Kubernetes Azure detect sensitive object access

Splunk Security Content

Summary
This detection rule monitors access to sensitive Kubernetes objects, namely secrets and configmaps, in Azure Kubernetes Service (AKS) clusters. It uses the Kubernetes audit log forwarded through Azure diagnostics and filters for audit events whose objectRef.resource is secrets or configmaps and where either the caller is the built-in unauthenticated user system:anonymous or the authorization annotation (authorization.k8s.io/decision) is "allow". From the matching events the search extracts the username, the user's groups, the resource details (resource type, namespace and object name) and the authorization reason annotation, tabulates them and removes duplicate rows so that repeated reads of the same object by the same principal produce a single line of output. Implementation requires installing the Microsoft Cloud Services Add-on and enabling the kube-audit diagnostic category on the cluster so the audit events reach Splunk. Reading secrets and configmaps is not in itself malicious: controllers, operators and workloads do it constantly, so "allow" matches need a baseline of which principals normally read which objects in which namespaces. Matches for system:anonymous deserve attention regardless of the decision, because an unauthenticated request for a secret or configmap is probing even when RBAC denies it.
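The following is an added example, not Splunk's own search or code, that reproduces the detection logic described above in Python over a handful of constructed audit.k8s.io/v1 events. It assumes the raw audit event JSON (one event per line), the standard field names user.username, user.groups, objectRef.resource/namespace/name and the authorization.k8s.io/decision and authorization.k8s.io/reason annotations; the sample log lines, principals, namespaces and object names are made up for the example.

```python
"""Toy re-implementation of the "sensitive object access" detection over
Kubernetes audit events (added example; not Splunk's SPL or add-on code)."""
import json
from dataclasses import dataclass
from typing import Iterable, List

SENSITIVE_RESOURCES = {"secrets", "configmaps"}
ANONYMOUS_USER = "system:anonymous"
DECISION_KEY = "authorization.k8s.io/decision"
REASON_KEY = "authorization.k8s.io/reason"


@dataclass(frozen=True)  # frozen so records are hashable for dedup
class SensitiveAccess:
    username: str
    groups: tuple
    verb: str
    resource: str
    namespace: str
    name: str
    decision: str
    reason: str


def matches(event: dict) -> bool:
    """Filter: sensitive resource AND (anonymous caller OR explicit allow)."""
    resource = (event.get("objectRef") or {}).get("resource")
    if resource not in SENSITIVE_RESOURCES:
        return False
    username = (event.get("user") or {}).get("username", "")
    decision = (event.get("annotations") or {}).get(DECISION_KEY, "")
    return username == ANONYMOUS_USER or decision == "allow"


def extract(event: dict) -> SensitiveAccess:
    """Pull the fields the detection reports; missing fields become ''."""
    user = event.get("user") or {}
    obj = event.get("objectRef") or {}
    ann = event.get("annotations") or {}
    return SensitiveAccess(
        username=user.get("username", ""),
        groups=tuple(user.get("groups") or ()),
        verb=event.get("verb", ""),
        resource=obj.get("resource", ""),
        namespace=obj.get("namespace", ""),
        name=obj.get("name", ""),
        decision=ann.get(DECISION_KEY, ""),
        reason=ann.get(REASON_KEY, ""),
    )


def detect(lines: Iterable[str]) -> List[SensitiveAccess]:
    """Parse, filter and dedup audit log lines, preserving first-seen order."""
    seen, hits = set(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable line: skip it rather than abort the search
        if not matches(event):
            continue
        rec = extract(event)
        if rec in seen:  # same principal/object seen again: drop the duplicate
            continue
        seen.add(rec)
        hits.append(rec)
    return hits


def _event(username, groups, verb, resource, namespace, name, decision, reason,
           stage="ResponseComplete"):
    """Build one constructed audit event line (sample data, not real logs)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": verb, "user": {"username": username, "groups": groups},
        "objectRef": {"resource": resource, "namespace": namespace, "name": name},
        "annotations": {DECISION_KEY: decision, REASON_KEY: reason},
    })


# Constructed sample log: anonymous probe (denied but still flagged), an allowed
# service-account read (flagged) plus its RequestReceived-stage twin (deduped),
# an allowed pod list (not sensitive), a denied configmap read by a named user
# (neither condition), and one garbage line.
SAMPLE_AUDIT_LOG = [
    _event("system:anonymous", ["system:unauthenticated"], "get", "secrets",
           "kube-system", "bootstrap-token-abc123", "forbid", ""),
    _event("system:serviceaccount:prod:app", ["system:serviceaccounts"], "get",
           "secrets", "prod", "db-credentials", "allow",
           "RBAC: allowed by RoleBinding 'app-reader/prod' of Role 'secret-reader'"),
    _event("system:serviceaccount:prod:app", ["system:serviceaccounts"], "get",
           "secrets", "prod", "db-credentials", "allow",
           "RBAC: allowed by RoleBinding 'app-reader/prod' of Role 'secret-reader'",
           stage="RequestReceived"),
    _event("alice@example.com", ["system:authenticated"], "list", "pods",
           "prod", "", "allow", "RBAC: allowed by ClusterRoleBinding 'view-all'"),
    _event("bob@example.com", ["system:authenticated"], "get", "configmaps",
           "prod", "app-config", "forbid", ""),
    "{not json",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LOG):
        print(hit)
```

Running the block prints two records: the anonymous request for the bootstrap token and the service account's allowed read of db-credentials. In a real AKS deployment the audit event typically arrives wrapped inside an Azure diagnostic record rather than as a bare line, and the add-on's field extraction is what exposes user.username and the annotation keys to the search; the filtering and dedup logic above is the part that is independent of that plumbing.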
Categories
  • Kubernetes
  • Cloud
  • Azure
Data Sources
  • Kernel
  • Cloud Service
  • Container
Created: 2024-11-14