Azure Kubernetes RoleBinding or ClusterRoleBinding Created

Panther Rules

Summary
This detection rule monitors the creation of RoleBinding and ClusterRoleBinding objects in Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes clusters. These bindings are the mechanism that associates users, groups, or service accounts with roles, and therefore with permissions; because a binding can grant significant privileges, its unauthorized creation can indicate privilege escalation or an attempt to maintain illicit access within the Kubernetes environment. The rule is triggered by Azure Monitor Activity log entries for RBAC operations and is essential for detecting threats to Kubernetes environments, in particular for ensuring organizations can respond to possible compromises or unauthorized access attempts in cloud-native applications. It covers both managed AKS clusters and Arc-enabled clusters, so it applies across a range of operational setups. The rule is currently categorized as medium severity and is marked as experimental, indicating ongoing refinement and validation in a production context. A comprehensive runbook accompanies the rule, guiding administrators through the steps needed to determine whether a detected role binding operation was legitimate. The rule maps to the MITRE ATT&CK techniques covering valid account usage and privilege escalation.
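The following is an added illustration of the detection logic described above, written in the shape of a Panther Python rule; it is not the rule's own source. The Azure Activity log field names (operationName, resultType, caller, resourceId) and the list of resource-provider operation names it matches are assumptions about what the rule keys on, and the sample records are constructed.

```python
# Assumed Azure resource-provider operation names for (Cluster)RoleBinding writes.
# Microsoft.ContainerService = managed AKS; Microsoft.Kubernetes/connectedClusters = Arc-enabled.
ROLEBINDING_WRITE_OPS = {
    "microsoft.containerservice/managedclusters/rbac.authorization.k8s.io/rolebindings/write",
    "microsoft.containerservice/managedclusters/rbac.authorization.k8s.io/clusterrolebindings/write",
    "microsoft.kubernetes/connectedclusters/rbac.authorization.k8s.io/rolebindings/write",
    "microsoft.kubernetes/connectedclusters/rbac.authorization.k8s.io/clusterrolebindings/write",
}


def rule(event: dict) -> bool:
    """True when the Activity log record is a completed (Cluster)RoleBinding write."""
    op = str(event.get("operationName", "")).lower()
    if op not in ROLEBINDING_WRITE_OPS:
        return False
    # The Activity log emits one record per phase of an operation (Start, Success,
    # Failure). Alerting only on the completed write avoids a duplicate alert for
    # the Start record and ignores attempts that Azure rejected.
    return str(event.get("resultType", "")).lower() == "success"


def title(event: dict) -> str:
    """Alert title naming the binding kind, cluster type, target cluster and caller."""
    op = str(event.get("operationName", "")).lower()
    kind = "ClusterRoleBinding" if "clusterrolebindings" in op else "RoleBinding"
    cluster_type = "Arc-enabled" if "connectedclusters" in op else "AKS"
    return (f"{kind} created on {cluster_type} cluster "
            f"{event.get('resourceId', '<unknown>')} by {event.get('caller', '<unknown>')}")


def alerts(events: list) -> list:
    """Run the rule over a batch of records and return the titles that would alert."""
    return [title(e) for e in events if rule(e)]


# Constructed sample records (not real log data). Subscription id is a placeholder.
AKS_CLUSTER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
               "/providers/Microsoft.ContainerService/managedClusters/prod-aks")
ARC_CLUSTER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
               "/providers/Microsoft.Kubernetes/connectedClusters/edge-01")
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/write",
     "resultType": "Start", "caller": "alice@example.com", "resourceId": AKS_CLUSTER},
    {"operationName": "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/write",
     "resultType": "Success", "caller": "alice@example.com", "resourceId": AKS_CLUSTER},
    {"operationName": "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write",
     "resultType": "Success", "caller": "svc-deployer@example.com", "resourceId": ARC_CLUSTER},
    {"operationName": "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
     "resultType": "Success", "caller": "bob@example.com", "resourceId": AKS_CLUSTER},
]
```

Running `alerts(SAMPLE_EVENTS)` yields two titles: the completed ClusterRoleBinding write on the AKS cluster and the RoleBinding write on the Arc-enabled cluster; the Start record and the unrelated credential operation do not alert.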
Categories
  • Cloud
  • Kubernetes
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078.004
  • T1098
Created: 2026-01-14