Session
Make the most of a single Indicator of Compromise: real-time multi-pod correlation
Ever been alerted by a single security event and then spent ages querying logs to confirm what it was?
Usually, we pay vendors to do this and ship our data off to some SaaS or other data-storage arrangement.
This talk is about pre-correlating IoCs in real time, locally on each node, with an adaptive streaming operator that exports only the enriched data, which can cover several pods in one "span".
This is ongoing research for the Austrian Armed Forces to create a sovereign Kubernetes SOC that reduces data volume. 100% open-source.
You'll see a 3-step attack chain, where entire steps are undetectable but the in-place correlation still extracts the entire attack path.
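To make the node-local correlation idea concrete, here is an added example (not the talk's operator, and not code from the speaker): a small Python correlator that keeps a per-node sliding window of indicator-bearing events and exports one enriched span only when two or more distinct IoC types line up on that node. The event stream, pod names, indicator labels, window length and threshold are all constructed assumptions. The stream models a three-step chain in which the middle step (lateral movement into a second pod) raises no indicator at all, yet the exported span still covers both pods; a lone indicator on another node stays local and nothing raw is shipped off-node.

```python
"""Node-local IoC pre-correlation into multi-pod spans (added illustrative example)."""
from dataclasses import dataclass
from typing import List, Optional

WINDOW_SECONDS = 300      # assumed per-node correlation window
MIN_DISTINCT_IOCS = 2     # assumed threshold for promoting a window into a span


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since epoch (constructed values below)
    node: str
    pod: str
    ioc: Optional[str]   # None = routine telemetry carrying no indicator


@dataclass
class Span:
    node: str
    start: float
    end: float
    pods: List[str]      # every pod touched by the correlated indicators
    iocs: List[str]      # distinct indicator types, in first-seen order
    events: List[Event]  # the enriched payload that actually gets exported


def _close(node: str, cluster: List[Event], min_iocs: int) -> List[Span]:
    """Turn a time-adjacent cluster of IoC events into a span, or drop it."""
    iocs: List[str] = []
    pods: List[str] = []
    for ev in cluster:
        if ev.ioc not in iocs:
            iocs.append(ev.ioc)
        if ev.pod not in pods:
            pods.append(ev.pod)
    if len(iocs) < min_iocs:
        return []        # a single indicator is kept locally, never exported
    return [Span(node, cluster[0].ts, cluster[-1].ts, pods, iocs, list(cluster))]


def correlate(events: List[Event], window: float = WINDOW_SECONDS,
              min_iocs: int = MIN_DISTINCT_IOCS) -> List[Span]:
    """Correlate a (possibly unsorted) event list into exportable spans, per node.

    Indicator-bearing events on the same node are chained while each one falls
    within `window` seconds of the previous; benign telemetry is ignored, so a
    silent step between two indicators does not break the chain.
    """
    by_node = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ioc is None:
            continue     # routine telemetry stays on the node
        by_node.setdefault(ev.node, []).append(ev)

    spans: List[Span] = []
    for node, evs in by_node.items():
        cluster = [evs[0]]
        for ev in evs[1:]:
            if ev.ts - cluster[-1].ts <= window:
                cluster.append(ev)
            else:
                spans.extend(_close(node, cluster, min_iocs))
                cluster = [ev]
        spans.extend(_close(node, cluster, min_iocs))
    return spans


# Constructed stream: a three-step chain on node-1 whose middle step is silent,
# plus a lone indicator on node-2 and some routine telemetry.
STREAM = [
    Event(1000.0, "node-1", "web-7f9", None),               # routine telemetry
    Event(1010.0, "node-1", "web-7f9", "reverse_shell"),    # step 1: indicator in web pod
    Event(1020.0, "node-2", "db-0", None),
    Event(1100.0, "node-1", "cache-3a1", None),             # step 2: lateral move, no indicator
    Event(1150.0, "node-2", "db-0", "suspicious_dns"),      # lone indicator, stays local
    Event(1200.0, "node-1", "cache-3a1", "privesc_setuid"), # step 3: indicator in cache pod
    Event(2000.0, "node-1", "web-7f9", None),
]


if __name__ == "__main__":
    spans = correlate(STREAM)
    print(f"{len(STREAM)} events in, {len(spans)} span(s) exported")
    for s in spans:
        print(f"{s.node}: pods={s.pods} iocs={s.iocs} window={s.start}-{s.end}")
```

Running it reports seven events in and one span out, covering both `web-7f9` and `cache-3a1` even though the hop between them produced no indicator; shrinking the window below the gap between the two indicators (for example `correlate(STREAM, window=100)`) yields no span, which is the trade-off the window length controls.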
This solution is for data-center operators or anyone who runs a few k8s clusters and has no appetite for checking each alert by hand.
Constanze Roedig
Independent OpenSource Maintainer and Cybersecurity Researcher