Kubernetes GCP detect suspicious kubectl calls

Splunk Security Content

Summary
This threat detection rule focuses on identifying suspicious `kubectl` calls in a Google Cloud Platform (GCP) Kubernetes environment. `kubectl` is the command-line tool used for interacting with Kubernetes clusters, and while its calls are not inherently malicious, anonymous calls can indicate potential security risks. The detection rule queries GCP's Pub/Sub messaging logs to capture requests made using `kubectl` by checking the user agent for values starting with 'kubectl'. The rule inspects the source user for values such as 'system:unsecured' or 'system:anonymous', both of which indicate a lack of authentication or a potentially unauthorized access method. The output is presented in a table format that includes details such as source IP, source user, the user agent string, and authorization info related to object access. The intention is to highlight any unusual patterns of access, particularly for sensitive Kubernetes objects like configmaps or secrets that could pose a security risk if accessed by unauthorized users. The rule has been marked as deprecated, suggesting there may be a newer approach or technique available.
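The detection logic described above, run over a few constructed log lines, as an added example that is not part of the Splunk Security Content rule itself. It simulates the rule's filter (user agent starting with `kubectl`, principal `system:unsecured` or `system:anonymous`) in Python and produces the same kind of row (source IP, source user, user agent, authorization info) that the Splunk table would show, plus a flag for access to secrets or configmaps. The JSON field paths (`protoPayload.requestMetadata.callerSuppliedUserAgent`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.authorizationInfo`) are assumed to follow GCP's AuditLog schema as delivered through a Pub/Sub sink; the event values are made up.

```python
import json

# Constructed GKE audit-log events shaped after GCP's AuditLog schema as exported
# through a Pub/Sub sink. Field paths are assumptions; every value is made up.
SAMPLE_EVENTS = [
    # 1: anonymous principal reading a Secret with kubectl -> should fire (sensitive, denied)
    json.dumps({"protoPayload": {
        "requestMetadata": {"callerIp": "203.0.113.10",
                            "callerSuppliedUserAgent": "kubectl/v1.28.2 (linux/amd64) kubernetes/89a4ea3"},
        "authenticationInfo": {"principalEmail": "system:anonymous"},
        "authorizationInfo": [{"resource": "core/v1/namespaces/default/secrets/db-creds",
                               "permission": "io.k8s.core.v1.secrets.get", "granted": False}]}}),
    # 2: authenticated user listing pods -> benign, must not fire
    json.dumps({"protoPayload": {
        "requestMetadata": {"callerIp": "192.0.2.44",
                            "callerSuppliedUserAgent": "kubectl/v1.28.2 (darwin/arm64) kubernetes/89a4ea3"},
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "authorizationInfo": [{"resource": "core/v1/namespaces/default/pods",
                               "permission": "io.k8s.core.v1.pods.list", "granted": True}]}}),
    # 3: anonymous but not kubectl -> outside this rule's scope, must not fire
    json.dumps({"protoPayload": {
        "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "curl/8.4.0"},
        "authenticationInfo": {"principalEmail": "system:anonymous"},
        "authorizationInfo": [{"resource": "core/v1/namespaces/default/pods",
                               "permission": "io.k8s.core.v1.pods.list", "granted": False}]}}),
    # 4: unsecured principal reading a ConfigMap with kubectl -> should fire (sensitive, granted)
    json.dumps({"protoPayload": {
        "requestMetadata": {"callerIp": "198.51.100.7",
                            "callerSuppliedUserAgent": "kubectl/v1.27.0 (linux/amd64) kubernetes/1b4df30"},
        "authenticationInfo": {"principalEmail": "system:unsecured"},
        "authorizationInfo": [{"resource": "core/v1/namespaces/prod/configmaps/app-config",
                               "permission": "io.k8s.core.v1.configmaps.get", "granted": True}]}}),
]

# Principals the rule treats as unauthenticated / unauthorized access paths.
SUSPICIOUS_USERS = {"system:unsecured", "system:anonymous"}
# Object kinds the summary calls out as sensitive.
SENSITIVE_KINDS = ("secrets", "configmaps")


def _payload(event):
    return event.get("protoPayload", {})


def is_suspicious_kubectl_call(event):
    """Mirror the rule's filter: kubectl user agent AND an anonymous/unsecured principal."""
    p = _payload(event)
    ua = p.get("requestMetadata", {}).get("callerSuppliedUserAgent", "")
    user = p.get("authenticationInfo", {}).get("principalEmail", "")
    return ua.startswith("kubectl") and user in SUSPICIOUS_USERS


def touches_sensitive_object(resources):
    """True if any authorized resource path is a Secret or ConfigMap."""
    return any(f"/{kind}/" in r or r.endswith(f"/{kind}")
               for r in resources for kind in SENSITIVE_KINDS)


def detect(lines):
    """Return one table row per matching event, like the rule's Splunk output."""
    rows = []
    for line in lines:
        event = json.loads(line)
        if not is_suspicious_kubectl_call(event):
            continue
        p = _payload(event)
        meta = p.get("requestMetadata", {})
        authz = p.get("authorizationInfo", [])
        resources = [a.get("resource", "") for a in authz]
        rows.append({
            "src_ip": meta.get("callerIp"),
            "src_user": p.get("authenticationInfo", {}).get("principalEmail"),
            "user_agent": meta.get("callerSuppliedUserAgent"),
            "resources": resources,
            # Whether any of the requested permissions was actually granted:
            # a granted anonymous read of a Secret is the case to escalate first.
            "granted": any(a.get("granted", False) for a in authz),
            "sensitive": touches_sensitive_object(resources),
        })
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(json.dumps(row))
```

Events 2 and 3 show the two ways a line falls outside the rule: an authenticated principal, or a non-kubectl client. Event 3 is worth noting for triage, since the same anonymous principal is still probing the API server; this rule's user-agent filter simply does not cover it.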
Categories
  • Cloud
  • Kubernetes
Data Sources
  • Cloud Service
  • Process
Created: 2024-11-14