
Summary
This detection rule monitors Amazon EKS audit logs for a single source IP that generates multiple 403 Forbidden responses from the Kubernetes API server. It inspects the audit log entries emitted by the API server and matches those with a response code of 403 whose source is a public IP address. When one IP address produces 403 responses exceeding the defined threshold, set at 10 occurrences within a 30-minute deduplication period, an alert is generated. The rule helps identify potentially unauthorized access attempts from a single IP, which may indicate malicious activity or a misconfiguration. It ships with multiple test cases that validate that only the relevant requests are matched and counted toward the threshold, so that private IPs and allowed requests do not trigger false alerts. The intent is to provide a foundational layer of visibility into unusual access patterns, particularly from external sources that repeatedly attempt to interact with Kubernetes resources without authorization.
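The detection logic described above as a stand-alone Python sketch, added here for illustration and not the rule's own code: it applies the 403-from-public-IP filter to constructed Kubernetes audit events and evaluates the 10-in-30-minutes threshold as a sliding window per source IP. The field names `sourceIPs`, `responseStatus.code` and `requestReceivedTimestamp` are standard Kubernetes audit Event fields; the set of address ranges treated as private, and the use of the first `sourceIPs` entry as the client, are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                  # alert once one source exceeds this many 403s ...
WINDOW = timedelta(minutes=30)  # ... inside this rolling window
NON_PUBLIC = [ipaddress.ip_network(n) for n in (  # assumed to be what the rule calls "private"
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

def is_public(ip_str):
    ip = ipaddress.ip_address(ip_str)  # raises ValueError on a malformed address
    return not any(ip in net for net in NON_PUBLIC)

def is_public_forbidden(event):
    """Per-event rule logic: a 403 from the API server to a public client IP."""
    if event.get("responseStatus", {}).get("code") != 403:
        return False
    ips = event.get("sourceIPs") or []  # assumption: first entry is the originating client
    return bool(ips) and is_public(ips[0])

def find_offending_ips(events, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak_count} for sources with more than `threshold` 403s in any `window`."""
    times_by_ip = defaultdict(list)
    for ev in events:
        if is_public_forbidden(ev):
            ts = ev["requestReceivedTimestamp"].replace("Z", "+00:00")  # RFC 3339 -> fromisoformat
            times_by_ip[ev["sourceIPs"][0]].append(datetime.fromisoformat(ts))
    alerts = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

def make_event(ip, code, minute):  # constructed minimal audit event: only the fields the rule reads
    return {"sourceIPs": [ip], "responseStatus": {"code": code},
            "requestReceivedTimestamp": f"2022-12-01T10:{minute:02d}:00.000000Z"}

# Constructed sample; 203.0.113.x, 198.51.100.x and 192.0.2.x are RFC 5737 documentation addresses standing in for public clients.
SAMPLE_EVENTS = (
    [make_event("203.0.113.7", 403, m) for m in range(11)]      # 11 denials in 11 min: alerts
    + [make_event("10.0.3.15", 403, m) for m in range(20)]       # private source: ignored
    + [make_event("198.51.100.9", 200, m) for m in range(15)]    # public but allowed: ignored
    + [make_event("192.0.2.44", 403, 5 * m) for m in range(11)]  # spread over 50 min: no window > 10
)
```

Calling `find_offending_ips(SAMPLE_EVENTS)` returns only the first address, since the private source, the allowed requests and the slow-spread denials all fall outside the rule's filter or window.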
Categories
- Cloud
- Kubernetes
- Infrastructure
Data Sources
- Pod
- Container
- Application Log
ATT&CK Techniques
- T1613
Created: 2022-12-01