Hunting Shadows: Detecting "Git-Native" Botnets with OpenSearch Anomaly Detection
Traditional firewalls are useless against modern botnets. Why? Because today's malware doesn't talk to a suspicious IP; it talks to github.com. I classify these as "Git-Native" botnets, and they blend perfectly into your developer traffic. To catch them, we don't need signature matching; we need behavioral mathematics.
This session demonstrates how to turn OpenSearch into a next-generation SIEM for Kubernetes. We will ignore standard logs and focus on high-fidelity "Meta-Signals."
We will build a live detection pipeline that flags:

- "Repo Jitter": Using OpenSearch Aggregations to detect the mathematically precise "heartbeat" of a bot polling a Git repository (e.g., exactly every 600s), which looks distinct from human jitter.
- User-Agent Anomalies: Correlating API Server logs to spot "Imposter" Git clients (like go-git or libgit2) running inside pods that should not be pulling code.
- The Kill Chain: How to visualize the correlation between a "Git Pull" event and a sudden spike in CPU usage (mining), using OpenSearch Dashboards to prove the infection timeline.
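As an added illustration of the first two signals above (not material from the session or the speaker), the following Python script does offline what the described OpenSearch aggregations would do in the cluster: it groups Git-fetch egress events by pod, measures how regular each pod's inter-arrival gaps are (coefficient of variation of the gaps), and separately flags pods whose Git client is not on an expected-client allowlist. The log documents, field names (`k8s.pod`, `http.user_agent`, and so on), pod names, user-agent strings and the 0.05 regularity threshold are all constructed assumptions for the example.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed allowlist of client prefixes expected to pull code from this cluster.
ALLOWED_UA_PREFIXES = ("git/",)
# Inter-arrival coefficient of variation (stdev / mean) below which a polling
# cadence is too regular to be a human; the value is an assumed tuning knob.
CV_THRESHOLD = 0.05
MIN_EVENTS = 4  # need at least this many fetches before judging a cadence

_BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _doc(pod, user_agent, offset_s):
    """Build one constructed egress-log document in an OpenSearch-style JSON shape."""
    return json.dumps({
        "@timestamp": (_BASE + timedelta(seconds=offset_s)).isoformat(),
        "k8s.pod": pod,
        "http.host": "github.com",
        "http.user_agent": user_agent,
        "url.path": "/example-org/app.git/info/refs",
    })


# Constructed sample: three pods talking to github.com.
SAMPLE_LOG_LINES = (
    # bot-like cadence: go-git client, almost exactly every 600 s
    [_doc("shop/worker-7f9c", "go-git/5.11.0", t) for t in (0, 600, 1200, 1801, 2400)]
    # human-like: real git CLI, irregular gaps
    + [_doc("dev/toolbox-0", "git/2.43.0", t) for t in (0, 37, 900, 1020, 3420)]
    # legitimate CI poller: regular cadence, but an allowed client
    + [_doc("ci/runner-0", "git/2.43.0", t) for t in (0, 300, 600, 900, 1200)]
)


def parse_docs(lines):
    """Parse JSON log lines and attach a timezone-aware datetime under '_ts'."""
    docs = []
    for line in lines:
        d = json.loads(line)
        d["_ts"] = datetime.fromisoformat(d["@timestamp"])
        docs.append(d)
    return docs


def interval_stats(timestamps):
    """Return (mean_gap_seconds, cv) for a pod's fetch times, or None if too few."""
    ts = sorted(timestamps)
    if len(ts) < MIN_EVENTS:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_periodic_pollers(docs):
    """Pods whose Git-fetch cadence is machine-regular (low CV of inter-arrival gaps)."""
    per_pod = defaultdict(list)
    for d in docs:
        per_pod[d["k8s.pod"]].append(d["_ts"])
    hits = {}
    for pod, ts in per_pod.items():
        stats = interval_stats(ts)
        if stats and stats[1] < CV_THRESHOLD:
            hits[pod] = stats
    return hits


def find_imposter_clients(docs):
    """Pods using a Git client that is not on the expected-client allowlist."""
    hits = defaultdict(set)
    for d in docs:
        ua = d["http.user_agent"]
        if not ua.startswith(ALLOWED_UA_PREFIXES):
            hits[d["k8s.pod"]].add(ua)
    return dict(hits)


def correlate(docs):
    """Pods that trip both signals: a beacon-like cadence AND an unexpected client."""
    periodic = find_periodic_pollers(docs)
    imposters = find_imposter_clients(docs)
    return {
        pod: {"mean_gap_s": periodic[pod][0], "cv": periodic[pod][1],
              "clients": sorted(imposters[pod])}
        for pod in periodic if pod in imposters
    }


if __name__ == "__main__":
    print(json.dumps(correlate(parse_docs(SAMPLE_LOG_LINES)), indent=2))
```

Run on the constructed sample, only `shop/worker-7f9c` survives `correlate`: the CI runner is just as periodic but uses an allowed client, and the developer toolbox uses `go-git`-free tooling with human-shaped gaps. That is the point of combining signals rather than alerting on each alone, since a strict cadence by itself is what any well-behaved CI poller looks like.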