
Potential Sidecar Injection Into Running Deployment

Sigma Rules

Summary
The rule identifies and alerts on attempts to inject a sidecar into a running Kubernetes deployment. Sidecar injection adds a secondary container to an existing pod, typically through a `kubectl patch` operation against a workload resource such as a Deployment, DaemonSet, or StatefulSet. Attackers use this tactic to execute unauthorized code inside a legitimate pod, concealing their activity from detection systems that monitor separate pods. The rule specifically looks for patch operations executed on deployments, since such a patch modifies the pod's existing set of containers. Because container orchestration is critical to the security of Kubernetes environments, this rule is an important means of flagging intrusions that use sidecar containers for malicious purposes.
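As an added illustration (not the Sigma rule itself and not the project's code), the following Python applies the rule's core condition, a patch verb on a workload resource, to constructed Kubernetes API-server audit events, and goes one step beyond the rule by recording whether the patch body touches the pod template's container list, which helps triage labels-only patches. The audit events, usernames, namespaces and the image name are constructed samples.

```python
import json

# Constructed sample Kubernetes API-server audit events (not real data): a patch
# that adds a container to a Deployment, an unrelated get on a pod, and a
# labels-only patch to a DaemonSet.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","verb":"patch","user":{"username":"dev-user"},"objectRef":{"resource":"deployments","namespace":"prod","name":"web"},"requestObject":{"spec":{"template":{"spec":{"containers":[{"name":"sidecar","image":"example.invalid/agent:1"}]}}}}}
{"kind":"Event","verb":"get","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-abc"}}
{"kind":"Event","verb":"patch","user":{"username":"ci-bot"},"objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"log-agent"},"requestObject":{"metadata":{"labels":{"team":"infra"}}}}
"""

# Workload kinds named in the rule summary; a sidecar injection has to modify
# their pod template.
WORKLOAD_RESOURCES = {"deployments", "daemonsets", "statefulsets"}


def patch_touches_containers(request_object):
    """True if a merge/strategic-merge patch body carries a pod-template
    container list. requestObject is only logged at audit level Request or
    RequestResponse; a JSON-patch (RFC 6902) body is a list and yields False."""
    try:
        pod_spec = request_object["spec"]["template"]["spec"]
    except (KeyError, TypeError):
        return False
    if not isinstance(pod_spec, dict):
        return False
    return bool(pod_spec.get("containers") or pod_spec.get("initContainers"))


def detect_sidecar_injection(audit_log_text):
    """Flag every patch on a workload resource (the rule's condition) and
    enrich each hit with whether the patch body changed the container list."""
    hits = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("verb") != "patch" or ref.get("resource") not in WORKLOAD_RESOURCES:
            continue
        hits.append({
            "user": (ev.get("user") or {}).get("username"),
            "resource": ref["resource"],
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "containers_changed": patch_touches_containers(ev.get("requestObject")),
        })
    return hits
```

Running `detect_sidecar_injection(SAMPLE_AUDIT_LOG)` yields two hits: the Deployment patch with `containers_changed` true and the DaemonSet patch with it false.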
Categories
  • Kubernetes
  • Cloud
  • Containers
Data Sources
  • Pod
  • Container
  • Application Log
Created: 2024-03-26