Unusual Kubernetes Sensitive Workload Modification

Elastic Detection Rules

Summary
This rule monitors Kubernetes audit logs to flag create or patch actions on sensitive workloads (DaemonSets, Deployments, CronJobs) that originate from an unusual combination of client identity attributes. It looks for events where the Kubernetes API server allows the action (authorization decision "allow"), the target resource is one of the sensitive workload kinds, and the operation is either create or patch. The detection emphasizes anomalous combinations of user agent, source IP, and username, while excluding actions performed by members of the system:masters group. The intent is to identify possible privilege escalation or unauthorized workload control, which attackers may abuse to inject privileged containers, mount sensitive volumes, or otherwise subvert cluster execution. The rule correlates activity over a seven-day window (history_window_start now-7d) so that a username, user agent, or source IP combination not seen in that period is surfaced as new.

MITRE mapping ties the behavior to Account Manipulation (T1098) and its subtechnique Additional Container Cluster Roles (T1098.006), categorized under Privilege Escalation and Persistence. The rule has a low severity with a modest risk score (21), reflecting that its impact depends on being combined with other indicators. The rule's operational data source is Kubernetes audit logs from containerized API servers.

It includes an investigation guide, remediation steps (pause or roll back deployments, rotate credentials, revoke tokens, harden admission controls, tighten RBAC), and suggested containment actions for compromised workloads. False positives may arise from legitimate emergency changes made from new workstations, VPNs, or CI/CD automation, or from routine automation whose origin identity changes. Effective response relies on validating identity provenance (linking the Kubernetes user to IAM or a kubeconfig), inspecting related RBAC changes, and verifying workload rollout states, image sources, and privileges.
Overall, this rule provides a structured detection and response signal for potential unauthorized modifications to high-risk Kubernetes workloads.
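As an added example (not the rule's own query or Elastic's code), the Python below applies the filter described above to constructed Kubernetes audit-log lines and flags any (username, user agent, source IP) combination not seen within the prior seven days. The events, usernames, IPs and user agents are all made up.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Kubernetes audit events (JSON lines); not real cluster data.
AUDIT_LOG = """
{"requestReceivedTimestamp":"2026-02-20T07:00:00Z","verb":"patch","user":{"username":"dev-ops","groups":["system:authenticated"]},"sourceIPs":["10.0.0.9"],"userAgent":"kubectl/v1.29","objectRef":{"resource":"deployments","namespace":"prod","name":"web"},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"requestReceivedTimestamp":"2026-03-01T08:00:00Z","verb":"patch","user":{"username":"ci-deployer","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"argocd/2.10","objectRef":{"resource":"deployments","namespace":"prod","name":"api"},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"requestReceivedTimestamp":"2026-03-04T09:15:00Z","verb":"patch","user":{"username":"ci-deployer","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"argocd/2.10","objectRef":{"resource":"deployments","namespace":"prod","name":"api"},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"requestReceivedTimestamp":"2026-03-05T10:00:00Z","verb":"patch","user":{"username":"ci-deployer","groups":["system:authenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29","objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"node-agent"},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"requestReceivedTimestamp":"2026-03-05T10:01:00Z","verb":"create","user":{"username":"admin","groups":["system:masters"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29","objectRef":{"resource":"cronjobs","namespace":"prod","name":"backup"},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"requestReceivedTimestamp":"2026-03-05T10:02:00Z","verb":"patch","user":{"username":"dev-ops","groups":["system:authenticated"]},"sourceIPs":["10.0.0.9"],"userAgent":"kubectl/v1.29","objectRef":{"resource":"deployments","namespace":"prod","name":"web"},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"requestReceivedTimestamp":"2026-03-05T10:03:00Z","verb":"get","user":{"username":"dev","groups":["system:authenticated"]},"sourceIPs":["198.51.100.2"],"userAgent":"kubectl/v1.29","objectRef":{"resource":"deployments","namespace":"prod","name":"api"},"annotations":{"authorization.k8s.io/decision":"allow"}}
"""

SENSITIVE = {"daemonsets", "deployments", "cronjobs"}
HISTORY_WINDOW = timedelta(days=7)  # mirrors history_window_start now-7d

def in_scope(ev):
    """Rule filter: allowed create/patch on a sensitive kind, excluding system:masters."""
    return (ev.get("verb") in {"create", "patch"}
            and ev.get("objectRef", {}).get("resource") in SENSITIVE
            and ev.get("annotations", {}).get("authorization.k8s.io/decision") == "allow"
            and "system:masters" not in ev.get("user", {}).get("groups", []))

def identity_key(ev):
    """The new-terms tuple: username, user agent, first source IP."""
    return (ev["user"]["username"], ev.get("userAgent", ""), (ev.get("sourceIPs") or [""])[0])

def detect(lines):
    """Alert on in-scope events whose identity tuple has no occurrence in the prior 7 days."""
    last_seen, alerts = {}, []
    for line in filter(None, (l.strip() for l in lines.splitlines())):
        ev = json.loads(line)
        if not in_scope(ev):
            continue
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        key = identity_key(ev)
        prev = last_seen.get(key)
        if prev is None or ts - prev > HISTORY_WINDOW:  # never seen, or seen only outside the window
            alerts.append({"user": key[0], "userAgent": key[1], "sourceIP": key[2], "verb": ev["verb"],
                           "resource": ev["objectRef"]["resource"], "name": ev["objectRef"]["name"]})
        last_seen[key] = ts
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

Note that a tuple with no prior history at all also alerts, so a newly onboarded CI identity will fire once; that matches the false-positive cases the rule documents.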
Categories
  • Kubernetes
Data Sources
  • Container
ATT&CK Techniques
  • T1098
  • T1098.006
Created: 2026-03-05