Kubernetes newly seen TCP edge

name: Kubernetes newly seen TCP edge
id: 13f081d6-7052-428a-bbb0-892c79ca7c65
version: 9
date: '2026-03-10'
author: Matthew Moore, Splunk
status: experimental
type: Anomaly
description: The following analytic identifies newly seen TCP communication between source and destination workload pairs within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares network activity over the last hour with the past 30 days to spot new inter-workload communications. This is significant as new connections can indicate changes in application behavior or potential security threats. If malicious, unauthorized connections could lead to data breaches, privilege escalation, lateral movement, or disruption of critical services, compromising the application's integrity, availability, and confidentiality.
data_source: []
search: |-
    | mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name
    | eval current="True"
    | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name
    | eval current="false" ]
    | eventstats values(current) as current
      BY source.workload.name dest.workload.name
    | search current="true" current!="false"
    | rename k8s.cluster.name as host
    | `kubernetes_newly_seen_tcp_edge_filter`
how_to_implement: "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://help.splunk.com/en/splunk-observability-cloud/monitor-infrastructure/network-explorer/set-up-network-explorer-in-kubernetes#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head.  Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n * Metric Resolution 10000"
known_false_positives: No false positives have been identified at this time.
references:
    - https://github.com/signalfx/splunk-otel-collector-chart
rba:
    message: Kubernetes newly seen TCP edge in kubernetes cluster $host$
    risk_objects:
        - field: host
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
    asset_type: Kubernetes
    mitre_attack_id:
        - T1204
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network