Cisco Isovalent - Non Allowlisted Image Use

Splunk Security Content

Summary
This detection rule identifies the use of container images that are not on a predefined allowlist in Kubernetes environments, using telemetry from Cisco Isovalent/Tetragon. Adversaries often deploy untrusted images for malicious purposes, so monitoring which images containers actually run is an important control for container integrity. The rule alerts on containers that pull images from unauthorized registries or run unverified software. Process-execution telemetry from the `cisco_isovalent_process_exec` data source reveals attempts to run images outside the expected naming conventions. Setup requires maintaining a robust allowlist, defined through the `cisco_isovalent_allowed_images` macro, of trusted image sources such as specific registry paths, and Cisco Isovalent Runtime Security must be configured to collect the necessary logs. The analytic supports closer scrutiny of namespaces and pods that exhibit suspicious behavior, particularly those deviating from standard operational parameters. The allowlist must be updated during deployments, in coordination with development teams, to minimize false positives caused by new legitimate images. The rule also links to resources that discuss the risks associated with Kubernetes security.
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Process
ATT&CK Techniques
  • T1204.003
Created: 2026-01-05