
Kubectl Secrets Enumeration Across All Namespaces

Elastic Detection Rules

Summary
This detection rule monitors for use of the kubectl command to enumerate secrets across all Kubernetes namespaces. It looks for Linux/macOS process-start events where the process is named kubectl and the command-line arguments indicate broad secret discovery: a get or describe verb, a secret or secrets resource, and the --all-namespaces flag or its short form -A. Listing secrets cluster-wide is a common first step toward credential discovery, privilege escalation, or lateral movement. The rule maps to MITRE ATT&CK techniques T1613 (Container and Resource Discovery) and T1552 (Unsecured Credentials).

Data is collected from multiple sources (Auditd Manager, Endgame, CrowdStrike, SentinelOne, Elastic Defend, Elastic Defend for Containers, and Cloud Defend related logs) to support cross-sensor detection and investigation.

Investigation steps include validating the exact command line, identifying the initiating user and host, and correlating with Kubernetes API server audit logs (which must be enabled for this to be possible) to see which secrets were listed, whether the request succeeded, and under which cluster identity it was made; the OS user on the host and the Kubernetes user in the kubeconfig are not necessarily the same. Check for follow-on actions such as reading, exporting, or altering secrets or the kubeconfig. Note that kubectl get secrets -A on its own prints only names and metadata; the base64-encoded values appear only when an output format such as -o yaml or -o json is requested, so the output flag is the first thing to check when judging exposure. Analysts should also review related kubectl activity (for example auth can-i, the --as and --as-group impersonation flags, and use of service-account tokens) and assess whether later sessions accessed sensitive resources.

False positives can occur during legitimate administration, CI/CD, or troubleshooting activity; maintain exceptions for known workflows.

Remediation guidance includes validating and restricting the executing user's access, rotating any credentials that may have been exposed, and reviewing RBAC bindings and related activity.

The setup notes describe Elastic Defend integration via Fleet and the prerequisite configuration needed to enable endpoint data collection for this detection.
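The matching logic described above, followed by the audit-log correlation step from the investigation guidance, as an added example that is not the rule's own query nor Elastic's code. It assumes whole-token matching of --all-namespaces / -A, uses its own flat event shape (timestamp, host, user, process_name, command_line) rather than the ECS fields the real rule reads, and runs over constructed process and audit events. It goes beyond the description in two places: it also recognises comma-separated and slash-qualified resource names (pods,secrets; secret/db-creds), and it flags the -o/--output formats that would actually print secret values.

```python
"""Added example, not Elastic's rule or code: the described matching logic plus audit correlation."""
import shlex
from datetime import datetime, timedelta

ENUM_VERBS = {"get", "describe"}
SECRET_RESOURCES = {"secret", "secrets"}
# Assumption: whole-token matching; other spellings kubectl accepts are not covered.
ALL_NS_FLAGS = {"--all-namespaces", "--all-namespaces=true", "-A"}
# Table, wide and name output never print secret data; yaml, json, jsonpath, go-template, custom-columns can.
SAFE_OUTPUT_FORMATS = {None, "wide", "name"}

def _names_secrets(token):
    # "secrets", "secret/db-creds" and "pods,secrets" all refer to the secrets resource
    return any(part.split("/")[0] in SECRET_RESOURCES for part in token.split(","))

def output_format(args):
    # -o/--output value in any spelling kubectl accepts (-o yaml, -oyaml, -o=yaml, --output=yaml), else None
    for i, tok in enumerate(args):
        if tok in ("-o", "--output") and i + 1 < len(args):
            return args[i + 1]
        if tok.startswith("--output="):
            return tok.split("=", 1)[1]
        if tok.startswith("-o") and not tok.startswith("--") and len(tok) > 2:
            return tok[2:].lstrip("=")
    return None

def classify(process_name, command_line):
    """None when the event does not match the rule as described, else match details."""
    if process_name != "kubectl":
        return None
    args = shlex.split(command_line)[1:]
    verb = next((a for a in args if a in ENUM_VERBS), None)
    if verb is None or not any(_names_secrets(a) for a in args) \
            or not any(a in ALL_NS_FLAGS for a in args):
        return None
    fmt = output_format(args)
    # describe prints key names and sizes only; get with a non-table format dumps the values
    return {"verb": verb, "output": fmt,
            "may_expose_values": verb == "get" and fmt not in SAFE_OUTPUT_FORMATS}

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def correlate_audit(when, audit_events, window=timedelta(minutes=2)):
    """Cluster-wide secret list/get requests the API server saw within `window` of `when`.
    Only ResponseComplete events carry responseStatus; a missing objectRef.namespace means
    the request spanned all namespaces. A 403 records an attempt, a 200 an actual listing."""
    hits = []
    for ev in audit_events:
        ref = ev.get("objectRef", {})
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in ("list", "get"):
            continue
        if ref.get("resource") != "secrets" or ref.get("namespace"):
            continue
        if abs(parse_ts(ev["requestReceivedTimestamp"]) - when) > window:
            continue
        hits.append({"audit_id": ev["auditID"], "user": ev["user"]["username"],
                     "source_ip": ev.get("sourceIPs", [None])[0], "status": ev["responseStatus"]["code"]})
    return hits

def triage(process_events, audit_events):
    # run the rule over process events and attach audit-log context to each match
    out = []
    for pe in process_events:
        m = classify(pe["process_name"], pe["command_line"])
        if m is None:
            continue
        m.update(host=pe["host"], os_user=pe["user"], command_line=pe["command_line"],
                 audit_hits=correlate_audit(parse_ts(pe["timestamp"]), audit_events))
        out.append(m)
    return out

def _proc(ts, host, user, cmd):  # constructed process-start event, not real telemetry
    return {"timestamp": ts, "host": host, "user": user, "process_name": "kubectl", "command_line": cmd}

PROCESS_EVENTS = [
    _proc("2026-03-26T10:00:05Z", "build-01", "ci", "kubectl get secrets -A -o yaml"),
    _proc("2026-03-26T10:30:00Z", "ops-laptop", "alice", "kubectl describe secrets --all-namespaces"),
    _proc("2026-03-26T10:31:00Z", "ops-laptop", "alice", "kubectl get secrets -n kube-system -o json"),
    _proc("2026-03-26T10:32:00Z", "ops-laptop", "alice", "kubectl get pods -A"),
]

def _audit(aid, ts, user, verb, resource, code, namespace=None):
    # constructed Metadata-level audit.k8s.io/v1 event carrying only the fields used here
    ref = {"resource": resource, "apiVersion": "v1", **({"namespace": namespace} if namespace else {})}
    return {"auditID": aid, "stage": "ResponseComplete", "verb": verb, "objectRef": ref,
            "user": {"username": user}, "sourceIPs": ["10.20.0.5"],
            "responseStatus": {"code": code}, "requestReceivedTimestamp": ts}

AUDIT_EVENTS = [
    _audit("a1", "2026-03-26T10:00:06Z", "ci-deployer", "list", "secrets", 200),
    _audit("a2", "2026-03-26T10:00:07Z", "readonly", "list", "secrets", 403),
    _audit("a3", "2026-03-26T10:00:08Z", "ci-deployer", "list", "secrets", 200, "kube-system"),
    _audit("a4", "2026-03-26T10:30:01Z", "alice", "list", "secrets", 200),
]

if __name__ == "__main__":
    for r in triage(PROCESS_EVENTS, AUDIT_EVENTS):
        print(r["host"], r["os_user"], repr(r["command_line"]), "exposes_values=%s" % r["may_expose_values"],
              [(h["user"], h["status"]) for h in r["audit_hits"]])
```

Two things the run makes visible. First, the third constructed event (a full JSON dump of one namespace's secrets) never matches, because the rule as described keys on the all-namespaces flag; that is a gap to cover with a sibling rule rather than by loosening this one. Second, the audit hits show that the process event alone cannot tell you whether the listing succeeded or which cluster identity made it: the same two-minute window contains one 200 from ci-deployer and one 403 from readonly, and only the audit log distinguishes them.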
Categories
  • Endpoint
  • Containers
  • Kubernetes
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1613
  • T1552
Created: 2026-03-26