
Kubernetes newly seen TCP edge

Splunk Security Content

Summary
This analytic identifies newly observed TCP communication between workloads within a Kubernetes cluster, using Network Performance Monitoring (NPM) metrics collected by an OTEL collector and sourced from Splunk Observability Cloud. By comparing network activity in the past hour against the previous 30 days, the rule detects inter-workload communication that has only recently appeared. Newly established connections can signify changes in application behavior and may signal security risks such as unauthorized access, data breaches, privilege escalation, or lateral movement. This rule is important for maintaining the integrity, availability, and confidentiality of Kubernetes applications. The detection logic combines metrics from the Kubernetes cluster with a search command that highlights unique TCP connections absent from the historical data, so that a newly seen edge is surfaced as abnormal activity warranting investigation.
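The baseline-versus-recent comparison the summary describes, as an added illustration (not the Splunk Security Content search itself): an edge is the tuple (source workload, destination workload, destination port), and an edge is "newly seen" when it appears in the last hour but not in the 30 days before that hour. The flow records, workload names and window sizes are constructed for the example.

```python
"""Added example: flag newly seen TCP edges between Kubernetes workloads.
Flow records are constructed samples, not real NPM data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Edge:
    src_workload: str
    dst_workload: str
    dst_port: int


# Constructed NPM-style flow records: (timestamp, src, dst, dst_port).
NOW = datetime(2024, 11, 14, 12, 0, tzinfo=timezone.utc)
SAMPLE_FLOWS = [
    (NOW - timedelta(days=20), "frontend", "api", 8080),
    (NOW - timedelta(days=5), "api", "postgres", 5432),
    (NOW - timedelta(minutes=30), "frontend", "api", 8080),        # known edge
    (NOW - timedelta(minutes=10), "api", "postgres", 5432),        # known edge
    (NOW - timedelta(minutes=5), "frontend", "postgres", 5432),    # new edge
    (NOW - timedelta(minutes=2), "api", "kube-apiserver", 6443),   # new edge
]


def edges_in_window(flows, start, end):
    """Distinct edges whose timestamp falls in [start, end)."""
    return {Edge(s, d, p) for ts, s, d, p in flows if start <= ts < end}


def newly_seen_edges(flows, now, recent=timedelta(hours=1),
                     baseline=timedelta(days=30)):
    """Edges present in the recent window but absent from the baseline.

    The baseline window ends where the recent window starts; if it overlapped
    the recent hour, every recent edge would also be 'historical' and nothing
    would ever be flagged.
    """
    recent_start = now - recent
    baseline_edges = edges_in_window(flows, now - baseline, recent_start)
    recent_edges = edges_in_window(flows, recent_start, now)
    return sorted(recent_edges - baseline_edges,
                  key=lambda e: (e.src_workload, e.dst_workload, e.dst_port))


if __name__ == "__main__":
    for e in newly_seen_edges(SAMPLE_FLOWS, NOW):
        print(f"new edge: {e.src_workload} -> {e.dst_workload}:{e.dst_port}")
```

A first-seen edge is a signal, not a verdict: a legitimate deployment or scaling event also produces new edges, so the flagged pair should be checked against the expected service topology before escalation.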
Categories
  • Kubernetes
  • Network
  • Cloud
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1204
Created: 2024-11-14