
Summary
This rule detects potential Kubernetes cluster reconnaissance by aggregating Kubernetes audit log events for get/list actions across multiple resource kinds within a one-minute window. It groups events by user.name, source.ip, and user_agent.original, then flags when three or more distinct resource types are accessed in that window. Resources tracked include namespaces, nodes, pods, roles, serviceaccounts, clusterroles, clusterrolebindings, and rolebindings, among others.

The intent is to surface rapid cross-resource discovery that typically precedes privilege escalation or data access, and to distinguish it from routine automation, which tends to touch a narrow set of resources. Both allowed and denied authorizations are included so that the caller's target set and the success or failure of each attempt are visible. The rule renders per-identity and per-source statistics, such as the number of unique resources touched and the enumerated resource types, to help analysts identify unusual discovery patterns. It explicitly excludes localhost and common service accounts or assumed roles that indicate legitimate automation.

MITRE technique mapping: T1613 (Container and Resource Discovery) under Discovery (TA0007). Severity is medium with a risk score of 47. This rule is useful for Kubernetes-focused threat hunting, incident response, and post-incident analysis to determine whether entitlement or workload topology information is being probed by a single client.
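The aggregation the summary describes, written out as an added example rather than the rule's own query: it parses constructed Kubernetes audit events in the native audit-log JSON shape, keeps only get/list actions on tracked resource kinds, drops localhost and kube-system service-account callers, buckets the rest by (user, source IP, user agent, one-minute window), and reports any identity that touched three or more distinct resource kinds together with its allowed/denied counts. The field names used for the parsed record, the exclusion prefixes, and the additional resource kinds beyond those the summary lists are assumptions for the sake of the example.

```python
"""Added example: re-implementation of the rule's aggregation over constructed audit events.
Not the detection rule's own query; field mapping and exclusion list are assumptions."""
import json
from collections import defaultdict
from datetime import datetime

# Resource kinds from the summary plus a few assumed extras ("among others").
TRACKED_RESOURCES = {
    "namespaces", "nodes", "pods", "roles", "serviceaccounts",
    "clusterroles", "clusterrolebindings", "rolebindings",
    "secrets", "configmaps",  # assumed additions
}
DISCOVERY_VERBS = {"get", "list"}
MIN_DISTINCT_RESOURCES = 3
WINDOW_SECONDS = 60

# Stand-ins for the rule's localhost / common service-account exclusions (assumed values).
EXCLUDED_SOURCE_IPS = {"127.0.0.1", "::1"}
EXCLUDED_USER_PREFIXES = ("system:serviceaccount:kube-system:", "system:kube-")


def _ev(user, ip, ua, verb, resource, decision, ts):
    """Build one constructed event in the Kubernetes audit-log shape."""
    return json.dumps({
        "user": {"username": user}, "sourceIPs": [ip], "userAgent": ua, "verb": verb,
        "objectRef": {"resource": resource},
        "annotations": {"authorization.k8s.io/decision": decision},
        "requestReceivedTimestamp": ts,
    })


# Constructed sample audit lines: one human caller sweeping four kinds (one denied),
# one excluded controller, one CI bot touching a single kind, and one out-of-window hit.
SAMPLE_AUDIT_LINES = [
    _ev("dev-user", "10.0.0.5", "kubectl/v1.29.0", "list", "pods", "allow", "2024-05-01T12:00:05Z"),
    _ev("dev-user", "10.0.0.5", "kubectl/v1.29.0", "get", "namespaces", "allow", "2024-05-01T12:00:10Z"),
    _ev("dev-user", "10.0.0.5", "kubectl/v1.29.0", "list", "clusterrolebindings", "forbid", "2024-05-01T12:00:15Z"),
    _ev("dev-user", "10.0.0.5", "kubectl/v1.29.0", "list", "serviceaccounts", "allow", "2024-05-01T12:00:20Z"),
    _ev("system:serviceaccount:kube-system:deployment-controller", "127.0.0.1", "kube-controller-manager",
        "list", "pods", "allow", "2024-05-01T12:00:21Z"),
    _ev("system:serviceaccount:kube-system:deployment-controller", "127.0.0.1", "kube-controller-manager",
        "list", "nodes", "allow", "2024-05-01T12:00:22Z"),
    _ev("system:serviceaccount:kube-system:deployment-controller", "127.0.0.1", "kube-controller-manager",
        "list", "namespaces", "allow", "2024-05-01T12:00:23Z"),
    _ev("ci-bot", "10.0.0.9", "argocd/2.10", "list", "pods", "allow", "2024-05-01T12:00:30Z"),
    _ev("ci-bot", "10.0.0.9", "argocd/2.10", "get", "pods", "allow", "2024-05-01T12:00:40Z"),
    _ev("ci-bot", "10.0.0.9", "argocd/2.10", "watch", "secrets", "allow", "2024-05-01T12:00:41Z"),
    _ev("dev-user", "10.0.0.5", "kubectl/v1.29.0", "list", "nodes", "allow", "2024-05-01T12:05:00Z"),
]


def parse_event(line):
    """Flatten a raw audit-log JSON line into the fields the aggregation needs."""
    raw = json.loads(line)
    return {
        "user": raw["user"]["username"],
        "source_ip": raw["sourceIPs"][0],
        "user_agent": raw.get("userAgent", ""),
        "verb": raw["verb"],
        "resource": raw.get("objectRef", {}).get("resource"),
        "decision": raw.get("annotations", {}).get("authorization.k8s.io/decision", "unknown"),
        "timestamp": raw["requestReceivedTimestamp"],
    }


def is_excluded(ev):
    return ev["source_ip"] in EXCLUDED_SOURCE_IPS or ev["user"].startswith(EXCLUDED_USER_PREFIXES)


def window_start(ts_iso):
    """Floor an RFC 3339 timestamp to the start of its one-minute window (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts_iso.replace("Z", "+00:00")).timestamp())
    return epoch - (epoch % WINDOW_SECONDS)


def aggregate(lines):
    """Group qualifying get/list events by (user, source ip, user agent, window)."""
    buckets = defaultdict(lambda: {"resources": set(), "allowed": 0, "denied": 0})
    for ev in map(parse_event, lines):
        if ev["verb"] not in DISCOVERY_VERBS or ev["resource"] not in TRACKED_RESOURCES:
            continue
        if is_excluded(ev):
            continue
        key = (ev["user"], ev["source_ip"], ev["user_agent"], window_start(ev["timestamp"]))
        b = buckets[key]
        b["resources"].add(ev["resource"])
        b["allowed" if ev["decision"] == "allow" else "denied"] += 1
    return buckets


def find_recon(lines):
    """Return per-identity stats for every bucket that crosses the distinct-resource threshold."""
    hits = []
    for (user, ip, ua, win), b in aggregate(lines).items():
        if len(b["resources"]) >= MIN_DISTINCT_RESOURCES:
            hits.append({
                "user": user, "source_ip": ip, "user_agent": ua, "window_start": win,
                "unique_resources": len(b["resources"]), "resources": sorted(b["resources"]),
                "allowed": b["allowed"], "denied": b["denied"],
            })
    return sorted(hits, key=lambda h: (h["window_start"], h["user"]))


if __name__ == "__main__":
    for hit in find_recon(SAMPLE_AUDIT_LINES):
        print(json.dumps(hit))
```

Only the kubectl caller is reported: the controller is dropped by the exclusion filter, the CI bot touches one kind (its `watch` on secrets is not a get/list), and the later `nodes` lookup falls in a different minute. Tuning is a matter of adjusting the threshold, the tracked kinds, and the exclusion prefixes to the cluster's known automation.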
Categories
- Kubernetes
- Containers
Data Sources
- Application Log
ATT&CK Techniques
- T1613
Created: 2026-04-22