Detection Engineering


Kubeshark scripting in conjunction with hooks provides mean to programmatically detect suspicious network behaviors. Using helpers can trigger actions as a result and by that reduce the incident response time.

For example:

function onItemCaptured(data) {
  if (data.response.status === 500) {
    // Your code goes here
  } else if (kfl.match(data, 'request.headers["Authorization"] == r"Token.*" and src.ip != ""')) {
    // Your code goes here

A few more detection examples:

  • Abnormal API throughput
  • Suspicious payload matching a regex
  • Incoming communication from bad IPs


Actions are divided to three segments:

  • Alerts
  • Forensics
  • Telemetry


You can send a message to Slack, to a console log, to the WebUI or use a webhook to send anything anywhere.

Alerts can be used to notify that a certain action was completed (e.g. PCAP was generated and upload) or to provide a real-time notification of a programmatically identified network behavior.


Forensics generation can be triggered programmatically using hooks and/or Jobs.

The following forensic types are available:

  • Network snapshots in the form of PCAP files
  • Name resolution history
  • User-generated files

Forensics can be uploaded to an immutable datastore like AWS S3 or Google Cloud STorage with existing helpers or by using a Webhook.


Kubeshark enables you to send metrics and logs to your favorite telemetry or logs provider and enjoy dashboards and alerts.

Read more in the InfluxDB & Grafana and Elasticsearch sections.