Hunting Shadows: Detecting Kubernetes Botnet Behaviors with OpenSearch
Containerized botnets are ephemeral; they vanish before traditional forensics can catch them. To detect modern threats like "Crypto-jacking DaemonSets" or "Git-Native C2 channels," we need to move beyond static analysis and embrace real-time behavioral observability.
In this session, we will demonstrate how to use OpenSearch as a high-speed SIEM for Kubernetes. We will construct a threat-hunting pipeline that ingests Kubernetes Audit Logs and Cilium Network Flows to visualize the specific signatures of a compromised cluster.
Attendees will learn how to build OpenSearch Dashboards that flag:
Anomalous User Agents: detecting "imposter" Git clients and non-standard API calls.
Repo Jitter: visualizing the mathematical beaconing patterns of C2 traffic.
Privileged Pod Creation: alerting on unexpected DaemonSet deployments in the kube-system namespace.
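As an added illustration (not code from the session or its speakers), the three detection signals above written as plain Python over constructed Kubernetes audit events and flow start times, so the logic can be read before it is turned into OpenSearch queries and aggregations. The known user-agent prefixes, the kube-system DaemonSet allowlist and the 0.1 jitter threshold are assumptions.

```python
import statistics

# Constructed sample Kubernetes audit events (not from any real cluster).
AUDIT_EVENTS = [
    {"auditID": "a1", "verb": "create", "userAgent": "kubectl/v1.29.0",
     "user": {"username": "alice"},
     "objectRef": {"resource": "deployments", "namespace": "dev"}},
    {"auditID": "a2", "verb": "create", "userAgent": "git/2.43.0",
     "user": {"username": "system:serviceaccount:dev:ci"},
     "objectRef": {"resource": "daemonsets", "namespace": "kube-system"}},
    {"auditID": "a3", "verb": "get", "userAgent": "kubelet/v1.29.0",
     "user": {"username": "system:node:worker-1"},
     "objectRef": {"resource": "pods", "namespace": "kube-system"}},
]

# Assumed user agents the cluster's own components and admins present.
KNOWN_AGENT_PREFIXES = ("kubectl/", "kubelet/", "kube-controller-manager/",
                        "kube-scheduler/", "helm/")
# Assumed identities allowed to create DaemonSets in kube-system.
DAEMONSET_ALLOWLIST = {"system:serviceaccount:kube-system:addon-manager"}


def anomalous_user_agents(events):
    """auditIDs whose user agent matches none of the known prefixes (e.g. a Git client)."""
    return [e["auditID"] for e in events
            if not e.get("userAgent", "").startswith(KNOWN_AGENT_PREFIXES)]


def unexpected_daemonsets(events):
    """auditIDs of DaemonSet creations in kube-system by a non-allowlisted identity."""
    hits = []
    for e in events:
        ref = e.get("objectRef", {})
        if (e.get("verb") == "create" and ref.get("resource") == "daemonsets"
                and ref.get("namespace") == "kube-system"
                and e["user"]["username"] not in DAEMONSET_ALLOWLIST):
            hits.append(e["auditID"])
    return hits


def beacon_jitter(timestamps):
    """Coefficient of variation of inter-flow gaps; near 0 means a fixed-period beacon."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None  # too few flows to judge regularity
    return statistics.pstdev(gaps) / statistics.mean(gaps)


# Constructed flow start times (seconds) from one pod to one external host.
BEACON_FLOWS = [0, 60, 121, 180, 240, 299, 360]  # near-constant 60 s period
HUMAN_FLOWS = [0, 5, 47, 48, 300, 312, 900]      # bursty, irregular


def is_beaconing(timestamps, threshold=0.1):
    cv = beacon_jitter(timestamps)
    return cv is not None and cv < threshold
```

In the pipeline the same three checks map to a terms aggregation on userAgent, a filtered query on verb/resource/namespace, and a date histogram per source pod and destination whose bucket spacing is examined for regularity.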