
Summary
The rule 'Kubernetes Pod Created in System Namespace' monitors the creation of Kubernetes pods in critical system namespaces such as kube-system, kube-public, gke-system, and kube-node-lease. These namespaces are reserved for Kubernetes control plane operations and core infrastructure components, so an unauthorized pod creation in one of them often indicates adversarial activity, such as a privilege escalation attempt in which an attacker deploys a malicious pod alongside legitimate infrastructure, where it is harder to notice.

The rule alerts on such activity so that security teams can investigate and respond promptly. Beyond the detection itself, it includes a runbook for analyzing the context around the event, which helps establish the intent behind the action and whether further security measures are needed. Because it bears on system integrity and on defending against privilege escalation and persistence tactics, the rule carries a medium severity classification. Its data sources are logs from major cloud providers, including Amazon EKS, Azure, and GCP, so it applies across different Kubernetes environments.
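The following is an added example, not the rule's own query or code. It shows the detection logic the summary describes, run over a few constructed Kubernetes API server audit events in the standard audit.k8s.io JSON-lines layout (the `verb`, `objectRef`, `responseStatus`, `user` and `stage` fields). The sample events, the `dev-user` principal, the pod names and the `allowlist` tuning parameter are all assumptions made for illustration; only the four system namespaces come from the rule summary.

```python
import json
from typing import Iterable

# The system namespaces named in the rule summary.
SYSTEM_NAMESPACES = frozenset({"kube-system", "kube-public", "gke-system", "kube-node-lease"})

# Constructed audit events (one JSON object per line), assumed to follow the
# audit.k8s.io event layout. They are not real cluster logs.
SAMPLE_AUDIT_LINES = """
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"debug-shell"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2026-02-18T10:15:00Z"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"coredns-7d4f8"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2026-02-18T10:16:00Z"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2026-02-18T10:17:00Z"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"kube-system","name":"coredns-7d4f8"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2026-02-18T10:18:00Z"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"kube-public","name":"miner"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2026-02-18T10:19:00Z"}
this line is not JSON and is skipped by the parser
""".strip().splitlines()


def is_system_namespace_pod_create(event: dict) -> bool:
    """True when an audit event records a completed, successful `create` of a pod
    object (not a subresource such as pods/exec) in one of the system namespaces."""
    if event.get("stage") != "ResponseComplete" or event.get("verb") != "create":
        return False
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "pods" or ref.get("subresource"):
        return False
    code = (event.get("responseStatus") or {}).get("code", 0)
    if not 200 <= code < 300:
        return False  # denied or failed requests did not create a pod
    return ref.get("namespace") in SYSTEM_NAMESPACES


def scan_audit_log(lines: Iterable[str], allowlist: frozenset = frozenset()) -> list:
    """Return one alert record per matching event. `allowlist` (an assumed tuning
    knob) names principals whose system-namespace pod creations are expected,
    such as controllers that roll out core add-ons; it is empty by default."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not an audit event
        if not is_system_namespace_pod_create(event):
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        if user in allowlist:
            continue
        ref = event["objectRef"]
        alerts.append({
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "user": user,
            "source_ips": event.get("sourceIPs", []),
            "time": event.get("requestReceivedTimestamp"),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(json.dumps(alert))
```

Run as is, the scan reports two events: the interactive `debug-shell` pod and the controller-created CoreDNS pod, both in kube-system. The `default`-namespace create, the `pods/exec` subresource call and the forbidden (403) request are correctly ignored. Passing the controller's service account in `allowlist` leaves only the `dev-user` event, which is the one an analyst would pick up with the rule's runbook.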
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Pod
- Cloud Service
- Application Log
ATT&CK Techniques
- T1611
- T1525
- T1578.002
Created: 2026-02-18