Kubernetes Update Pod Configuration

Anvilogic Forge

Summary
This detection rule identifies modifications to Kubernetes pod configurations made with commands such as kubectl edit, scale, autoscale, or replace. It runs in Splunk against application log data and inspects API calls for the verbs associated with configuration changes: create, patch, or update actions on pod configurations. A regex extracts the relevant request URIs so that the logs can be filtered to the specified commands, and the matching events are laid out in a table of timestamps, user identities, action type, and outcome status. The rule then aggregates these fields to help surface abnormal patterns or unauthorized changes to deployments, which may indicate a security risk, particularly in the context of evasion techniques that involve deploying containers. This improves security posture in Kubernetes environments by increasing visibility into changes to critical resources. The associated technique concerns container deployment, an area where oversight or intentional manipulation can occur.
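As an added illustration, not the Forge rule's own Splunk query (which this page does not reproduce), the Python below applies the same logic to constructed kube-apiserver audit events: keep only create/patch/update verbs, pull the namespace, resource and subresource out of requestURI with a regex, and tabulate timestamp, user, action and outcome before aggregating. Field names follow the Kubernetes audit event format; the resource list and the mapping of HTTP status codes to success/failure are assumptions made for this example.

```python
import json
import re
from collections import Counter


def _ev(ts, verb, user, uri, code):
    """Build one constructed audit event in the kube-apiserver JSON shape."""
    return json.dumps({"requestReceivedTimestamp": ts, "verb": verb,
                       "user": {"username": user}, "userAgent": "kubectl/v1.29.0",
                       "requestURI": uri, "responseStatus": {"code": code}})


# Constructed sample audit events (JSON lines), not data from a real cluster.
SAMPLE_AUDIT_LINES = [
    _ev("2024-02-09T10:00:01Z", "patch", "alice", "/apis/apps/v1/namespaces/prod/deployments/web/scale", 200),
    _ev("2024-02-09T10:00:05Z", "update", "bob", "/apis/apps/v1/namespaces/prod/deployments/web", 200),
    _ev("2024-02-09T10:00:09Z", "create", "alice", "/apis/autoscaling/v2/namespaces/prod/horizontalpodautoscalers", 201),
    _ev("2024-02-09T10:00:12Z", "get", "bob", "/api/v1/namespaces/prod/pods/web-1", 200),
    _ev("2024-02-09T10:00:20Z", "patch", "ci-bot", "/api/v1/namespaces/prod/pods/web-1", 403),
]

# API verbs that change configuration; read-only verbs (get, list, watch) are ignored.
CHANGE_VERBS = {"create", "patch", "update"}
# Request URIs for pods and the workload/autoscaler objects that kubectl edit,
# scale, autoscale and replace write to (core group under /api, others under /apis).
URI_RE = re.compile(
    r"^/api(?:s/[^/]+)?/[^/]+/namespaces/(?P<ns>[^/]+)/"
    r"(?P<resource>pods|deployments|replicasets|statefulsets|daemonsets|horizontalpodautoscalers)"
    r"(?:/(?P<name>[^/?]+))?(?:/(?P<sub>scale|status))?")


def parse_event(line):
    """Return a normalised row for a pod-configuration change, else None."""
    ev = json.loads(line)
    match = URI_RE.match(ev.get("requestURI", ""))
    if ev.get("verb") not in CHANGE_VERBS or not match:
        return None
    code = ev.get("responseStatus", {}).get("code", 0)
    return {"time": ev.get("requestReceivedTimestamp"), "user": ev.get("user", {}).get("username"),
            "verb": ev["verb"], "namespace": match["ns"], "resource": match["resource"],
            "name": match["name"], "subresource": match["sub"],
            "outcome": "success" if 200 <= code < 300 else "failure"}


def detect(lines):
    """Filter audit lines to config changes and aggregate by user, verb, resource, outcome."""
    rows = [row for row in map(parse_event, lines) if row]
    totals = Counter((r["user"], r["verb"], r["resource"], r["outcome"]) for r in rows)
    return rows, totals
```

The aggregated counter is the analogue of the rule's summary table: a failed patch from an unexpected identity, or a burst of scale and update calls outside a change window, stands out once events are grouped this way.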
Categories
  • Kubernetes
  • Containers
  • Cloud
Data Sources
  • Container
  • Process
  • Application Log
ATT&CK Techniques
  • T1610
Created: 2024-02-09