
Kubernetes Long-Lived Service Account Token Created

Panther Rules

Summary
The "Kubernetes Long-Lived Service Account Token Created" detection rule identifies the creation of long-lived service account tokens through the `serviceaccounts/token` subresource in Kubernetes. Although automatic token generation was deprecated in Kubernetes 1.24+, users with sufficient permissions can still create non-expiring tokens manually, which attackers can exploit to establish persistent access. Stratus Red Team documents this technique as a credential access and persistence mechanism. Organizations should be vigilant about token creation activity, in particular monitoring which users attempt to create such tokens, to confirm legitimacy and compliance with access management best practices. The rule targets both Amazon EKS and Azure AKS environments and highlights specific activities that should be investigated, including token creation by unauthorized users or in sensitive namespaces. The rule also maps to established frameworks such as MITRE ATT&CK, making it easier to contextualize the threat and respond appropriately.
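Detection logic for the behaviour described above, as an added example that is not Panther's rule code, run over constructed Kubernetes audit events. Field names follow the standard kube-apiserver audit Event schema; the one-day "long-lived" threshold and the `kube-system` sensitivity list are assumptions made for this example.

```python
DEFAULT_LIFETIME_SECONDS = 3600         # kube-apiserver default when expirationSeconds is omitted
LONG_LIVED_SECONDS = 24 * 60 * 60       # assumption: anything beyond one day is "long-lived"
SENSITIVE_NAMESPACES = {"kube-system"}  # assumption: namespaces that warrant extra scrutiny

def is_token_create(event):
    """True when the audit event records a create on the serviceaccounts/token subresource."""
    ref = event.get("objectRef") or {}
    return (event.get("verb") == "create" and ref.get("resource") == "serviceaccounts"
            and ref.get("subresource") == "token")

def requested_lifetime(event):
    """TokenRequest.spec.expirationSeconds from the request body (needs Request or
    RequestResponse audit level); an omitted value means the API server default of one hour."""
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return int(spec.get("expirationSeconds", DEFAULT_LIFETIME_SECONDS))

def rule(event):
    """Fire only on token requests the API server accepted whose lifetime exceeds the threshold."""
    if not is_token_create(event):
        return False
    code = (event.get("responseStatus") or {}).get("code", 0)
    return 200 <= code < 300 and requested_lifetime(event) > LONG_LIVED_SECONDS

def severity(event):
    """Escalate when the token targets a service account in a sensitive namespace."""
    ns = (event.get("objectRef") or {}).get("namespace")
    return "HIGH" if ns in SENSITIVE_NAMESPACES else "MEDIUM"

def title(event):
    ref = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username", "<unknown>")
    return (f"Long-lived token ({requested_lifetime(event)}s) created by {user} "
            f"for {ref.get('namespace')}/{ref.get('name')}")

# Constructed sample audit events for this example, not real logs.
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                   "namespace": "kube-system", "name": "default"},
     "requestObject": {"spec": {"expirationSeconds": 315360000}},  # ten years
     "responseStatus": {"code": 201}},
    {"verb": "create", "user": {"username": "ci-bot"},
     "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                   "namespace": "ci", "name": "runner"},
     "requestObject": {"spec": {}},  # omitted: API default of one hour
     "responseStatus": {"code": 201}},
]
```

Running `rule` over `SAMPLE_EVENTS` flags only the first event; the second is an ordinary short-lived token request and a plain `get` on a service account never matches.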
Categories
  • Kubernetes
  • Cloud
Data Sources
  • Kernel
  • User Account
  • Application Log
ATT&CK Techniques
  • T1098
  • T1552
Created: 2026-02-18