
Summary
This rule detects potential abuse of Kubernetes administration commands, specifically the pod `exec` and `attach` subresources that the Kubernetes API server (with the kubelet behind it) exposes for running a command in, or attaching a terminal to, a running container. An adversary holding a credential or service-account token with `pods/exec` or `pods/attach` permission can use these endpoints to execute arbitrary commands inside containers without ever touching the node (ATT&CK T1609, Container Administration Command). The Splunk search retrieves Kubernetes audit events from the configured log source, narrows them with a term search for 'exec' and 'attach', and then applies a regular expression to the request URI so that only the pod exec and attach subresource paths are kept, rather than every request whose URI merely contains one of those words (for example a pod or namespace named `exec-runner`). Statistics over the matching events show these actions over time, so an analyst can see which identity ran commands in which containers, and when. Because `kubectl exec` is also routinely used by operators and CI pipelines, review the output against expected administrative activity (known users, service accounts and source addresses): an unexpected identity, a workload that is never administered interactively, or a burst of exec calls across many pods is the signal that warrants investigation. Surfacing these administrative actions helps preserve the integrity of containerized workloads and the cluster as a whole.
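The following Python is an added example, not the Splunk search from the rule or any Splunk-provided code. It reproduces the same three steps (a cheap term prefilter for 'exec'/'attach', a regex that keeps only the pod exec and attach subresource URIs, and a count over time) against constructed `audit.k8s.io/v1` events written as JSON lines. The event field names (`requestURI`, `stage`, `user.username`, `sourceIPs`, `requestReceivedTimestamp`) are the real Kubernetes audit schema; the pod names, users and addresses in the sample are made up. It also handles an edge case a Splunk implementation has to handle too: long-running exec requests emit several audit stages for one session, so the count is restricted to a single stage.

```python
"""Detect pod exec/attach calls in Kubernetes API server audit logs.

Added example; not the page's or Splunk's own search logic. Field names follow
the audit.k8s.io/v1 Event schema; the sample events below are constructed.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Anchored to the pod subresource path, so a request that only *mentions*
# "exec" or "attach" in a pod or namespace name does not match.
POD_EXEC_ATTACH_RE = re.compile(
    r"^/api/v1/namespaces/(?P<namespace>[^/?]+)/pods/(?P<pod>[^/?]+)"
    r"/(?P<sub>exec|attach)(?:\?|$)"
)

# A long-running exec/attach request is audited at RequestReceived,
# ResponseStarted and ResponseComplete; count one stage so each session
# is counted once.
COUNT_STAGE = "ResponseComplete"


def coarse_match(event: dict) -> bool:
    """Cheap prefilter, equivalent to searching for the terms exec OR attach."""
    uri = event.get("requestURI", "")
    return "exec" in uri or "attach" in uri


def refine(event: dict):
    """Return (namespace, pod, subresource) for a real pod exec/attach call, else None."""
    if event.get("stage") != COUNT_STAGE:
        return None
    m = POD_EXEC_ATTACH_RE.match(event.get("requestURI", ""))
    if not m:
        return None
    return m.group("namespace"), m.group("pod"), m.group("sub")


def hour_bucket(ts: str) -> str:
    """Collapse an RFC 3339 audit timestamp to its UTC hour (the 'over time' axis)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")


def detect(lines):
    """Count exec/attach sessions per hour, user, source IP, namespace, pod and subresource."""
    hits = Counter()
    for line in lines:
        ev = json.loads(line)
        if not coarse_match(ev):
            continue
        parsed = refine(ev)
        if parsed is None:
            continue
        ns, pod, sub = parsed
        key = (
            hour_bucket(ev["requestReceivedTimestamp"]),
            ev.get("user", {}).get("username", "?"),
            ",".join(ev.get("sourceIPs", [])),
            ns, pod, sub,
        )
        hits[key] += 1
    return hits


def _ev(uri, stage, user, ip, ts, verb="create"):
    """Build one constructed audit event as a JSON line."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": verb, "requestURI": uri, "user": {"username": user},
        "sourceIPs": [ip], "requestReceivedTimestamp": ts,
    })


def sample_events():
    """Constructed sample: one exec session across three stages, one attach, two decoys."""
    exec_uri = "/api/v1/namespaces/default/pods/web-0/exec?command=sh&stdin=true&tty=true"
    return [
        _ev(exec_uri, "RequestReceived", "jane", "10.0.0.5", "2024-02-09T10:00:00.000000Z"),
        _ev(exec_uri, "ResponseStarted", "jane", "10.0.0.5", "2024-02-09T10:00:00.000000Z"),
        _ev(exec_uri, "ResponseComplete", "jane", "10.0.0.5", "2024-02-09T10:00:00.000000Z"),
        _ev("/api/v1/namespaces/default/pods/web-1/attach?container=app", "ResponseComplete",
            "system:serviceaccount:ci:runner", "10.0.0.9", "2024-02-09T10:30:12.000000Z"),
        # Decoys: the term prefilter hits, the regex must not.
        _ev("/api/v1/namespaces/default/pods/exec-helper", "ResponseComplete",
            "bob", "10.0.0.7", "2024-02-09T10:31:00.000000Z", verb="get"),
        _ev("/api/v1/namespaces/attach-tools/configmaps", "ResponseComplete",
            "bob", "10.0.0.7", "2024-02-09T10:32:00.000000Z", verb="list"),
        # Same user and pod an hour later lands in a separate time bucket.
        _ev(exec_uri, "ResponseComplete", "jane", "10.0.0.5", "2024-02-09T11:05:00.000000Z"),
        _ev("/api/v1/pods", "ResponseComplete", "bob", "10.0.0.7",
            "2024-02-09T11:06:00.000000Z", verb="list"),
    ]


if __name__ == "__main__":
    for key, n in sorted(detect(sample_events()).items()):
        print(n, *key)
```

Running the block prints three rows: `jane` exec on `web-0` in the 10:00 and 11:00 buckets and the CI service account's attach to `web-1`, while the three-stage exec session counts once and the `exec-helper` and `attach-tools` decoys are dropped by the regex even though the term search matched them. The audit `verb` for `kubectl exec` and `kubectl attach` is `create` (the client POSTs to the subresource); it is carried in the events here but not filtered on, so the example does not depend on which HTTP method a client used.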
Categories
- Kubernetes
- Cloud
- Containers
Data Sources
- Kernel
- Service
- Process
- Network Traffic
ATT&CK Techniques
- T1609
Created: 2024-02-09