
Kubernetes Client Certificate Credential Created

Panther Rules

Summary
The rule "Kubernetes Client Certificate Credential Created" detects the creation of a certificate signing request (CSR) in a Kubernetes cluster. A principal allowed to create CSRs, and to get them approved either directly or through an approver, can obtain a client certificate that authenticates to the API server under whatever username (subject CN) and groups (subject O) the CSR asked for. Such a certificate is a long-lived credential: it is not subject to service account token expiry, and because kube-apiserver performs no CRL or OCSP checking it stays valid until it expires or the cluster CA is rotated, which makes it hard to revoke. Stratus Red Team documents this as a persistence technique (k8s.persistence.create-client-certificate-credential). The rule runs over the Kubernetes audit logs of Amazon EKS, Azure AKS and Google Cloud (GKE), matching audit events with verb create on the certificatesigningrequests resource in the certificates.k8s.io API group. When it fires, establish who created the CSR and whether they were authorized to, check whether the CSR was approved and which signer it requested (kubernetes.io/kube-apiserver-client is the signer that issues API client certificates) and what identity its subject claims, and review subsequent API activity by that identity for anything out of the ordinary.
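Worked example of the detection logic described above, added here and not taken from Panther's rule source: a small Python scanner that applies the rule's conditions (verb create on certificatesigningrequests in certificates.k8s.io) to kube-apiserver audit lines, restricted to the ResponseComplete stage with a 2xx response so that a request is not counted twice and denied attempts are ignored, and that also surfaces the approval event and the requested signer for triage. The audit events are constructed to follow the audit.k8s.io/v1 Event schema; the usernames and CSR names are invented.

```python
"""Detection logic for CSR creation in kube-apiserver audit logs.

Added, illustrative example; not Panther's rule code. The sample events are
constructed to follow the audit.k8s.io/v1 Event schema that EKS, AKS and GKE
forward, with only the fields used here filled in.
"""
import json

CSR_RESOURCE = "certificatesigningrequests"
CSR_API_GROUP = "certificates.k8s.io"
# Signer whose issued certificates authenticate as API clients.
CLIENT_SIGNER = "kubernetes.io/kube-apiserver-client"


def _ok(event: dict) -> bool:
    """Only count completed requests the API server accepted.

    Every request is logged at RequestReceived and again at ResponseComplete,
    so matching both would alert twice; a denied request (403) created nothing.
    """
    if event.get("stage") != "ResponseComplete":
        return False
    code = (event.get("responseStatus") or {}).get("code", 0)
    return 200 <= code < 300


def is_csr_created(event: dict) -> bool:
    """verb=create on the certificatesigningrequests resource itself."""
    ref = event.get("objectRef") or {}
    return (
        _ok(event)
        and event.get("verb") == "create"
        and ref.get("resource") == CSR_RESOURCE
        and ref.get("apiGroup") == CSR_API_GROUP
        and not ref.get("subresource")
    )


def is_csr_approved(event: dict) -> bool:
    """verb=update on the approval subresource: the CSR now yields a credential."""
    ref = event.get("objectRef") or {}
    return (
        _ok(event)
        and event.get("verb") == "update"
        and ref.get("resource") == CSR_RESOURCE
        and ref.get("apiGroup") == CSR_API_GROUP
        and ref.get("subresource") == "approval"
    )


def signer_name(event: dict):
    """spec.signerName from the request body (needs RequestResponse-level auditing)."""
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return spec.get("signerName")


def title(event: dict) -> str:
    user = (event.get("user") or {}).get("username", "<unknown>")
    name = (event.get("objectRef") or {}).get("name", "<unnamed>")
    return f"[{user}] created Kubernetes CSR [{name}]"


def scan(lines):
    """Return (kind, username, csr name, signer) for each matching JSON audit line."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        user = (ev.get("user") or {}).get("username")
        name = (ev.get("objectRef") or {}).get("name")
        if is_csr_created(ev):
            hits.append(("created", user, name, signer_name(ev)))
        elif is_csr_approved(ev):
            hits.append(("approved", user, name, None))
    return hits


def _event(stage, verb, user, name, subresource=None, code=201, spec=None):
    """Build a minimal constructed audit event (hypothetical data)."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": verb, "user": {"username": user},
        "objectRef": {"resource": CSR_RESOURCE, "apiGroup": CSR_API_GROUP, "name": name},
    }
    if subresource:
        ev["objectRef"]["subresource"] = subresource
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
    if spec:
        ev["requestObject"] = {"spec": spec}
    return ev


# Constructed sample log: the RequestReceived half of alice's request, the
# completed creation, a read, a denied attempt by bob, and the approval.
SAMPLE_EVENTS = [
    _event("RequestReceived", "create", "alice", "alice-admin"),
    _event("ResponseComplete", "create", "alice", "alice-admin",
           spec={"signerName": CLIENT_SIGNER}),
    _event("ResponseComplete", "get", "alice", "alice-admin", code=200),
    _event("ResponseComplete", "create", "bob", "bob-admin", code=403),
    _event("ResponseComplete", "update", "admin@example.com", "alice-admin",
           subresource="approval", code=200),
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Run over the constructed log the scanner reports exactly two events: alice's completed CSR creation, tagged with the kube-apiserver-client signer, and the later approval by admin@example.com. The RequestReceived twin, the read and bob's 403 are dropped by the stage and status checks. Whether to page on creation alone or only once approval follows depends on how much legitimate CSR traffic (for example kubelet bootstrap requests) the cluster produces; either way the signer and subject are what an analyst needs first.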
Categories
  • Kubernetes
  • Cloud
  • On-Premise
Data Sources
  • Pod
  • User Account
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1098 (Account Manipulation)
  • T1552 (Unsecured Credentials)
Created: 2026-02-18