Splunk + eBPF for Kubernetes detections is trending

Security practitioners are pushing Splunk integrations with eBPF telemetry (via Cisco Isovalent Tetragon) to detect containerized attacks like port scans and privilege escalation in Kubernetes environments. Community posts show practical playbooks and simulations that teams can convert into correlation searches for cloud-native identity abuse. (x.com)

Splunk published a Part 2 lab post on February 26, 2026 that includes kubectl-based attack simulations and an example SPL search to detect "Pods Running Offensive Tools", which matches on process names such as nmap, masscan, SharpHound, and kube-hunter. (splunk.com) The Part 1 setup guide prescribes installing the Cisco Security Cloud App, creating a Splunk HTTP Event Collector (HEC) token, and populating hubble-enterprise-values.yaml so that Tetragon/Hubble events are routed into Splunk Enterprise Security. (splunk.com)

Splunk's Observability workshop documents a 90-minute Isovalent (Cilium/Hubble/Tetragon) integration scenario that deploys Cilium in ENI mode, configures Hubble for L7 observability, and forwards eBPF metrics to Splunk Observability Cloud via OpenTelemetry. (splunk.github.io) Isovalent's lab and blog content show an end-to-end Tetragon-to-Splunk pattern that ships logs with Vector or OpenTelemetry and stresses process ancestry and syscall context as the basis for runtime detections. (isovalent.com)

Several community artifacts offer turnkey detection content: the GitHub project "eBPF-Kubernetes-Threat-Detection" implements Tetragon-based runtime rules with test pods, and an independent "Kubernetes Detection Lab with Tetragon and Splunk" walkthrough documents a step-by-step lab build. (github.com) (kyberzo.github.io)

Splunk Research and its content packs map Isovalent telemetry to MITRE ATT&CK for Containers and publish detection stories and datasets (for example, an analytics story dated November 18, 2025 and a Cisco Isovalent dataset dated August 15, 2025) to support correlation search development. (splunk.com) (research.splunk.com) Splunk documentation and content guidance recommend normalizing Isovalent/Tetragon events into the Common Information Model and deploying CIM-aware add-ons so that Enterprise Security detections and Risk-Based Alerting can consume process_exec and network telemetry at scale across multi-client estates. (help.splunk.com) (docs.splunk.com)
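As an added illustration (not code from Splunk's post, from Isovalent, or from the community projects above), the following Python applies the "Pods Running Offensive Tools" idea directly to raw Tetragon JSON export lines, keeping the parent process so each finding carries the ancestry context the Isovalent material emphasizes. The event layout follows Tetragon's JSON export (a top-level process_exec object with process and parent, plus node_name and time); the tool list extends the four names quoted from Splunk's search with a few assumed extras, and the sample events are constructed for this example.

```python
"""Flag Tetragon process_exec events whose process is a known offensive tool.

Added example, not Splunk's or Isovalent's code. Event shape follows Tetragon's
JSON export; the tool list and sample events below are assumptions/constructed.
"""
import json
import posixpath

# Names quoted from Splunk's "Pods Running Offensive Tools" search, plus a few
# assumed extras (zmap, nikto). Compared case-insensitively against basenames.
OFFENSIVE_TOOLS = frozenset({"nmap", "masscan", "sharphound", "kube-hunter", "zmap", "nikto"})


def _stem(path):
    """Lower-cased basename without extension: '/opt/kube-hunter.py' -> 'kube-hunter'."""
    return posixpath.basename(path).lower().split(".")[0]


def tool_from_process(proc):
    """Return the matched tool name or None.

    Checks the binary basename and also the first argument token, so that
    interpreter-launched tools (python3 /opt/kube-hunter.py) are not missed by a
    detection that keys only on the process name.
    """
    candidates = [_stem(proc.get("binary", ""))]
    args = proc.get("arguments", "")
    if args:
        candidates.append(_stem(args.split()[0]))
    for name in candidates:
        if name in OFFENSIVE_TOOLS:
            return name
    return None


def parse_process_exec(line):
    """Parse one Tetragon JSON line into a flat record; None if not process_exec."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    body = event.get("process_exec")
    if not body:
        return None  # process_exit, process_kprobe, etc. are not exec events
    proc = body.get("process", {})
    parent = body.get("parent", {})
    pod = proc.get("pod") or {}
    return {
        "time": event.get("time"),
        "node": event.get("node_name"),
        "namespace": pod.get("namespace"),
        "pod": pod.get("name"),
        "container": (pod.get("container") or {}).get("name"),
        "uid": proc.get("uid"),
        "binary": proc.get("binary", ""),
        "arguments": proc.get("arguments", ""),
        "parent_binary": parent.get("binary", ""),
        "parent_arguments": parent.get("arguments", ""),
        "tool": tool_from_process(proc),
    }


def find_offensive_tools(lines):
    """Return records for in-pod execs of offensive tools (host processes are skipped)."""
    findings = []
    for line in lines:
        rec = parse_process_exec(line)
        if rec is None or rec["tool"] is None or rec["pod"] is None:
            continue
        findings.append(rec)
    return findings


# Constructed sample events in Tetragon's export shape (not real telemetry).
SAMPLE_LINES = [json.dumps(e) for e in [
    {"process_exec": {
        "process": {"pid": 4321, "uid": 0, "binary": "/usr/bin/nmap",
                    "arguments": "-sS -p 1-65535 10.244.0.0/16",
                    "pod": {"namespace": "default", "name": "debug-shell-7d9f",
                            "container": {"name": "shell"}}},
        "parent": {"binary": "/bin/bash", "arguments": ""}},
     "node_name": "worker-1", "time": "2026-02-26T10:15:00Z"},
    {"process_exec": {
        "process": {"pid": 1200, "uid": 1000, "binary": "/usr/local/bin/python3",
                    "arguments": "/app/server.py --port 8080",
                    "pod": {"namespace": "web", "name": "api-5c4d",
                            "container": {"name": "api"}}},
        "parent": {"binary": "/sbin/tini", "arguments": "--"}},
     "node_name": "worker-1", "time": "2026-02-26T10:16:00Z"},
    {"process_exec": {
        "process": {"pid": 7788, "uid": 0, "binary": "/usr/bin/python3",
                    "arguments": "/opt/kube-hunter.py --remote 10.0.0.5",
                    "pod": {"namespace": "dev", "name": "scratch-0",
                            "container": {"name": "tools"}}},
        "parent": {"binary": "/bin/sh", "arguments": "-c"}},
     "node_name": "worker-2", "time": "2026-02-26T10:17:00Z"},
    {"process_exit": {"process": {"pid": 4321, "binary": "/usr/bin/nmap"}},
     "node_name": "worker-1", "time": "2026-02-26T10:18:00Z"},
]]

if __name__ == "__main__":
    for finding in find_offensive_tools(SAMPLE_LINES):
        print(json.dumps(finding))
```

The second finding is the caveat worth carrying into the Splunk search: kube-hunter launched as `python3 /opt/kube-hunter.py` has a process name of python3, so a correlation search that filters only on the process-name field never sees it; the command-line or arguments field needs to be matched as well, and the parent binary in each record is what lets an analyst tell an interactive shell in a debug pod from a scheduled job.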

Shared from Scout - Be the smartest in the room.