
Summary
This rule analyzes API calls to Kubernetes clusters to detect suspicious activity, specifically anonymous and unauthenticated requests made via kubectl. The detection uses `kube_audit` logs to identify requests in which the caller presented neither a token nor any other authenticating credentials. Such requests indicate a critical misconfiguration in the Kubernetes cluster that allows unrestricted access, which can lead to data breaches or unauthorized control over cluster resources. By aggregating request counts across several parameters, including object references, namespaces, response status codes, and source IPs, the alert highlights unusual patterns indicative of malicious intent. The analysis requires audit logging to be enabled in the Kubernetes environment, with logging configured so that potential threats are captured effectively. It is particularly tailored to environments such as AWS EKS, where proper integration and log collection are essential to monitoring the security posture of Kubernetes deployments.
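The page describes the detection logic but does not show the rule's own query. The following is an added Python example, not the rule's code, that applies the same logic to audit events in the `audit.k8s.io/v1` JSON-lines format the API server emits (the shape EKS forwards as kube-audit): it selects requests whose identity is `system:anonymous` or whose groups include `system:unauthenticated`, restricts them to a kubectl user agent as the summary describes, and aggregates counts by object reference, namespace, response status code and source IP. The sample events, IP addresses and function names are constructed for illustration.

```python
"""Detect anonymous kubectl requests in Kubernetes audit logs.

Added example, not the original rule's query. Assumes audit events in the
audit.k8s.io/v1 JSON-lines format, one event per line.
"""
import json
from collections import Counter

# Identity the API server assigns to a request that carries no credentials.
ANONYMOUS_USER = "system:anonymous"
ANONYMOUS_GROUP = "system:unauthenticated"

# Constructed sample events; IPs are from documentation ranges, not real sources.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.10"],"userAgent":"kubectl/v1.30.0 (linux/amd64) kubernetes/abcdef0","objectRef":{"resource":"secrets","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.10"],"userAgent":"kubectl/v1.30.0 (linux/amd64) kubernetes/abcdef0","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.10"],"userAgent":"kubectl/v1.30.0 (linux/amd64) kubernetes/abcdef0","objectRef":{"resource":"pods","namespace":"default","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"kube-probe/1.30","requestURI":"/livez","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kube-system:deployment-controller","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["10.0.0.7"],"userAgent":"kube-controller-manager/v1.30.0","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"code":200}}
this line is not JSON and should be skipped
"""


def parse_audit_log(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_anonymous(event):
    """True when the request carried neither a token nor client credentials."""
    user = event.get("user", {})
    return (user.get("username") == ANONYMOUS_USER
            or ANONYMOUS_GROUP in user.get("groups", []))


def is_kubectl(event):
    """The rule targets kubectl; health probes and controllers use other agents."""
    return event.get("userAgent", "").startswith("kubectl/")


def aggregate_anonymous(events):
    """Count anonymous kubectl requests per (resource, namespace, code, src_ip).

    Non-resource URLs such as /livez have no objectRef; they are keyed on
    requestURI so they are still recorded when they match the filter.
    """
    counts = Counter()
    for event in events:
        if not (is_anonymous(event) and is_kubectl(event)):
            continue
        obj = event.get("objectRef") or {}
        resource = obj.get("resource") or event.get("requestURI", "")
        namespace = obj.get("namespace", "")
        code = (event.get("responseStatus") or {}).get("code")
        for src_ip in event.get("sourceIPs", ["unknown"]):
            counts[(resource, namespace, code, src_ip)] += 1
    return counts


def anonymous_access_findings(text):
    """Return rows sorted so successful anonymous requests (code < 400) come first.

    A 403 shows only that an unauthenticated caller tried; a 2xx shows the
    cluster granted the request, which is the misconfiguration the rule
    is meant to surface.
    """
    rows = []
    for (resource, namespace, code, src_ip), count in aggregate_anonymous(
            parse_audit_log(text)).items():
        rows.append({
            "resource": resource, "namespace": namespace,
            "response_code": code, "src_ip": src_ip, "count": count,
            "granted": code is not None and code < 400,
        })
    rows.sort(key=lambda r: (not r["granted"], -r["count"]))
    return rows


if __name__ == "__main__":
    for row in anonymous_access_findings(SAMPLE_AUDIT_LOG):
        print(row)
```

On the sample input the kube-probe request to `/livez` is anonymous but is dropped by the user-agent filter; anonymous access to `/healthz`, `/livez`, `/readyz` and `/version` is permitted by default through the `system:public-info-viewer` role, so a rule that did not exclude it would be noisy in every cluster. The ordering puts anonymous requests that received a 2xx at the top, since those are the ones that confirm unrestricted access rather than a blocked attempt.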
Categories
- Kubernetes
- Cloud
- AWS
Data Sources
- Kernel
- Web Credential
- Process
Created: 2024-11-14