
Default Secure Workload Rules

Default Secure Workload rules are provided to help users construct rules that are meaningful in their own environment. These rules are displayed on the forensic config page and are not editable. They are available in all root scopes.

Figure 1: Default Rules

The default Secure Workload forensic rules are:

  1. Name Secure Workload - Privilege Escalation

    Clause EventType = Privilege Escalation and (ProcessInfo - ExecPath doesn’t contain sudo and ProcessInfo - ExecPath doesn’t contain ping and Privilege Escalation - Type ≠ Suid Binary)

    Description This rule reports privilege escalation events that are not generated by setuid binaries. Because the setuid classification alone does not reliably exclude them, the rule additionally filters out sudo and ping by “ProcessInfo - ExecPath”. Secure Workload users can filter out other setuid binaries by defining their own rules.

  2. Name Tetration - Unseen Command

    Clause EventType = Unseen Command and (Unseen Command - Parent Uptime (microseconds) >= 60000000 or ProcessInfo - ExecPath contains /bash or ProcessInfo - ExecPath contains /sh or ProcessInfo - ExecPath contains /ksh or Parent - ExecPath contains httpd or Parent - ExecPath contains apache or Parent - ExecPath contains nginx or Parent - ExecPath contains haproxy)

    Description This rule reports unseen command events that match at least one of the following criteria:

    1. The parent process has been running for at least 60,000,000 microseconds (60 seconds).

    2. Process ExecPath contains some type of shell, for example, /bash, /sh, and /ksh.

    3. Process parent ExecPath contains some type of server application, for example, httpd, apache, nginx, and haproxy.

  3. Name Tetration - Raw Socket

    Clause EventType = Raw Socket Creation and (Raw Socket - ExecPath doesn’t contain ping and Raw Socket - ExecPath doesn’t contain iptables and Raw Socket - ExecPath doesn’t contain xtables-multi)

    Description This rule reports raw socket creation events that are not generated by ping or iptables (on many distributions the iptables commands are symlinks to the xtables-multi binary, hence the third exclusion). Secure Workload users can filter out other binaries by defining their own rules.

  4. Name Tetration - Network Anomaly with Unseen Command

    Clause EventType = Network Anomaly and Network Anomaly - Unseen Command Count > 3 and Network Anomaly - Non-seasonal Deviation > 0

    Description This rule reports network anomaly events that match the following criteria:

    1. There are more than 3 Unseen Command events on the same workload within 15 minutes.

    2. The Non-seasonal PCR Deviation is greater than 0. Because 6.0 is the minimum deviation reported for any network anomaly event, this is equivalent to requiring a deviation of at least 6.0.

  5. Name Tetration - Anomalous Unseen Command

    Clause EventType = Unseen Command and Unseen Command - Anomaly - Score < 0.6

    Description This rule reports unseen command events whose anomaly score is less than 0.6, so that only highly anomalous events, whose commands do not resemble previously observed commands, are reported. The 0.6 threshold was chosen from Secure Workload’s experiments measuring how similar commands are at different thresholds. See Unseen Command for a detailed explanation of the score.

  6. Name Tetration - Unusual Parent of smss

    Clause EventType = Follow Process and ProcessInfo - ExecPath contains smss.exe and (Follow Process - ParentExecPath doesn’t contain smss.exe and Follow Process - ParentExecPath doesn’t contain System)

    Description This rule is specific to Windows. It alerts if smss.exe has a parent other than another instance of smss.exe or the System process.

  7. Name Tetration - Unusual Parent of wininit

    Clause EventType = Follow Process and ProcessInfo - ExecPath contains wininit.exe and Follow Process - ParentExecPath doesn’t contain smss.exe

    Description This rule is specific to Windows. It alerts if wininit.exe has a parent other than smss.exe.

  8. Name Tetration - Unusual Parent of RuntimeBroker

    Clause EventType = Follow Process and ProcessInfo - ExecPath contains RuntimeBroker.exe and Follow Process - ParentExecPath doesn’t contain svchost.exe

    Description This rule is specific to Windows. It alerts if RuntimeBroker.exe has a parent other than svchost.exe.

  9. Name Tetration - Unusual Parent of services

    Clause EventType = Follow Process and ProcessInfo - ExecPath contains services.exe and Follow Process - ParentExecPath doesn’t contain wininit.exe

    Description This rule is specific to Windows. It alerts if services.exe has a parent other than wininit.exe.

  10. Name Tetration - Unusual Parent of lsaio

    Clause EventType = Follow Process and ProcessInfo - ExecPath contains lsaio.exe and Follow Process - ParentExecPath doesn’t contain wininit.exe

    Description This rule is specific to Windows. It alerts if lsaio.exe has a parent other than wininit.exe.

  11. Name Tetration - Unusual Child of lsass

    Clause (EventType = Follow Process and ProcessInfo - ExecPath doesn’t contain efsui.exe and ProcessInfo - ExecPath doesn’t contain werfault.exe) with ancestor ProcessInfo - ExecPath contains lsass.exe

    Description This rule is specific to Windows. Unlike the parent rules above, it uses a “with ancestor” clause, so it alerts on any Follow Process event for a process other than efsui.exe or werfault.exe that has lsass.exe anywhere in its process lineage, not only as its immediate parent.
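To make the clause semantics concrete, the following is an added example (not Secure Workload’s own rule engine or data model) that encodes the eleven default rules as Python predicates and runs them over constructed events. The Process/Event classes, attribute names such as parent_uptime_us and anomaly_score, and the sample events are assumptions made for this illustration. It shows two details worth noticing when writing your own rules: “contains” is a plain substring test (so /usr/bin/shred matches “/sh”), and “with ancestor” walks the whole lineage rather than checking only the parent.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterator, Optional


@dataclass
class Process:
    """Assumed minimal process record: the executable path and a link to the parent."""
    exec_path: str
    parent: Optional["Process"] = None

    def ancestors(self) -> Iterator["Process"]:
        """Yield parent, grandparent, ... up to the root (used by 'with ancestor')."""
        p = self.parent
        while p is not None:
            yield p
            p = p.parent

    @property
    def parent_path(self) -> str:
        return self.parent.exec_path if self.parent else ""


@dataclass
class Event:
    event_type: str
    process: Process
    attrs: dict = field(default_factory=dict)  # event-type-specific fields (assumed names)


def none_of(haystack: str, *needles: str) -> bool:
    """'ExecPath doesn't contain X and doesn't contain Y': plain substring tests."""
    return not any(n in haystack for n in needles)


def any_of(haystack: str, *needles: str) -> bool:
    return any(n in haystack for n in needles)


def privilege_escalation(e: Event) -> bool:
    return (e.event_type == "Privilege Escalation"
            and none_of(e.process.exec_path, "sudo", "ping")
            and e.attrs.get("type") != "Suid Binary")


def unseen_command(e: Event) -> bool:
    # The three alternatives are grouped so they apply only to Unseen Command events.
    return e.event_type == "Unseen Command" and (
        e.attrs.get("parent_uptime_us", 0) >= 60_000_000
        or any_of(e.process.exec_path, "/bash", "/sh", "/ksh")
        or any_of(e.process.parent_path, "httpd", "apache", "nginx", "haproxy"))


def raw_socket(e: Event) -> bool:
    return (e.event_type == "Raw Socket Creation"
            and none_of(e.process.exec_path, "ping", "iptables", "xtables-multi"))


def network_anomaly_with_unseen_command(e: Event) -> bool:
    return (e.event_type == "Network Anomaly"
            and e.attrs.get("unseen_command_count", 0) > 3
            and e.attrs.get("non_seasonal_deviation", 0.0) > 0)


def anomalous_unseen_command(e: Event) -> bool:
    return e.event_type == "Unseen Command" and e.attrs.get("anomaly_score", 1.0) < 0.6


def unusual_parent(child: str, *expected_parents: str) -> Callable[[Event], bool]:
    """Rules 6-10: a Follow Process event for CHILD whose parent is none of the expected ones."""
    def rule(e: Event) -> bool:
        return (e.event_type == "Follow Process"
                and child in e.process.exec_path
                and none_of(e.process.parent_path, *expected_parents))
    return rule


def unusual_child_of_lsass(e: Event) -> bool:
    """Rule 11: 'with ancestor' walks the whole lineage, not just the immediate parent."""
    return (e.event_type == "Follow Process"
            and none_of(e.process.exec_path, "efsui.exe", "werfault.exe")
            and any("lsass.exe" in a.exec_path for a in e.process.ancestors()))


RULES: dict[str, Callable[[Event], bool]] = {
    "Secure Workload - Privilege Escalation": privilege_escalation,
    "Tetration - Unseen Command": unseen_command,
    "Tetration - Raw Socket": raw_socket,
    "Tetration - Network Anomaly with Unseen Command": network_anomaly_with_unseen_command,
    "Tetration - Anomalous Unseen Command": anomalous_unseen_command,
    "Tetration - Unusual Parent of smss": unusual_parent("smss.exe", "smss.exe", "System"),
    "Tetration - Unusual Parent of wininit": unusual_parent("wininit.exe", "smss.exe"),
    "Tetration - Unusual Parent of RuntimeBroker": unusual_parent("RuntimeBroker.exe", "svchost.exe"),
    "Tetration - Unusual Parent of services": unusual_parent("services.exe", "wininit.exe"),
    "Tetration - Unusual Parent of lsaio": unusual_parent("lsaio.exe", "wininit.exe"),
    "Tetration - Unusual Child of lsass": unusual_child_of_lsass,
}


def matching_rules(e: Event) -> list[str]:
    """Names of the default rules that fire for one event, in rule order."""
    return [name for name, pred in RULES.items() if pred(e)]


def sample_events() -> list[Event]:
    """Constructed sample events (not real telemetry)."""
    nginx = Process("/usr/sbin/nginx")
    lsass = Process(r"C:\Windows\System32\lsass.exe", Process(r"C:\Windows\System32\wininit.exe"))
    return [
        Event("Privilege Escalation", Process("/usr/bin/sudo"), {"type": "Suid Binary"}),
        Event("Privilege Escalation", Process("/tmp/exploit"), {"type": "Other"}),
        Event("Unseen Command", Process("/bin/sh", nginx), {"parent_uptime_us": 1_000, "anomaly_score": 0.9}),
        Event("Unseen Command", Process("/usr/bin/shred"), {"parent_uptime_us": 1_000, "anomaly_score": 0.2}),
        Event("Raw Socket Creation", Process("/sbin/xtables-multi")),
        Event("Network Anomaly", Process("/usr/bin/python3"), {"unseen_command_count": 4, "non_seasonal_deviation": 6.0}),
        Event("Follow Process", Process(r"C:\Windows\System32\services.exe", Process(r"C:\Users\Public\dropper.exe"))),
        # cmd.exe spawned by werfault.exe, which was itself spawned by lsass.exe: caught via the ancestor walk
        Event("Follow Process", Process(r"C:\Windows\System32\cmd.exe", Process(r"C:\Windows\System32\werfault.exe", lsass))),
    ]


if __name__ == "__main__":
    for ev in sample_events():
        print(f"{ev.event_type:22} {ev.process.exec_path:38} -> {matching_rules(ev)}")
```

Running it shows the sudo/setuid and xtables-multi events producing no alert, /usr/bin/shred firing the Unseen Command rule purely because its path contains “/sh”, and cmd.exe two levels below lsass.exe firing the lsass rule even though its direct parent is the allowed werfault.exe. When you clone a default rule, prefer anchored matches (for example a trailing “/sh” or a full path) over bare substrings where the Secure Workload clause editor lets you express them.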