
Summary
This detection rule profiles Kubernetes service accounts in Google Cloud Platform (GCP) by analyzing their activity against pods. It groups interactions by source IP address, user agent, verb (the action performed), and the authorization decision made by Kubernetes. The output is a table summarizing the most active service accounts, which highlights potentially suspicious behavior over time. While intended to enhance security monitoring within GCP GKE Kubernetes clusters, analysts should be cautious, as not every service account interaction indicates malicious activity. Contextual factors such as the source IP address and the verbs used should be evaluated during analysis to ensure an accurate threat assessment.
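The aggregation the summary describes, as an added example that is not the rule's own search logic: it reads Kubernetes API server audit entries in the shape GCP Cloud Logging uses for GKE (protoPayload.authenticationInfo, requestMetadata, methodName, authorizationInfo), keeps only service-account requests against pods, and builds the per-service-account table keyed by source IP, user agent, verb and authorization decision. The log lines are constructed sample data, the field names and the trusted network range are assumptions, and the flagging rule (denied requests or requests from outside the trusted range) is one illustration of the contextual review the summary calls for.

```python
import ipaddress
import json
from collections import defaultdict

# Builds one constructed audit log entry (sample data, not from a real cluster).
# Field layout assumed to mirror GCP Cloud Logging's protoPayload for GKE audit logs.
def _entry(ts, principal, ip, ua, method, granted, resource):
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua},
            "methodName": method,  # e.g. io.k8s.core.v1.pods.exec.create
            "authorizationInfo": [{"granted": granted, "resource": resource}],
            "resourceName": resource,
        },
    })

# Constructed sample log lines. 203.0.113.0/24 is a documentation range, used here
# to stand in for an address outside the cluster's trusted network.
SAMPLE_LOG_LINES = [
    _entry("2024-11-14T10:00:01Z", "system:serviceaccount:default:app", "10.0.0.5",
           "kubectl/v1.29", "io.k8s.core.v1.pods.list", True, "core/v1/namespaces/default/pods"),
    _entry("2024-11-14T10:05:12Z", "system:serviceaccount:default:app", "10.0.0.5",
           "kubectl/v1.29", "io.k8s.core.v1.pods.list", True, "core/v1/namespaces/default/pods"),
    _entry("2024-11-14T10:06:00Z", "system:serviceaccount:kube-system:metrics-server", "10.0.0.9",
           "metrics-server/v0.7", "io.k8s.core.v1.pods.list", True, "core/v1/pods"),
    _entry("2024-11-14T10:20:33Z", "system:serviceaccount:default:app", "203.0.113.7",
           "curl/8.0", "io.k8s.core.v1.pods.exec.create", False, "core/v1/namespaces/default/pods/web-1/exec"),
    _entry("2024-11-14T10:21:05Z", "system:serviceaccount:default:app", "203.0.113.7",
           "curl/8.0", "io.k8s.core.v1.pods.delete", False, "core/v1/namespaces/default/pods/web-1"),
    # A human user and a non-pod resource: both must be excluded by the filter.
    _entry("2024-11-14T10:22:00Z", "alice@example.com", "10.0.0.5",
           "kubectl/v1.29", "io.k8s.core.v1.pods.get", True, "core/v1/namespaces/default/pods/web-1"),
    _entry("2024-11-14T10:23:00Z", "system:serviceaccount:default:app", "10.0.0.5",
           "kubectl/v1.29", "io.k8s.apps.v1.deployments.list", True, "apps/v1/namespaces/default/deployments"),
]


def parse_entry(line):
    """Return the fields the rule groups on, or None if the entry is out of scope."""
    entry = json.loads(line)
    payload = entry["protoPayload"]
    principal = payload["authenticationInfo"]["principalEmail"]
    # Kubernetes service accounts authenticate as system:serviceaccount:<ns>:<name>.
    if not principal.startswith("system:serviceaccount:"):
        return None
    parts = payload["methodName"].split(".")
    if "pods" not in parts:
        return None
    idx = parts.index("pods")
    meta = payload["requestMetadata"]
    # All authorization checks must be granted for the request to count as allowed.
    granted = all(a.get("granted", False) for a in payload.get("authorizationInfo", []))
    return {
        "service_account": principal,
        "src_ip": meta["callerIp"],
        "user_agent": meta.get("callerSuppliedUserAgent", ""),
        "verb": parts[-1],
        "subresource": ".".join(parts[idx + 1:-1]),  # e.g. "exec", "" for the pod itself
        "decision": "allow" if granted else "deny",
        "timestamp": entry["timestamp"],
    }


def summarize(lines):
    """Aggregate pod activity per service account, most active rows first."""
    rows = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None})
    for line in lines:
        ev = parse_entry(line)
        if ev is None:
            continue
        key = (ev["service_account"], ev["src_ip"], ev["user_agent"],
               ev["verb"], ev["subresource"], ev["decision"])
        row = rows[key]
        row["count"] += 1
        ts = ev["timestamp"]  # ISO-8601 UTC strings compare chronologically
        row["first_seen"] = ts if row["first_seen"] is None else min(row["first_seen"], ts)
        row["last_seen"] = ts if row["last_seen"] is None else max(row["last_seen"], ts)
    names = ("service_account", "src_ip", "user_agent", "verb", "subresource", "decision")
    return [dict(zip(names, key), **stats)
            for key, stats in sorted(rows.items(), key=lambda kv: (-kv[1]["count"], kv[0]))]


def flag_rows(rows, trusted_networks=("10.0.0.0/8",)):
    """Rows worth analyst review: denied requests, or callers outside trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [r for r in rows
            if r["decision"] == "deny"
            or not any(ipaddress.ip_address(r["src_ip"]) in n for n in nets)]


if __name__ == "__main__":
    table = summarize(SAMPLE_LOG_LINES)
    for r in table:
        print(f'{r["count"]:>3} {r["decision"]:<5} {r["verb"]:<7} {r["subresource"]:<5} '
              f'{r["src_ip"]:<13} {r["user_agent"]:<20} {r["service_account"]}')
    print("flagged:", len(flag_rows(table)))
```

On the sample data the table has four rows; the recurring allowed `list` calls from the in-cluster address rank first, while the two denied requests from 203.0.113.7 are the rows the flagging step returns. In a real deployment the trusted ranges would come from the cluster's node and pod CIDRs, and the allowed-but-external or denied rows are the ones to cross-check against the verbs and user agents the service account normally uses.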
Categories
- Cloud
- Kubernetes
- Infrastructure
Data Sources
- Cloud Service
- Network Traffic
Created: 2024-11-14