
Summary
This detection rule analyzes the network I/O behavior of Kubernetes containers by observing the ratio of inbound to outbound network I/O. It uses process metrics harvested by an OpenTelemetry (OTEL) collector with the Kubelet Stats Receiver, integrating the data from Splunk Observability Cloud. Specifically, it calculates the average and standard deviation of the network I/O ratio and flags an anomaly when the observed ratio deviates significantly from those baseline statistics over an extended period (exceeding an hour). A sustained deviation of this kind could indicate a security incident such as data exfiltration or compromised container activity, threatening data integrity and system availability within the Kubernetes cluster. The rule outlines the implementation steps required for effective anomaly detection, including OTEL deployment, metrics ingestion, and the Splunk configuration.
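The detection logic described above, as an added example that is not the rule's own search: it computes a baseline mean and standard deviation of the inbound/outbound ratio, then flags only containers whose ratio stays more than a threshold number of standard deviations away for longer than an hour. The 10-minute scrape cadence, the 3-sigma cut-off, the container names and the telemetry rows are all constructed assumptions.

```python
"""Sustained inbound/outbound network I/O ratio anomalies per container.
Added example, not Splunk's rule. Assumes a 10-minute kubelet scrape cadence,
"significant" = more than 3 standard deviations, and constructed telemetry."""
from statistics import mean, pstdev

SAMPLE_INTERVAL_MIN = 10   # assumed kubelet stats receiver scrape cadence
SUSTAINED_MIN = 60         # deviation must persist for more than an hour
Z_THRESHOLD = 3.0          # assumed cut-off for "significantly deviates"
# Constructed historical ratios (inbound bytes / outbound bytes) for the workload.
BASELINE_RATIOS = [0.20, 0.22, 0.18, 0.21, 0.19, 0.23, 0.20, 0.17, 0.22, 0.18]

def io_ratio(rx_bytes: int, tx_bytes: int) -> float:
    """Inbound-to-outbound byte ratio; a zero denominator is treated as 1 byte."""
    return rx_bytes / max(tx_bytes, 1)

def baseline(ratios):
    """Mean and population standard deviation of the historical ratios."""
    return mean(ratios), pstdev(ratios)

def flag_sustained_anomalies(samples, mu, sigma, threshold=Z_THRESHOLD,
                             sustained=SUSTAINED_MIN, interval=SAMPLE_INTERVAL_MIN):
    """Containers whose |ratio - mu| exceeds threshold*sigma on consecutive samples
    covering more than `sustained` minutes. samples: (container, minute, rx, tx)."""
    run_minutes = {}   # per-container length of the current anomalous run
    flagged = set()
    for container, _minute, rx, tx in samples:
        z = abs(io_ratio(rx, tx) - mu) / sigma if sigma > 0 else 0.0
        if z > threshold:
            run_minutes[container] = run_minutes.get(container, 0) + interval
            if run_minutes[container] > sustained:
                flagged.add(container)
        else:
            run_minutes[container] = 0   # one normal sample resets the run
    return sorted(flagged)

def constructed_samples():
    """Constructed 90 minutes of telemetry for three containers, 10-minute cadence."""
    rows = []
    for i in range(9):
        t = i * SAMPLE_INTERVAL_MIN
        rows.append(("api", t, 2_000_000, 10_000_000))     # steady ratio 0.20
        rows.append(("worker", t, 1_000_000, 50_000_000))  # 0.02 for 90 min: outbound-heavy
        cache_rx = 8_000_000 if i < 3 else 2_000_000       # 0.80 for 30 min only, then 0.20
        rows.append(("cache", t, cache_rx, 10_000_000))
    return rows

if __name__ == "__main__":
    mu, sigma = baseline(BASELINE_RATIOS)
    print(f"baseline mean={mu:.3f} stdev={sigma:.3f}")
    print("sustained anomalies:", flag_sustained_anomalies(constructed_samples(), mu, sigma))
```

The short 30-minute spike on the `cache` container is deliberately not flagged, which is the false-positive suppression the extended-period requirement buys; shortening `sustained` would surface it.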
Categories
- Kubernetes
- Cloud
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1204
Created: 2024-11-14