Kubelet Pod Discovery Detected via Defend for Containers

Elastic Detection Rules

Summary
This detection rule identifies the use of common Linux utilities (ls, find, du, locate, nice) to discover running pods in a Kubernetes cluster. Specifically, the rule monitors interactions with the /var/lib/kubelet/pods directory, where the Kubelet stores pod data. Attackers may use these tools to enumerate pod details, including pod IDs and volumes, which could facilitate further exploitation or lateral movement across the cluster. The rule generates alerts based on a sequence of events that indicate interactive use of these utilities against the targeted directory, suggesting possible attempts to harvest sensitive information such as service account tokens or configuration files. It also provides detailed investigative steps and response recommendations to mitigate potential risks, emphasizing containment, remediation, and preventive measures to strengthen cluster security.
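The following is an added example of the detection logic the summary describes, written here for illustration; it is not Elastic's rule code or query. The event records and their field names (container_id, interactive, name, args, cwd) are constructed assumptions for this example, not the schema of any particular agent. The example groups matches per container so that a container that runs several of the listed utilities against /var/lib/kubelet/pods produces one alert carrying all of the evidence, and it excludes non-interactive executions and executions that touch unrelated directories.

```python
import json

# Utilities named in the rule summary as used for pod discovery.
DISCOVERY_UTILITIES = frozenset({"ls", "find", "du", "locate", "nice"})
# Directory where the Kubelet stores pod data.
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"

# Constructed sample process events (NDJSON). These are not real telemetry;
# the field names are assumptions made for this example.
SAMPLE_EVENTS = """\
{"ts": "2026-02-06T10:00:01Z", "container_id": "c1", "interactive": true, "name": "bash", "args": ["bash"], "cwd": "/"}
{"ts": "2026-02-06T10:00:05Z", "container_id": "c1", "interactive": true, "name": "ls", "args": ["ls", "-la", "/var/lib/kubelet/pods"], "cwd": "/"}
{"ts": "2026-02-06T10:00:09Z", "container_id": "c1", "interactive": true, "name": "find", "args": ["find", ".", "-maxdepth", "1"], "cwd": "/var/lib/kubelet/pods/0a1b"}
{"ts": "2026-02-06T10:01:00Z", "container_id": "c2", "interactive": false, "name": "du", "args": ["du", "-sh", "/var/lib/kubelet/pods"], "cwd": "/"}
{"ts": "2026-02-06T10:02:00Z", "container_id": "c3", "interactive": true, "name": "ls", "args": ["ls", "/var/log"], "cwd": "/"}
{"ts": "2026-02-06T10:03:00Z", "container_id": "c4", "interactive": true, "name": "nice", "args": ["nice", "-n", "10", "ls", "/var/lib/kubelet/pods"], "cwd": "/"}
"""


def parse_events(ndjson):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def references_pods_dir(event):
    """True if the process ran inside the kubelet pods directory or named it in its arguments."""
    cwd = event.get("cwd", "")
    in_dir = cwd == KUBELET_PODS_DIR or cwd.startswith(KUBELET_PODS_DIR + "/")
    # Substring match on each argument also catches forms like --path=/var/lib/kubelet/pods.
    named = any(KUBELET_PODS_DIR in arg for arg in event.get("args", []))
    return in_dir or named


def is_pod_discovery(event):
    """Apply the rule's three conditions: listed utility, interactive session, pods directory."""
    return (
        event.get("name") in DISCOVERY_UTILITIES
        and bool(event.get("interactive"))
        and references_pods_dir(event)
    )


def detect(ndjson):
    """Return {container_id: [command lines]} for every container with at least one match.

    Grouping per container mirrors the summary's "sequence of events": one alert
    per container, with every matching command line kept as evidence for triage.
    """
    alerts = {}
    for event in parse_events(ndjson):
        if is_pod_discovery(event):
            alerts.setdefault(event["container_id"], []).append(" ".join(event["args"]))
    return alerts


if __name__ == "__main__":
    for container, commands in detect(SAMPLE_EVENTS).items():
        print(f"ALERT container={container}")
        for cmd in commands:
            print(f"  evidence: {cmd}")
```

Running the block alerts on containers c1 and c4 only: c2 is dropped because the execution was not interactive, and c3 because it listed an unrelated directory. The `nice` case shows why the wrapper utility is in the list, since the actual listing command appears only in its arguments.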
Categories
  • Kubernetes
  • Containers
  • Cloud
Data Sources
  • Container
  • Process
ATT&CK Techniques
  • T1613
Created: 2026-02-06