Forbidden Direct Interactive Kubernetes API Request

Elastic Detection Rules

Summary
This rule detects unauthorized interactive requests to the Kubernetes API using Elastic Defend for Containers process telemetry together with Kubernetes audit logs. It identifies attempts by adversaries to probe or move laterally within a Kubernetes cluster by issuing API requests that the cluster's authorization policies forbid. The rule's query looks for a process inside a container running an interactive API client (e.g., `kubectl`, `curl`) that is followed by a forbidden API request in the audit logs, a pattern that often indicates reconnaissance or an attempt at privilege escalation. The rule documentation also covers legitimate debugging activity that can trigger false positives, along with specific investigation steps and response strategies for confirmed detections. By combining process activity within containers with Kubernetes API interactions, this integration gives Kubernetes environments visibility into how the two together can indicate a threat.
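The correlation the summary describes, as an added illustration that is not the rule's own query: a container process event for an interactive client is matched against a Kubernetes audit entry that returned 403 Forbidden shortly afterwards. The event field names, the sample events and the choice of user agent as the join key are assumptions made for this example, not Elastic's schema or correlation logic.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). A container runs curl against
# the API server and the audit log records the request as Forbidden (403).
PROCESS_EVENTS = [
    {"ts": "2026-01-21T10:00:00Z", "pod": "web-7f9c", "container": "app",
     "process": "curl", "args": ["curl", "-k", "https://kubernetes.default.svc/api/v1/secrets"]},
    {"ts": "2026-01-21T10:05:00Z", "pod": "debug-1a2b", "container": "tools",
     "process": "kubectl", "args": ["kubectl", "get", "pods"]},
]
AUDIT_EVENTS = [
    # 403 Forbidden two seconds after the curl from pod web-7f9c
    {"ts": "2026-01-21T10:00:02Z", "verb": "list", "uri": "/api/v1/secrets",
     "user": "system:serviceaccount:default:web-sa", "status": 403,
     "userAgent": "curl/8.1.0"},
    # 200 OK: the kubectl call was authorized, so it must not alert
    {"ts": "2026-01-21T10:05:01Z", "verb": "list", "uri": "/api/v1/pods",
     "user": "system:serviceaccount:default:debug-sa", "status": 200,
     "userAgent": "kubectl/v1.29.0"},
]

# Interactive API clients the example treats as suspicious inside a container.
INTERACTIVE_CLIENTS = {"kubectl", "curl", "wget"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_forbidden_interactive(process_events, audit_events, window_s=30):
    """Return one alert per (process event, 403 audit entry) pair where the
    audit entry follows the process start within window_s seconds and its
    user agent names the same client binary (assumed join key)."""
    alerts = []
    for p in process_events:
        if p["process"] not in INTERACTIVE_CLIENTS:
            continue
        started = _parse(p["ts"])
        for a in audit_events:
            if a["status"] != 403:
                continue
            delta = _parse(a["ts"]) - started
            if not (timedelta(0) <= delta <= timedelta(seconds=window_s)):
                continue
            if not a["userAgent"].startswith(p["process"]):
                continue
            alerts.append({"pod": p["pod"], "container": p["container"],
                           "process": p["process"], "user": a["user"],
                           "verb": a["verb"], "uri": a["uri"]})
    return alerts
```

Running `detect_forbidden_interactive(PROCESS_EVENTS, AUDIT_EVENTS)` yields a single alert for the `curl` request to `/api/v1/secrets`; the authorized `kubectl get pods` produces none.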
Categories
  • Kubernetes
  • Containers
Data Sources
  • Kernel
  • Process
  • Container
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1613
Created: 2026-01-21