splunk_escu · Anomaly

Cisco Isovalent - Access To Cloud Metadata Service

The following analytic detects workloads accessing the cloud instance metadata service at 169.254.169.254. This IP is used by AWS, GCP and Azure metadata endpoints and is frequently abused in SSRF or lateral movement scenarios to obtain credentials and sensitive environment details. Monitor unexpected access to this service from application pods or namespaces where such behavior is atypical.

MITRE ATT&CK

T1552.005 (Unsecured Credentials: Cloud Instance Metadata API)

Detection Query

`cisco_isovalent_process_connect` | rename process_connect.parent.binary as binary | `excluded_cloud_binaries`
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
        values(dest_port) as dest_port
        values(src_ip) as src_ip
    by cluster_name pod_name pod_image_name pod_namespace node_name dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___access_to_cloud_metadata_service_filter`

Author

Bhavin Patel, Splunk

Created

2026-03-10

Data Sources

Cisco Isovalent Process Connect

Tags

Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware

Raw Content

name: Cisco Isovalent - Access To Cloud Metadata Service
id: 7f2e1a9a-1e8e-4d2e-8b7c-5f2c3d6a9b21
version: 4
date: '2026-03-10'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
    - Cisco Isovalent Process Connect
status: production
description: The following analytic detects workloads accessing the cloud instance metadata service at 169.254.169.254. This IP is used by AWS, GCP and Azure metadata endpoints and is frequently abused in SSRF or lateral movement scenarios to obtain credentials and sensitive environment details. Monitor unexpected access to this service from application pods or namespaces where such behavior is atypical.
search: |
    `cisco_isovalent_process_connect` | rename process_connect.parent.binary as binary | `excluded_cloud_binaries`
    | stats count
            min(_time) as firstTime
            max(_time) as lastTime
            values(dest_port) as dest_port
            values(src_ip) as src_ip
        by cluster_name pod_name pod_image_name pod_namespace node_name dest_ip
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_isovalent___access_to_cloud_metadata_service_filter`
how_to_implement: This detection relies on Cisco Isovalent Runtime Security process_connect telemetry. Deploy Isovalent Runtime Security and the Cisco Security Cloud TA to collect these logs via HEC and normalize them. Optionally, a similar variant can be built with process_exec by looking for command-lines that reference 169.254.169.254 (for example curl or wget invocations from within pods). Please update a macro named `excluded_cloud_binaries` that returns true for binaries that are known to access the cloud metadata service.
known_false_positives: Legitimate platform components and node agents may query the metadata service. Validate by namespace, labels and workload identity; suppress expected sources and alert on atypical pods or namespaces.
references:
    - https://attack.mitre.org/techniques/T1552/005/
    - https://hackerone.com/reports/341876
    - https://docs.isovalent.com/user-guide/sec-ops-visibility/lateral-movement/index.html
drilldown_searches:
    - name: View the detection results for - "$pod_name$"
      search: '%original_detection_search% | search pod_name = "$pod_name$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$pod_name$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Pod [$pod_name$] accessed the cloud metadata service [$dest_ip$] in cluster [$cluster_name$]
    risk_objects:
        - field: pod_name
          type: system
          score: 20
    threat_objects:
        - field: src_ip
          type: ip_address
tags:
    analytic_story:
        - Cisco Isovalent Suspicious Activity
        - VoidLink Cloud-Native Linux Malware
    asset_type: Kubernetes
    mitre_attack_id:
        - T1552.005
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.005/isovalent_cloud_metadata/process_connect.log
          source: not_applicable
          sourcetype: cisco:isovalent:processConnect
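
The following Python re-implements the filtering and `stats` aggregation of the detection search above, together with the process_exec command-line variant suggested in how_to_implement, so the logic can be exercised offline without Splunk. It is an added example, not ESCU's or Isovalent's code: the events are constructed sample telemetry shaped like the fields the search uses, the binary paths in `EXCLUDED_CLOUD_BINARIES` are placeholders standing in for the `excluded_cloud_binaries` macro, and the assumption that the macro drops events whose parent binary is on that allowlist is this example's reading of the text.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

METADATA_IP = "169.254.169.254"

# Stand-in for the `excluded_cloud_binaries` macro from how_to_implement: parent
# binaries expected to reach the metadata service. The paths are constructed
# placeholders; populate this from your own platform components and node agents.
EXCLUDED_CLOUD_BINARIES = {
    "/opt/node-agent/node-agent",
    "/usr/local/bin/cloud-credential-provider",
}

# The `by` clause of the stats command in the detection search.
GROUP_BY = ("cluster_name", "pod_name", "pod_image_name",
            "pod_namespace", "node_name", "dest_ip")


def epoch(iso):
    """Constructed helper: ISO-8601 UTC string -> epoch seconds (_time)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


def ctime(t):
    """Mimics `security_content_ctime`: epoch seconds -> readable UTC timestamp."""
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def _event(time, pod, image, ns, node, dest_ip, port, src_ip, binary):
    return {"_time": epoch(time), "cluster_name": "prod-eu1", "pod_name": pod,
            "pod_image_name": image, "pod_namespace": ns, "node_name": node,
            "dest_ip": dest_ip, "dest_port": port, "src_ip": src_ip,
            "process_connect.parent.binary": binary}


# Constructed sample process_connect events, not real telemetry.
SAMPLE_EVENTS = [
    # Application pod reaching the metadata service twice: should alert.
    _event("2026-03-10T10:00:00", "web-7d9f-abcde", "registry.example/web:1.4", "shop",
           "node-a", METADATA_IP, 80, "10.0.1.15", "/usr/bin/curl"),
    _event("2026-03-10T10:02:30", "web-7d9f-abcde", "registry.example/web:1.4", "shop",
           "node-a", METADATA_IP, 80, "10.0.1.15", "/usr/bin/curl"),
    # Platform node agent: suppressed by the exclusion allowlist.
    _event("2026-03-10T10:01:00", "node-agent-x1y2z", "registry.example/node-agent:2.0",
           "kube-system", "node-a", METADATA_IP, 80, "10.0.1.2", "/opt/node-agent/node-agent"),
    # Ordinary egress to another service: not the metadata endpoint.
    _event("2026-03-10T10:03:00", "web-7d9f-abcde", "registry.example/web:1.4", "shop",
           "node-a", "10.0.5.9", 443, "10.0.1.15", "/usr/bin/curl"),
]


def detect(events, excluded=EXCLUDED_CLOUD_BINARIES):
    """Apply the search's filtering and stats aggregation to a list of events."""
    groups = defaultdict(lambda: {"count": 0, "times": [], "dest_port": set(), "src_ip": set()})
    for ev in events:
        if ev["dest_ip"] != METADATA_IP:
            continue
        # `rename process_connect.parent.binary as binary`, then the exclusion macro.
        binary = ev.get("process_connect.parent.binary")
        if binary in excluded:
            continue
        g = groups[tuple(ev[f] for f in GROUP_BY)]
        g["count"] += 1
        g["times"].append(ev["_time"])
        g["dest_port"].add(ev["dest_port"])
        g["src_ip"].add(ev["src_ip"])

    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=g["count"],
                   firstTime=ctime(min(g["times"])),   # min(_time) as firstTime
                   lastTime=ctime(max(g["times"])),    # max(_time) as lastTime
                   dest_port=sorted(g["dest_port"]),   # values(dest_port)
                   src_ip=sorted(g["src_ip"]))         # values(src_ip)
        rows.append(row)
    return rows


# process_exec variant from how_to_implement: match the metadata IP in a command
# line without matching longer dotted strings that merely contain it.
_METADATA_RE = re.compile(r"(?<![\d.])169\.254\.169\.254(?!\d)")


def exec_references_metadata(cmdline):
    return _METADATA_RE.search(cmdline) is not None


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(f"Pod [{row['pod_name']}] accessed the cloud metadata service "
              f"[{row['dest_ip']}] in cluster [{row['cluster_name']}] "
              f"count={row['count']} first={row['firstTime']} last={row['lastTime']}")
```

Running `detect(SAMPLE_EVENTS)` yields a single row for the `shop/web-7d9f-abcde` pod with `count=2`; the node agent is suppressed and the connection to `10.0.5.9` never enters the aggregation. Passing `excluded=set()` shows the false-positive volume the allowlist is removing, which is a useful check when tuning the macro for a new cluster.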