
Kubernetes Anomalous Outbound Network Activity from Process

Splunk Security Content

Summary
This detection rule identifies anomalous outbound network activity from processes running inside containerized workloads in a Kubernetes environment by analyzing network performance monitoring (NPM) metrics. Using data collected by an OpenTelemetry (OTEL) collector and pulled from Splunk Observability Cloud, the rule compares each process's recent network metrics (TCP and UDP bytes, packets, and new sockets) over the last hour against that process's average for the previous 30 days. A large deviation from the baseline matters because it can indicate data exfiltration, unauthorized modification of a process, or compromise of the container. If the activity is confirmed to be malicious, it could lead to unauthorized data access and communication with potentially harmful entities inside the Kubernetes environment. The rule uses Splunk's mstats command to aggregate and evaluate the metrics, and alerts when the last-hour value exceeds the 30-day average by a set number of standard deviations. This approach highlights the need to monitor the network behaviour of containerized applications as part of securing a Kubernetes environment.
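The baseline-versus-recent comparison the summary describes, written out as an added Python example. This is not the rule's own SPL and not Splunk's code: it models the logic on constructed per-process hourly samples. The metric names (tcp_bytes, udp_bytes, tcp_packets, udp_packets, new_sockets), the process key fields (node, pod, container, process), the three-standard-deviation threshold and the fixed "now" timestamp are all assumptions made for the example; the page does not state the real rule's metric identifiers or threshold.

```python
"""Added example, not the Splunk rule's own SPL. Models the detection logic:
per process, build a 30-day mean and standard deviation for each network metric,
then flag any metric whose last-hour value exceeds mean + K * stddev."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumed metric labels; the OTEL collector's real metric names are not on the page.
METRICS = ("tcp_bytes", "udp_bytes", "tcp_packets", "udp_packets", "new_sockets")
BASELINE_DAYS = 30
RECENT_HOURS = 1
STDDEV_MULTIPLIER = 3.0  # assumed threshold, chosen for the example
# Assumed evaluation time (the page's creation date), so the example is deterministic.
NOW = datetime(2024, 11, 14, 12, 0, tzinfo=timezone.utc)


def build_baseline(samples, now):
    """Mean and population stddev per (process key, metric) over the baseline window.
    The recent window is excluded so an anomaly cannot inflate its own baseline."""
    start = now - timedelta(days=BASELINE_DAYS)
    recent_start = now - timedelta(hours=RECENT_HOURS)
    values = defaultdict(list)
    for s in samples:
        if start <= s["ts"] <= recent_start:
            for m in METRICS:
                values[(s["key"], m)].append(s[m])
    return {k: (mean(v), pstdev(v)) for k, v in values.items() if len(v) >= 2}


def recent_totals(samples, now):
    """Sum of each metric per process over the last RECENT_HOURS (window is (start, now])."""
    recent_start = now - timedelta(hours=RECENT_HOURS)
    totals = defaultdict(lambda: {m: 0.0 for m in METRICS})
    for s in samples:
        if recent_start < s["ts"] <= now:
            for m in METRICS:
                totals[s["key"]][m] += s[m]
    return totals


def find_anomalies(samples, now, multiplier=STDDEV_MULTIPLIER):
    """Return one alert per (process, metric) whose recent value is more than
    `multiplier` standard deviations above that process's 30-day mean."""
    baseline = build_baseline(samples, now)
    recent = recent_totals(samples, now)
    alerts = []
    for key, metrics in recent.items():
        for m, value in metrics.items():
            stats = baseline.get((key, m))
            if stats is None:
                continue  # no history for this process yet: nothing to compare against
            avg, sd = stats
            if value > avg + multiplier * sd:
                deviation = (value - avg) / sd if sd else float("inf")
                alerts.append({"key": key, "metric": m, "recent": value,
                               "avg": round(avg, 2), "stddev": round(sd, 2),
                               "deviation": deviation})
    return alerts


def constructed_samples(now):
    """Constructed hourly samples for two processes over 30 days. The sidecar's
    last hour is made anomalous; nginx stays within its normal variation."""
    samples = []
    for h in range(24 * BASELINE_DAYS):
        ts = now - timedelta(hours=h)
        jitter = (h % 3) - 1  # deterministic -1 / 0 / +1 variation instead of randomness
        samples.append({"ts": ts, "key": ("node-a", "web", "nginx", "nginx"),
                        "tcp_bytes": 1_000_000 + 50_000 * jitter, "udp_bytes": 0.0,
                        "tcp_packets": 800 + 40 * jitter, "udp_packets": 0.0,
                        "new_sockets": 20 + jitter})
        sidecar = {"ts": ts, "key": ("node-a", "web", "sidecar", "curl"),
                   "tcp_bytes": 5_000 + 200 * jitter, "udp_bytes": 0.0,
                   "tcp_packets": 10 + jitter, "udp_packets": 0.0,
                   "new_sockets": 1 + int(jitter > 0)}
        if h == 0:  # last hour: far more bytes, packets and new sockets than usual
            sidecar.update(tcp_bytes=900_000, tcp_packets=4_000, new_sockets=300)
        samples.append(sidecar)
    return samples


def demo():
    """Run the comparison on the constructed data; returns the alert list."""
    return find_anomalies(constructed_samples(NOW), NOW)


if __name__ == "__main__":
    for a in demo():
        node, pod, container, proc = a["key"]
        print(f"{node}/{pod}/{container}/{proc} {a['metric']}: recent={a['recent']} "
              f"avg={a['avg']} stddev={a['stddev']} deviation={a['deviation']:.1f}")
```

Two design points carry over to the real rule: the baseline window deliberately stops before the recent window, so the hour being judged does not raise its own average, and a process with no history produces no alert rather than a spurious one. Tune the multiplier per environment; bursty workloads such as batch jobs need a looser threshold or a longer recent window than steady request handlers.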
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
  • Network
Data Sources
  • Network Traffic
  • Container
  • Cloud Service
ATT&CK Techniques
  • T1204
Created: 2024-11-14