
Summary
This detection rule identifies anomalous inbound network traffic to processes running in Kubernetes workloads. It uses TCP and UDP traffic metrics collected by the OpenTelemetry (OTEL) Collector and analyzed in Splunk Observability Cloud. For each workload and process, the rule compares the inbound bytes and packet counts for both protocols over the past hour against the average and standard deviation of the same metrics over the preceding 30 days, and flags any metric whose current value exceeds the average by more than three standard deviations. A sudden increase in inbound traffic may indicate unauthorized data being pushed to a process, command-and-control activity, malware propagation, or other malicious operations. Alerts are aggregated per workload or process so that a single notification covers every metric that deviates for that process. Because the baseline is derived from the workload's own recent history, activity that has been present for most of the 30-day window is absorbed into the average and will not appear anomalous, workloads without 30 days of history cannot be scored at all, and legitimate periodic bursts (batch jobs, rollouts, load tests) will also cross the threshold and should be checked against change records before escalation.
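The comparison the rule performs is a per-metric z-score against a trailing baseline. The following is an added example that is not part of the original detection or of the Splunk/OTEL code base: it reimplements the logic in Python over constructed sample data so the threshold behaviour can be seen directly. The metric names, workload and process names, and the `detect_anomalies`/`zscore` helpers are all assumptions made for illustration; the real rule queries OTEL metric series in Splunk Observability Cloud rather than Python dictionaries. The example also handles the edge case the summary describes, a constant baseline (zero standard deviation), where any increase at all satisfies `current > avg + 3 * stdev`.

```python
import math
import statistics
from collections import defaultdict

# Hypothetical metric names standing in for the four OTEL-derived inbound series the
# rule compares (TCP/UDP bytes and packets). They are not the collector's real names.
METRICS = ("tcp_bytes_in", "tcp_packets_in", "udp_bytes_in", "udp_packets_in")
SIGMA_THRESHOLD = 3.0


def zscore(current, history):
    """Return (mean, stdev, z) of `current` against the historical samples.

    Population stdev is used because the 30-day window is treated as the whole
    baseline, not a sample of it. A constant baseline (stdev == 0) makes any
    increase infinitely anomalous, which is exactly how a naive
    `current > avg + 3*stdev` comparison behaves; callers should treat an
    infinite z as a data-quality signal rather than a confident detection.
    """
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    if stdev == 0.0:
        z = math.inf if current > mean else 0.0
    else:
        z = (current - mean) / stdev
    return mean, stdev, z


def detect_anomalies(history, current, threshold=SIGMA_THRESHOLD):
    """Score last-hour values against a 30-day baseline.

    history: {(workload, process): {metric: [historical hourly values]}}
    current: {(workload, process): {metric: value_for_last_hour}}
    Returns {(workload, process): {metric: z}} containing only metrics whose
    z-score exceeds `threshold`. The check is one-sided (spikes only), matching
    the rule's "more than three standard deviations above the average" logic.
    Alerts are grouped per workload/process so one key carries every deviating
    metric, mirroring the aggregation described in the summary.
    """
    alerts = defaultdict(dict)
    for key, metrics in current.items():
        base = history.get(key)
        if not base:
            # No 30-day baseline: the rule cannot score this workload. A real
            # deployment should surface brand-new workloads through a separate
            # inventory check rather than silently skipping them.
            continue
        for metric, value in metrics.items():
            hist = base.get(metric)
            if not hist:
                continue
            _mean, _stdev, z = zscore(value, hist)
            if z > threshold:
                alerts[key][metric] = round(z, 2)
    return dict(alerts)


def constructed_history():
    """Constructed 30-point baselines (not real telemetry)."""
    # Oscillates 1000..1040: mean 1020, population stdev sqrt(200) ~= 14.14,
    # so the alert threshold is roughly 1020 + 3*14.14 = 1062.4.
    steady = [1000 + (i % 5) * 10 for i in range(30)]
    return {
        ("payments-api", "java"): {m: list(steady) for m in METRICS},
        # Perfectly flat baseline: exercises the stdev == 0 edge case.
        ("batch-worker", "python"): {m: [500] * 30 for m in METRICS},
    }


def constructed_current():
    """Constructed last-hour values (not real telemetry)."""
    return {
        # 1100 is ~5.7 sigma above baseline; 1050 is only ~2.1 sigma, so no alert.
        ("payments-api", "java"): {
            "tcp_bytes_in": 1100, "tcp_packets_in": 1050,
            "udp_bytes_in": 1030, "udp_packets_in": 1020,
        },
        # A single extra byte on a flat baseline is "infinitely" anomalous.
        ("batch-worker", "python"): {
            "tcp_bytes_in": 500, "tcp_packets_in": 500,
            "udp_bytes_in": 501, "udp_packets_in": 500,
        },
        # No baseline at all: skipped, not scored.
        ("new-svc", "node"): {m: 10_000 for m in METRICS},
    }


if __name__ == "__main__":
    for key, deviating in detect_anomalies(constructed_history(), constructed_current()).items():
        print(f"{key[0]}/{key[1]}: {deviating}")
```

Running the block prints an alert for `payments-api/java` on `tcp_bytes_in` only, and an alert for `batch-worker/python` with an infinite z-score on `udp_bytes_in`, while `new-svc/node` produces nothing. The second result is the one to watch for in production: a flat baseline usually means the workload was idle or the metric was not being collected for most of the window, so the alert says more about the baseline than about the traffic.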
Categories
- Kubernetes
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1204
Created: 2024-11-14