Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected

Elastic Detection Rules

Summary
This rule detects potential endpoint enumeration attempts by unauthorized users in Kubernetes environments. An anonymous user, who is neither authenticated nor authorized, poses a risk of probing the Kubernetes API server for accessible endpoints, which could lead to credential theft or exploitation. The detection works by monitoring for a series of suspicious failed API requests made to multiple endpoints within a short timeframe; such behavior is atypical for standard Kubernetes clusters and indicates possible reconnaissance activity by an attacker. The rule uses ESQL to analyze logs for requests made by users classified as 'system:anonymous' or 'system:unauthenticated', counting responses that include unauthorized access errors and measuring the diversity of accessed URIs and resource types. Investigation focuses on identifying the originating IP, correlating it with firewall or load balancer logs, validating the authentication configuration, and checking for any successful data exposure. Remediation includes restricting network access and disabling anonymous permissions to safeguard the API server from potential exploitation. This rule is vital for maintaining the security posture of Kubernetes deployments and preventing unauthorized access to sensitive information.
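The same detection logic, written here as an added Python example over constructed Kubernetes audit events; this is not Elastic's rule or its ESQL query. The window and the URI/resource thresholds are assumptions chosen for the example, and the sample events follow the audit.k8s.io Event field names.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Kubernetes audit events (not real cluster data). Field names
# follow the audit.k8s.io Event schema; one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"requestReceivedTimestamp":"2026-02-02T10:00:00Z","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"verb":"get","requestURI":"/api/v1/secrets","objectRef":{"resource":"secrets"},"responseStatus":{"code":403},"sourceIPs":["203.0.113.10"]}
{"requestReceivedTimestamp":"2026-02-02T10:00:05Z","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"verb":"list","requestURI":"/api/v1/namespaces/kube-system/pods","objectRef":{"resource":"pods"},"responseStatus":{"code":403},"sourceIPs":["203.0.113.10"]}
{"requestReceivedTimestamp":"2026-02-02T10:00:09Z","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"verb":"list","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterroles","objectRef":{"resource":"clusterroles"},"responseStatus":{"code":403},"sourceIPs":["203.0.113.10"]}
{"requestReceivedTimestamp":"2026-02-02T10:00:12Z","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"verb":"list","requestURI":"/api/v1/nodes","objectRef":{"resource":"nodes"},"responseStatus":{"code":401},"sourceIPs":["203.0.113.10"]}
{"requestReceivedTimestamp":"2026-02-02T10:00:20Z","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"verb":"get","requestURI":"/version","responseStatus":{"code":200},"sourceIPs":["203.0.113.10"]}
{"requestReceivedTimestamp":"2026-02-02T10:03:00Z","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"verb":"get","requestURI":"/api/v1/configmaps","objectRef":{"resource":"configmaps"},"responseStatus":{"code":403},"sourceIPs":["198.51.100.7"]}
"""


def parse_events(raw):
    """Parse newline-delimited JSON audit events."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_anonymous(event):
    """True for the anonymous user or any member of the unauthenticated group."""
    user = event.get("user", {})
    return user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", [])


def find_enumeration(events, window=timedelta(minutes=5), min_uris=3, min_resources=2):
    """Return {source_ip: (distinct_uris, distinct_resources)} for source IPs whose failed
    (401/403) anonymous requests inside any `window` touch at least `min_uris` distinct URIs
    and `min_resources` distinct resource types. Thresholds are example assumptions."""
    per_ip = defaultdict(list)
    for ev in events:
        if not is_anonymous(ev) or ev.get("responseStatus", {}).get("code") not in (401, 403):
            continue  # only unauthorized/forbidden responses count as probing
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        resource = ev.get("objectRef", {}).get("resource", "")
        per_ip[ev.get("sourceIPs", ["unknown"])[0]].append((ts, ev["requestURI"], resource))
    hits = {}
    for ip, reqs in per_ip.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):  # slide the window over each start time
            inside = [r for r in reqs[i:] if r[0] - start <= window]
            uris = {r[1] for r in inside}
            resources = {r[2] for r in inside if r[2]}
            if len(uris) >= min_uris and len(resources) >= min_resources:
                hits[ip] = (len(uris), len(resources))
                break
    return hits


# Running over the constructed sample flags only the IP that probed four distinct resources.
ALERTS = find_enumeration(parse_events(SAMPLE_AUDIT_LOG))
```

The successful `/version` request and the single failed request from the second IP are ignored, which is the point of requiring both failures and diversity before alerting.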
Categories
  • Kubernetes
Data Sources
  • Kernel
  • Container
  • Network Traffic
ATT&CK Techniques
  • T1613
Created: 2026-02-02