
Summary
This detection rule identifies when a container image is successfully pulled in a Kubernetes environment. Adversaries can abuse Kubernetes by deploying malicious containers to run harmful processes or evade security controls. The rule triggers when an image is recorded as pulled during the creation of a pod, which may indicate an unauthorized deployment. The associated logic uses Splunk queries to capture and analyze the relevant application data, focusing on pod creation events to identify successfully pulled images. It extracts the image name and compiles metadata about the event such as the time, host, user details, and IP address. This helps distinguish legitimate image pulls from potentially malicious activity and strengthens security monitoring in Kubernetes environments.
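The extraction step described above, shown as an added Python example rather than the rule's own Splunk search: it filters constructed Kubernetes Event records for Pod events with reason Pulled, parses the image name out of the kubelet message, and flattens the fields a detection would carry. The sample records, the field names and the registry normalisation are assumptions for illustration, and the block also distinguishes a real registry pull from a cache hit, since the kubelet reports both under reason Pulled.

```python
import json
import re
from typing import Dict, List

# Constructed sample Kubernetes Event records (not from a real cluster), shaped as an event
# exporter forwards them. The kubelet uses reason "Pulled" for both real pulls and cache hits.
SAMPLE_EVENTS = [
    json.dumps({"reason": "Pulled", "firstTimestamp": "2024-02-09T10:00:00Z",
                "message": 'Successfully pulled image "docker.io/library/nginx:1.25" in 2.1s',
                "involvedObject": {"kind": "Pod", "namespace": "web", "name": "web-7c9f"},
                "source": {"host": "node-a"}}),
    json.dumps({"reason": "Pulled", "firstTimestamp": "2024-02-09T10:01:00Z",
                "message": 'Container image "busybox:latest" already present on machine',
                "involvedObject": {"kind": "Pod", "namespace": "dev", "name": "bb-1"},
                "source": {"host": "node-b"}}),
    json.dumps({"reason": "Failed", "firstTimestamp": "2024-02-09T10:02:00Z",
                "message": 'Failed to pull image "ghcr.io/example/tool:9.9": not found',
                "involvedObject": {"kind": "Pod", "namespace": "dev", "name": "tool-1"},
                "source": {"host": "node-b"}}),
    json.dumps({"reason": "Pulled", "firstTimestamp": "2024-02-09T10:03:00Z",
                "message": 'Successfully pulled image "ghcr.io/example/miner:1.0" in 5.3s',
                "involvedObject": {"kind": "Pod", "namespace": "default", "name": "job-x"},
                "source": {"host": "node-c"}}),
]

PULLED_RE = re.compile(r'Successfully pulled image "([^"]+)"')
CACHED_RE = re.compile(r'Container image "([^"]+)" already present on machine')

def registry_of(image: str) -> str:
    """Registry of an image reference; a bare name such as busybox:latest means Docker Hub."""
    first = image.split("/", 1)[0]
    return first if "/" in image and ("." in first or ":" in first or first == "localhost") else "docker.io"

def extract_pulled_images(raw_lines: List[str]) -> List[Dict[str, object]]:
    """Keep Pod events with reason Pulled and flatten the fields a detection carries."""
    hits = []
    for line in raw_lines:
        ev = json.loads(line)
        obj = ev.get("involvedObject", {})
        if ev.get("reason") != "Pulled" or obj.get("kind") != "Pod":
            continue
        msg = ev.get("message", "")
        m = PULLED_RE.search(msg) or CACHED_RE.search(msg)
        if m is None:
            continue  # unrecognised message form: do not guess the image name
        hits.append({"time": ev.get("firstTimestamp"), "host": ev.get("source", {}).get("host"),
                     "namespace": obj.get("namespace"), "pod": obj.get("name"), "image": m.group(1),
                     "registry": registry_of(m.group(1)), "fetched": msg.startswith("Successfully")})
    return hits
```

The `registry` field is what an analyst would compare against an approved-registry list when triaging the alert; the Failed event is dropped because the rule only cares about images that actually landed.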
Categories
- Kubernetes
- Containers
Data Sources
- Container
- Image
- Network Traffic
ATT&CK Techniques
- T1610
Created: 2024-02-09