
Summary
This rule is designed to identify modifications to Kubernetes Admission Controller configurations, specifically those pertaining to mutating and validating webhooks. These configurations can be targeted by adversaries to create persistence mechanisms or exfiltrate sensitive credentials from the cluster. The detection criteria focus on specific verbs such as 'create', 'update', and 'delete', which indicate changes to webhook configurations. The Kubernetes audit service logs these actions, and this rule analyzes those logs to detect potential unauthorized access or changes. False positives may occur from legitimate administrative actions or automated processes that require configuration changes. It is crucial to ensure that such legitimate activities are filtered out to avoid unnecessary alerts.
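The detection logic the summary describes, written out as an added example (it is not the rule's own implementation). It reads Kubernetes audit events in their JSON-lines form (apiVersion audit.k8s.io/v1), matches the verbs create/update/delete against objectRef.resource values mutatingwebhookconfigurations and validatingwebhookconfigurations in the admissionregistration.k8s.io group, only alerts on the ResponseComplete stage so a request logged at several stages produces one alert, and suppresses principals on an allowlist to handle the false-positive case the summary mentions. The allowlisted service account and the sample audit lines are constructed for the example.

```python
import json

# Admission webhook configuration resources as they appear in objectRef.resource
# of a Kubernetes audit event (apiGroup admissionregistration.k8s.io).
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
ALERT_VERBS = {"create", "update", "delete"}
# Hypothetical allowlist of principals expected to manage webhooks (an operator's
# service account, for instance); tune this to the automation in your cluster.
ALLOWED_PRINCIPALS = {"system:serviceaccount:cert-manager:cert-manager-cainjector"}


def is_webhook_modification(event: dict) -> bool:
    """True when the audit event records a create/update/delete of an admission webhook configuration."""
    ref = event.get("objectRef") or {}
    return (
        event.get("kind") == "Event"
        and event.get("verb") in ALERT_VERBS
        and ref.get("apiGroup") == "admissionregistration.k8s.io"
        and ref.get("resource") in WEBHOOK_RESOURCES
    )


def detect(lines):
    """Scan JSON-lines audit records; return (findings, number suppressed by the allowlist)."""
    findings, suppressed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit record
        # The audit policy may emit one record per stage for a single request;
        # alert only on the final stage so each request yields one finding.
        if event.get("stage") != "ResponseComplete":
            continue
        if not is_webhook_modification(event):
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        if user in ALLOWED_PRINCIPALS:
            suppressed += 1
            continue
        ref = event["objectRef"]
        findings.append({
            "user": user,
            "verb": event["verb"],
            "resource": ref["resource"],
            "name": ref.get("name", "<unnamed>"),
            "code": (event.get("responseStatus") or {}).get("code"),
        })
    return findings, suppressed


def _event(verb, resource, user, stage="ResponseComplete",
           api_group="admissionregistration.k8s.io", name="example"):
    """Build a constructed audit record with the fields the detector consumes."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
        "user": {"username": user},
        "objectRef": {"apiGroup": api_group, "resource": resource, "name": name},
        "responseStatus": {"code": 200},
    })


# Constructed sample input: two true positives, one allowlisted change, a read-only
# verb, a non-webhook resource, an intermediate-stage duplicate and a junk line.
SAMPLE_AUDIT_LINES = [
    _event("create", "mutatingwebhookconfigurations", "kubernetes-admin", name="mw-1"),
    _event("update", "validatingwebhookconfigurations",
           "system:serviceaccount:cert-manager:cert-manager-cainjector"),
    _event("get", "mutatingwebhookconfigurations", "dev-user@example.com"),
    _event("create", "deployments", "dev-user@example.com", api_group="apps"),
    _event("delete", "validatingwebhookconfigurations", "dev-user@example.com",
           stage="RequestReceived", name="vw-1"),
    _event("delete", "validatingwebhookconfigurations", "dev-user@example.com", name="vw-1"),
    "not json at all",
]

if __name__ == "__main__":
    found, dropped = detect(SAMPLE_AUDIT_LINES)
    for f in found:
        print(f"ALERT {f['verb']} {f['resource']}/{f['name']} by {f['user']} (HTTP {f['code']})")
    print(f"{dropped} event(s) suppressed by allowlist")
```

Run against the sample, the scan yields two alerts (the admin's create and the user's delete) and suppresses the allowlisted operator's update; the HTTP status from responseStatus is carried into each finding so a denied attempt (a 403) can be triaged separately from a change that actually took effect.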
Categories
- Kubernetes
- Cloud
- On-Premise
Data Sources
- Kernel
- Application Log
Created: 2024-07-11