_name
    | stats count as kprobe_count
            values(process_kprobe.function_name) as functions
            values(process_kprobe.process.binary) as binaries
            values(process_kprobe.args{}.string_arg) as args
      by pod_name _time
    | where kprobe_count > 10 | `cisco_isovalent___kprobe_spike_filter`
how_to_implement: |
    Requires Cisco Isovalent Runtime Security with kprobe tracing enabled and logs
    forwarded into Splunk. Ensure that your Splunk Technology Add-on (TA) for Cisco
    Security Cloud parses the kprobe JSON correctly. Tune the threshold based on
    your workload baseline.
known_false_positives: |
    Busy or noisy pods may legitimately produce bursts of kprobe events during normal
    operation. Tune thresholds and filter by function_name to reduce false positives.
references:
    - https://docs.isovalent.com/user-guide/sec-ops-visibility/process-execution/index.html
analytic_story:
    - Cisco Isovalent Suspicious Activity
    - VoidLink Cloud-Native Linux Malware
asset_type: Endpoint
mitre_attack_id:
    - T1068
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/kprobe_spike.log
          source: not_applicable
          sourcetype: cisco:isovalent
      test_type: unit

Stages and Predicates

Stage 1: `search`

`cisco_isovalent` process_kprobe.action!=""

Stage 2: `bucket`

| bin _time span=5m

Stage 3: `rename`

| rename process_kprobe.parent.pod.name as pod_name

Stage 4: `stats`

| stats count as kprobe_count
        values(process_kprobe.function_name) as functions
        values(process_kprobe.process.binary) as binaries
        values(process_kprobe.args{}.string_arg) as args
  by pod_name _time

Stage 5: `where`

| where kprobe_count > 10

Stage 6: `search`

| `cisco_isovalent___kprobe_spike_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`kprobe_count`	gt	`10`
`process_kprobe.action`	ne	`""`
`sourcetype`	eq	`cisco:isovalent`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Cisco Isovalent - Kprobe Spike

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `search`

Stage 2: `bucket`

Stage 3: `rename`

Stage 4: `stats`

Stage 5: `where`

Stage 6: `search`

Indicators

Keyboard shortcuts

Search operators

Cisco Isovalent - Kprobe Spike

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: search

Stage 2: bucket

Stage 3: rename

Stage 4: stats

Stage 5: where

Stage 6: search

Indicators

Stage 1: `search`

Stage 2: `bucket`

Stage 3: `rename`

Stage 4: `stats`

Stage 5: `where`

Stage 6: `search`