Summary
This detection rule identifies anomalous UDP communication between previously unseen source and destination workloads in a Kubernetes cluster. It analyzes Network Performance Monitoring (NPM) metrics gathered by an OpenTelemetry (OTEL) collector and imported into Splunk Observability Cloud, comparing network traffic from the past hour against data from the preceding 30 days. A workload pair that has never communicated before may indicate unauthorized access or malicious activity, which can in turn enable data breaches, privilege escalation, lateral movement, or service disruption. The rule applies a Splunk query that aggregates UDP packet counts per source and destination workload, marks each pair as current or historical, and keeps only the pairs that appear in the current window but not in the 30-day history.
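The comparison the rule performs is a set difference on the group-by key (cluster, source workload, destination workload): sum UDP packets per pair over the last hour and over the preceding 30 days, then keep the pairs that exist only in the current window. The following Python reproduces that logic over constructed sample records so the behaviour can be checked offline. It is an added illustration, not the rule's own Splunk query or any Splunk schema; the record field names (`ts`, `cluster`, `src`, `dst`, `proto`, `packets`) and the workload names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reference time for the example (constructed).
NOW = datetime(2024, 11, 14, 12, 0, tzinfo=timezone.utc)

# Constructed sample records in the shape of per-pair NPM metric rows.
# Field names are assumptions for this example, not the collector's schema.
SAMPLE_RECORDS = [
    # Baseline traffic inside the 30-day history window
    {"ts": NOW - timedelta(days=20), "cluster": "prod", "src": "frontend", "dst": "coredns", "proto": "udp", "packets": 1500},
    {"ts": NOW - timedelta(days=3), "cluster": "prod", "src": "frontend", "dst": "coredns", "proto": "udp", "packets": 1200},
    {"ts": NOW - timedelta(days=5), "cluster": "prod", "src": "api", "dst": "statsd", "proto": "udp", "packets": 800},
    # Current window (last hour)
    {"ts": NOW - timedelta(minutes=30), "cluster": "prod", "src": "frontend", "dst": "coredns", "proto": "udp", "packets": 100},  # known pair
    {"ts": NOW - timedelta(minutes=10), "cluster": "prod", "src": "batch-job", "dst": "external-dns", "proto": "udp", "packets": 42},  # never seen before
    {"ts": NOW - timedelta(minutes=5), "cluster": "prod", "src": "api", "dst": "redis", "proto": "tcp", "packets": 5000},  # TCP: out of scope
    # Pair last seen 45 days ago: outside the 30-day baseline, so it looks new again
    {"ts": NOW - timedelta(days=45), "cluster": "prod", "src": "legacy", "dst": "syslog", "proto": "udp", "packets": 10},
    {"ts": NOW - timedelta(minutes=2), "cluster": "prod", "src": "legacy", "dst": "syslog", "proto": "udp", "packets": 7},
]


def aggregate_udp_edges(records, lo, hi):
    """Sum UDP packet counts per (cluster, src, dst) for records with lo <= ts < hi.

    Mirrors the query's aggregation step: non-UDP rows are ignored and the
    remaining rows are grouped on the workload pair within the time window.
    """
    totals = defaultdict(int)
    for r in records:
        if r["proto"] != "udp":
            continue
        if not (lo <= r["ts"] < hi):
            continue
        totals[(r["cluster"], r["src"], r["dst"])] += r["packets"]
    return dict(totals)


def new_udp_edges(records, now, current_window=timedelta(hours=1), baseline_window=timedelta(days=30)):
    """Return UDP workload pairs seen in the current window but absent from the baseline.

    current  = [now - current_window, now)
    baseline = [now - baseline_window, now - current_window)
    The two windows are disjoint, so a pair present in both is historical and
    is not reported; a pair whose only history predates the baseline is reported.
    """
    current_start = now - current_window
    baseline_start = now - baseline_window
    current = aggregate_udp_edges(records, current_start, now)
    baseline = aggregate_udp_edges(records, baseline_start, current_start)
    alerts = [
        {"cluster": c, "src": s, "dst": d, "udp_packets": n}
        for (c, s, d), n in current.items()
        if (c, s, d) not in baseline
    ]
    return sorted(alerts, key=lambda e: (e["cluster"], e["src"], e["dst"]))


if __name__ == "__main__":
    for edge in new_udp_edges(SAMPLE_RECORDS, NOW):
        print(f"new UDP edge: {edge['cluster']} {edge['src']} -> {edge['dst']} ({edge['udp_packets']} packets)")
```

Two of the constructed pairs are reported: `batch-job -> external-dns`, which has no history at all, and `legacy -> syslog`, whose only prior traffic is older than the 30-day baseline. The second case is the practical caveat for this rule: the baseline horizon decides what counts as "previously unseen", so infrequent but legitimate UDP flows (monthly jobs, rarely used syslog forwarders) and freshly deployed workloads will surface as new edges and need triage or an allowlist rather than an automatic block.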
Categories
- Kubernetes
- Network
- Cloud
Data Sources
- Network Traffic
ATT&CK Techniques
- T1204
Created: 2024-11-14