
Kubernetes Sensitive RBAC Change Followed by Workload Modification
Elastic Detection Rules
Summary
This detection rule identifies a pattern where a user modifies a Kubernetes Role or ClusterRole to add high-risk permissions (e.g., wildcard or escalation verbs) and subsequently creates or modifies a workload resource (such as a DaemonSet, Deployment, or CronJob) within a short time frame. This sequence of actions often indicates potential privilege escalation and the deployment of malicious payloads by adversaries. The rule leverages Kubernetes audit logs and employs an EQL sequence query to track user actions and their timing to detect this behavior. Detailed investigation steps and response measures are provided to aid analysts in confirming and addressing potential security incidents related to RBAC changes and workload modifications.
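To make the sequence concrete, here is an added, stand-alone Python sketch of the same logic run over constructed Kubernetes audit entries; it is not the Elastic rule's EQL or code. The high-risk verb set, the workload kinds, the five-minute window and the audit field layout are assumptions, since the page does not state the rule's exact values.

```python
from datetime import datetime, timedelta

# Assumed verb set, workload kinds and window; the rule's exact values are not on this page.
HIGH_RISK_VERBS = {"*", "escalate", "bind", "impersonate"}
WORKLOAD_KINDS = {"daemonsets", "deployments", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch"}
WINDOW = timedelta(minutes=5)

def is_risky_rbac_change(ev):
    """True if the audit event writes a Role/ClusterRole whose rules grant a high-risk verb."""
    if ev.get("verb") not in WRITE_VERBS:
        return False
    if ev.get("objectRef", {}).get("resource") not in {"roles", "clusterroles"}:
        return False
    rules = ev.get("requestObject", {}).get("rules", [])  # assumes a full object body, not a patch
    return any(HIGH_RISK_VERBS & set(r.get("verbs", [])) for r in rules)

def is_workload_write(ev):
    """True if the audit event creates or modifies a DaemonSet, Deployment or CronJob."""
    return ev.get("verb") in WRITE_VERBS and ev.get("objectRef", {}).get("resource") in WORKLOAD_KINDS

def find_sequences(events):
    """Pair each risky RBAC change with the same user's next workload write inside WINDOW (EQL-style sequence by user)."""
    hits, pending = [], {}  # pending: username -> (timestamp, rbac_event)
    for ev in sorted(events, key=lambda e: e["requestReceivedTimestamp"]):
        user = ev["user"]["username"]
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        if is_risky_rbac_change(ev):
            pending[user] = (ts, ev)  # newest RBAC change for this user starts the sequence
        elif is_workload_write(ev) and user in pending:
            t0, rbac_ev = pending.pop(user)
            if ts - t0 <= WINDOW:
                hits.append((user, rbac_ev, ev))
    return hits

# Constructed sample audit entries (not real logs): dev-a grants wildcard verbs then creates a
# DaemonSet; dev-b makes a benign Role change then deploys, which must not match.
SAMPLE_EVENTS = [
    {"requestReceivedTimestamp": "2026-02-04T10:00:00Z", "verb": "update",
     "user": {"username": "dev-a"}, "objectRef": {"resource": "clusterroles", "name": "ops"},
     "requestObject": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}},
    {"requestReceivedTimestamp": "2026-02-04T10:02:30Z", "verb": "create",
     "user": {"username": "dev-a"}, "objectRef": {"resource": "daemonsets", "name": "agent"}},
    {"requestReceivedTimestamp": "2026-02-04T10:03:00Z", "verb": "update",
     "user": {"username": "dev-b"}, "objectRef": {"resource": "roles", "name": "reader"},
     "requestObject": {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}},
    {"requestReceivedTimestamp": "2026-02-04T10:04:00Z", "verb": "create",
     "user": {"username": "dev-b"}, "objectRef": {"resource": "deployments", "name": "web"}},
]
```

Running `find_sequences(SAMPLE_EVENTS)` yields one hit for dev-a; dev-b's benign change produces none, and a workload write later than the window is also dropped.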
Categories
- Kubernetes
Data Sources
- Kernel
- Container
- Application Log
ATT&CK Techniques
- T1098
- T1098.006
Created: 2026-02-04