
Summary
The 'Kubernetes.Exec.Into.Pod' rule monitors Kubernetes audit logs for `exec` operations into pods across cloud-managed clusters such as Amazon EKS, Azure AKS and GCP GKE. Its purpose is to give visibility into commands executed inside running pods, since an `exec` can indicate unauthorized access to a workload or serve as a step toward privilege escalation. The detection is flagged as 'Medium' severity, indicating a moderate level of risk, and is categorized as 'Experimental', so it is not enabled by default.

Users are encouraged to configure inline filters in the Panther UI to exclude known legitimate use cases, for instance exec actions performed by specific service accounts or within specific namespaces. The operations that trigger the rule are fetch requests for command execution inside pods, as recorded in the Kubernetes audit log.

The rule ships with runbook steps advising analysts to review the context of each alert, including the username and namespace involved, and to determine whether the exec action targeted a sensitive workload. Its test cases validate that legitimate exec events fire the rule while unrelated pod creation or retrieval events do not.
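The matching logic summarised above, written as an added illustration in the style of a Panther Python rule; this is not Panther's own rule code. The `deep_get` helper, the allow-list values and the sample audit event are assumptions constructed for the example.

```python
# Added illustration of the detection logic summarised above, written in the
# style of a Panther Python rule; it is not Panther's own rule code.

# Constructed allow-lists standing in for the inline filters an analyst would
# configure in the Panther UI (illustrative values, not real accounts).
ALLOWED_USERS = {"system:serviceaccount:ops:debug-sa"}
ALLOWED_NAMESPACES = {"kube-system"}


def deep_get(obj, *keys, default=None):
    """Safely walk a nested audit-log dict (hypothetical helper)."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key, default)
    return obj


def rule(event):
    """True when the audit event records an exec into a pod that is not
    covered by an allow-list; plain pod create/get events do not match."""
    if deep_get(event, "objectRef", "resource") != "pods":
        return False
    if deep_get(event, "objectRef", "subresource") != "exec":
        return False
    if deep_get(event, "user", "username") in ALLOWED_USERS:
        return False
    if deep_get(event, "objectRef", "namespace") in ALLOWED_NAMESPACES:
        return False
    return True


def title(event):
    """Alert title carrying the user, namespace and pod the runbook asks for."""
    user = deep_get(event, "user", "username", default="<unknown>")
    ns = deep_get(event, "objectRef", "namespace", default="<unknown>")
    pod = deep_get(event, "objectRef", "name", default="<unknown>")
    return f"Exec into pod [{pod}] in namespace [{ns}] by [{user}]"


# Constructed sample audit event (not a real log line).
EXEC_EVENT = {
    "verb": "create",
    "user": {"username": "alice@example.com"},
    "objectRef": {"resource": "pods", "subresource": "exec",
                  "namespace": "payments", "name": "api-7d9f"},
}
```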
Categories
- Kubernetes
- Cloud
- AWS
- Azure
- GCP
Data Sources
- Pod
- Container
- User Account
- Network Traffic
- Application Log
Created: 2026-02-18