splunk_escuAnomaly

Kubernetes newly seen UDP edge

The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services.

Detection Query

| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name
| eval current="True"
| append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name
| eval current="false" ]
| eventstats values(current) as current
  BY source.workload.name dest.workload.name
| search current="true" current!="false"
| rename k8s.cluster.name as host
| `kubernetes_newly_seen_udp_edge_filter`

Author

Matthew Moore, Splunk

References

https://github.com/signalfx/splunk-otel-collector-chart

Raw Content

name: Kubernetes newly seen UDP edge
id: 49b7daca-4e3c-4899-ba15-9a175e056fa9
version: 10
creation_date: '2024-01-30'
modification_date: '2026-05-13'
author: Matthew Moore, Splunk
status: experimental
type: Anomaly
description: The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services.
data_source: []
search: |-
    | mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name
    | eval current="True"
    | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name
    | eval current="false" ]
    | eventstats values(current) as current
      BY source.workload.name dest.workload.name
    | search current="true" current!="false"
    | rename k8s.cluster.name as host
    | `kubernetes_newly_seen_udp_edge_filter`
how_to_implement: "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://help.splunk.com/en/splunk-observability-cloud/monitor-infrastructure/network-explorer/set-up-network-explorer-in-kubernetes#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head.  Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n * Metric Resolution 10000"
known_false_positives: No false positives have been identified at this time.
references:
    - https://github.com/signalfx/splunk-otel-collector-chart
intermediate_findings:
    entities:
        - field: host
          type: system
          score: 20
          message: Kubernetes newly seen UDP edge in kubernetes cluster $host$
analytic_story:
    - Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
asset_type: Kubernetes
mitre_attack_id:
    - T1204
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: network