
Kubernetes Potential Endpoint Permission Enumeration Attempt Detected
Elastic Detection Rules
Summary
The rule detects potential endpoint permission enumeration attempts within Kubernetes environments that are indicative of automated attacks. It uses Kubernetes audit logs to identify patterns where a single user, coming from one IP address, issues an unusually high volume of API requests across various resources, with a mix of successful and failed responses. This behavior is atypical for normal operations and suggests a probing effort to discover access rights to sensitive resources such as secrets and pods. The rule filters audit logs for response completions, matches the verbs get, list, and watch, and applies constraints on the number of distinct request URIs and response statuses observed. When such enumeration is detected, the rule's accompanying guidance sets out investigative and remediation steps to evaluate the legitimacy of the actions, focusing on the context of the requests, the identity executing them, and potential escalation attempts.
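As an added illustration, not Elastic's rule query (which this page does not reproduce), the following Python performs the same aggregation over newline-delimited Kubernetes audit events: the field names follow the Kubernetes audit event schema, while the service-account names, IP addresses, request URIs and the distinct-URI threshold are constructed assumptions.

```python
import json
from collections import defaultdict

# Assumed threshold (hypothetical): the real Elastic rule's values are not on the page.
MIN_DISTINCT_URIS = 5
READ_VERBS = {"get", "list", "watch"}

def _ev(user, ip, verb, uri, code):
    """Build one minimal Kubernetes audit event (ResponseComplete stage) as a JSON line."""
    return json.dumps({"stage": "ResponseComplete", "verb": verb, "user": {"username": user},
                       "sourceIPs": [ip], "requestURI": uri, "responseStatus": {"code": code}})

PROBE, APP = "system:serviceaccount:default:probe", "system:serviceaccount:default:app"
# Constructed sample log: PROBE reads many different resources with mixed 200/403 results,
# while APP performs routine reads of a single ConfigMap. One malformed line is included.
SAMPLE_AUDIT_LOG = "\n".join([
    _ev(PROBE, "10.0.0.7", "list", "/api/v1/namespaces/default/secrets", 403),
    _ev(PROBE, "10.0.0.7", "list", "/api/v1/namespaces/kube-system/secrets", 403),
    _ev(PROBE, "10.0.0.7", "get", "/api/v1/namespaces/default/pods", 200),
    _ev(PROBE, "10.0.0.7", "list", "/api/v1/namespaces/default/configmaps", 200),
    _ev(PROBE, "10.0.0.7", "watch", "/apis/apps/v1/namespaces/default/deployments", 403),
    _ev(PROBE, "10.0.0.7", "list", "/api/v1/nodes", 403),
    _ev(APP, "10.0.0.9", "get", "/api/v1/namespaces/default/configmaps/app-config", 200),
    _ev(APP, "10.0.0.9", "get", "/api/v1/namespaces/default/configmaps/app-config", 200),
    "not json at all",  # audit pipelines do emit junk; the detector must skip it, not crash
])

def detect_enumeration(text, min_uris=MIN_DISTINCT_URIS):
    """Group ResponseComplete get/list/watch events by (username, source IP) and flag
    principals that hit many distinct request URIs with both 2xx and 4xx/5xx responses."""
    buckets = defaultdict(lambda: {"uris": set(), "codes": set()})
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete" \
                or ev.get("verb") not in READ_VERBS:
            continue
        user = ev.get("user", {}).get("username", "<unknown>")
        for ip in ev.get("sourceIPs") or ["<none>"]:
            buckets[(user, ip)]["uris"].add(ev.get("requestURI", ""))
            buckets[(user, ip)]["codes"].add(ev.get("responseStatus", {}).get("code", 0))
    hits = {}
    for key, b in buckets.items():
        succeeded = any(200 <= c < 300 for c in b["codes"])
        failed = any(c >= 400 for c in b["codes"])
        if len(b["uris"]) >= min_uris and succeeded and failed:
            hits[key] = {"distinct_uris": len(b["uris"]), "codes": sorted(b["codes"])}
    return hits
```

Running `detect_enumeration(SAMPLE_AUDIT_LOG)` reports only the PROBE principal from 10.0.0.7; APP touches a single URI and is not flagged.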
Categories
- Kubernetes
- Cloud
Data Sources
- Kernel
- Pod
- Container
ATT&CK Techniques
- T1613
Created: 2026-02-02