
Kubernetes System Principal Accessed from Non-Cloud Public IP

Panther Rules

Summary
This detection rule monitors access to Kubernetes system principals from public IP addresses that are not associated with major cloud providers such as AWS, Azure, or GCP. Kubernetes system principals are service accounts whose usernames begin with 'system:', 'eks:', or 'aks:'. The rule matters because these service accounts are meant to operate only from within the cluster or from legitimate cloud infrastructure; a request by such a principal from an external public IP may indicate that a service account token has been compromised and is being replayed in an unauthorized or malicious access attempt. The rule evaluates audit logs from Amazon EKS, Azure Monitor Activity logs, and GCP Audit Logs to detect this activity.
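The following is an added illustration of the detection logic described above, written in the Panther rule shape (`rule(event)` / `title(event)`); it is not Panther's own implementation. It assumes a Kubernetes audit event as EKS ships it (`user.username`, `sourceIPs`), uses an explicit non-public CIDR list instead of `ipaddress.is_global` so RFC 5737 documentation addresses can serve as constructed samples, and stands in a constructed placeholder range for the providers' published IP lists.

```python
import ipaddress

# Username prefixes that mark Kubernetes system principals (from the rule summary).
SYSTEM_PRINCIPAL_PREFIXES = ("system:", "eks:", "aks:")

# Ranges that are never "public": RFC 1918, loopback, link-local, CGNAT, multicast.
NON_PUBLIC_CIDRS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4", "0.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# CONSTRUCTED placeholder standing in for the AWS/Azure/GCP published IP lists;
# a production rule would load those lists rather than hard-code a documentation range.
CLOUD_PROVIDER_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]


def is_system_principal(username: str) -> bool:
    return username.startswith(SYSTEM_PRINCIPAL_PREFIXES)


def is_non_cloud_public_ip(ip_str: str) -> bool:
    """True when ip_str parses, lies outside every non-public range and outside
    every known cloud-provider range. Comparing a v4 address against a v6
    network simply yields False, so one list can hold both families."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed or missing source; nothing to conclude
    if any(ip in net for net in NON_PUBLIC_CIDRS):
        return False
    return not any(ip in net for net in CLOUD_PROVIDER_CIDRS)


def rule(event: dict) -> bool:
    """Alert when a system principal is used from a non-cloud public IP.
    sourceIPs lists the client plus any proxies, so any public hop triggers."""
    username = event.get("user", {}).get("username", "")
    if not is_system_principal(username):
        return False
    return any(is_non_cloud_public_ip(ip) for ip in event.get("sourceIPs") or [])


def title(event: dict) -> str:
    username = event.get("user", {}).get("username", "<unknown>")
    return f"Kubernetes system principal [{username}] accessed from non-cloud public IP {event.get('sourceIPs')}"


# Constructed sample: a node service account used from an external address
# (203.0.113.45 is an RFC 5737 documentation address, not a real client).
SAMPLE_EVENT = {
    "user": {"username": "system:node:ip-10-0-1-5.ec2.internal"},
    "sourceIPs": ["203.0.113.45"],
}
```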
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Kernel
  • Network Traffic
  • Logon Session
  • Process
ATT&CK Techniques
  • T1190
  • T1528
  • T1021.007
Created: 2026-02-18