An example method for identifying one or more potential malicious activities in a software-defined open radio access network includes detecting, by a trusted monitoring device, a communication flow from a sender component to a receiver component via an intermediate component. The method also includes, in response to the detecting of the communication flow, generating, by the trusted monitoring device and utilizing an intermediate identifier associated with the intermediate component, a flow record based on one or more parameters associated with the communication flow. The method further includes providing, by the trusted monitoring device and based on the flow record, an indication of the one or more potential malicious activities in the software-defined open radio access network.