Kubernetes Admission Webhook Created or Modified

Elastic Detection Rules

Summary
Detects creation, modification, or deletion of Kubernetes MutatingWebhookConfiguration or ValidatingWebhookConfiguration objects by identities outside common system patterns. Admission webhooks intercept API requests before persistence, enabling an attacker to inject malicious sidecars into pods, modify security contexts, block defensive tooling, or exfiltrate pod specifications. Webhook configurations can appear benign in kubectl output, making this a stealthy persistence/defense-evasion technique. The rule analyzes Kubernetes audit logs (logs-kubernetes.audit_logs-*) to identify changes to webhook configurations where the access decision is allowed and the actor is not a known system/service account, flagging potential abuse. False positives can arise from legitimate cluster operators or GitOps automation installing/upgrading admission controllers, which should be validated against change tickets and approved controllers. The rule includes guidance for triage, investigation, and remediation (verifying the webhook resource and operator identity, reviewing webhook destinations, and assessing blast radius). The detection supports containment by alerting on suspect webhook changes and associated policy/configuration shifts that could enable persistence or data exfiltration.
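As an added illustration of the detection logic the summary describes (not the rule's own query or any Elastic code), the following Python filters constructed Kubernetes audit events for allowed writes to webhook configurations by identities outside an assumed set of system patterns; the exclusion prefixes, usernames and object names are assumptions, not values from the rule.

```python
import json

# Resources and verbs the rule covers (Kubernetes audit Event field values).
MWC, VWC = "mutatingwebhookconfigurations", "validatingwebhookconfigurations"
WEBHOOK_RESOURCES = {MWC, VWC}
WRITE_VERBS = {"create", "update", "patch", "delete"}
# Assumed system-identity patterns; the rule's real allowlist is not reproduced here.
KNOWN_SYSTEM_PREFIXES = ("system:kube-", "system:serviceaccount:kube-system:")

def is_suspicious_webhook_change(event: dict) -> bool:
    """True for an allowed write to a webhook configuration by a non-system identity."""
    ref = event.get("objectRef", {})
    if (ref.get("apiGroup") != "admissionregistration.k8s.io"
            or ref.get("resource") not in WEBHOOK_RESOURCES
            or event.get("verb") not in WRITE_VERBS):
        return False
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision")
    if decision != "allow":
        return False  # a denied request changed nothing
    user = event.get("user", {}).get("username", "")
    return not user.startswith(KNOWN_SYSTEM_PREFIXES)

def scan_audit_log(lines):
    """Parse newline-delimited JSON audit events; return (user, verb, name) per hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of stalling the pipeline
        if is_suspicious_webhook_change(event):
            hits.append((event["user"]["username"], event["verb"],
                         event["objectRef"].get("name")))
    return hits

def _event(user, verb, resource, name, decision="allow"):
    # Constructed audit line in the shape of a Kubernetes audit Event (not real data).
    return json.dumps({"kind": "Event", "verb": verb, "user": {"username": user},
                       "objectRef": {"apiGroup": "admissionregistration.k8s.io",
                                     "resource": resource, "name": name},
                       "annotations": {"authorization.k8s.io/decision": decision}})

SAMPLE_AUDIT_LOG = [  # constructed sample, not real cluster data
    _event("system:serviceaccount:kube-system:webhook-ctl", "patch", MWC, "ingress-webhook"),  # system
    _event("jane.doe@example.com", "create", MWC, "sidecar-injector"),                        # flagged
    _event("jane.doe@example.com", "get", MWC, "sidecar-injector"),                           # read only
    _event("ci-deployer", "delete", VWC, "policy-gatekeeper", "forbid"),                      # denied
    _event("system:serviceaccount:default:app", "update", VWC, "policy-gatekeeper"),          # flagged
]
```

Running `scan_audit_log(SAMPLE_AUDIT_LOG)` flags only the user-driven create and the non-kube-system service account update, which are the candidates the triage guidance says to check against change tickets and approved controllers.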
Categories
  • Kubernetes
Data Sources
  • Application Log
ATT&CK Techniques
  • T1546
  • T1562
Created: 2026-05-05