New legitimate images during rollouts or blue/green deployments may appear until the allowlist is updated. Coordinate with platform/DevOps teams to synchronize allowlist changes.

Techniques

Sample rules

Cisco Isovalent - Non Allowlisted Image Use

Description

The following analytic detects use of container images that fall outside an approved allowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and workload identity). Adversaries commonly introduce untrusted or newly published images to deploy tooling, establish persistence, or abuse supply-chain trust. This behavior may indicate image pulls from unauthorized registries, execution of unvetted software, or a drift from established deployment baselines. Extra scrutiny is warranted for namespaces and workloads that normally source images from restricted registries, and for pods that suddenly begin running images outside expected prefixes. Maintain an environment-specific allowlist via the macro cisco_isovalent_allowed_images (for example, allow trusted registries/prefixes such as ImageName="gcr.io/org/", "registry.local/", or "myco/*") and keep it updated as new baseline images are introduced. This analytic alerts on images NOT matching the allowlist.

Detection logic

`cisco_isovalent_process_exec` pod_name!=""
| search NOT `cisco_isovalent_allowed_images`
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
    by pod_image_name pod_namespace pod_name process_name cluster_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___non_allowlisted_image_use_filter`
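As an added example (not part of the Splunk content or the Isovalent integration), the following Python re-implements the allowlist test and the stats clause above over constructed process_exec events, so allowlist entries like the prefixes named in the description can be unit-tested before the macro is changed. The functions image_repo, is_allowed and non_allowlisted_image_use, the allowlist entries and the sample events are all assumptions made for this illustration.

```python
import fnmatch

# Constructed allowlist standing in for the cisco_isovalent_allowed_images macro:
# entries ending in "/" are registry/path prefixes, entries containing "*" are globs.
ALLOWED_IMAGES = ["gcr.io/org/", "registry.local/", "myco/*"]

def image_repo(image):
    """Strip a @digest or :tag so only the repository path is matched.
    A ':' after the last '/' is a tag; a ':' before it is a registry port."""
    image = image.split("@", 1)[0]
    colon = image.rfind(":")
    if colon > image.rfind("/"):
        image = image[:colon]
    return image

def is_allowed(image, allowlist=ALLOWED_IMAGES):
    """True when the image's repository matches an allowlist prefix or glob."""
    repo = image_repo(image)
    return any(fnmatch.fnmatchcase(repo, e) if "*" in e else repo.startswith(e)
               for e in allowlist)

def non_allowlisted_image_use(events, allowlist=ALLOWED_IMAGES):
    """Emulate the search: keep process_exec events that carry a pod_name, drop
    allowlisted images, then count/min/max _time by the stats clause's fields."""
    out = {}
    for ev in events:
        if not ev["pod_name"] or is_allowed(ev["pod_image_name"], allowlist):
            continue
        key = (ev["pod_image_name"], ev["pod_namespace"], ev["pod_name"],
               ev["process_name"], ev["cluster_name"])
        row = out.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return out

def _ev(t, image, pod, proc, ns="prod", cluster="east"):
    return {"_time": t, "pod_image_name": image, "pod_namespace": ns,
            "pod_name": pod, "process_name": proc, "cluster_name": cluster}

# Constructed sample telemetry (not real Tetragon output).
SAMPLE_EVENTS = [
    _ev(1700000000, "gcr.io/org/api:1.4.2", "api-7c9d", "/app/api"),              # allowed prefix
    _ev(1700000060, "docker.io/library/alpine:3.19", "debug-x1", "/bin/sh"),      # not allowed
    _ev(1700000120, "docker.io/library/alpine:3.19", "debug-x1", "/bin/sh"),      # same pod, counted twice
    _ev(1700000180, "gcr.io/organization/job@sha256:0123abcd", "job-1", "/job"),  # lookalike prefix, not allowed
    _ev(1700000240, "myco/worker:2.0", "worker-5", "/worker"),                     # allowed glob
    _ev(1700000300, "registry.local/tools:latest", "", "/bin/bash"),              # no pod_name: excluded
]
```

Note that "gcr.io/org/" with its trailing slash does not match "gcr.io/organization/", and a registry port such as registry.local:5000 needs its own allowlist entry.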