
Summary
This detection rule identifies the creation of Kubernetes NodePort services by analyzing Kubernetes Audit logs. A NodePort service exposes an internal service on a port of every cluster node, reachable from outside the cluster, which can significantly alter the security posture if it is misused or manipulated by unauthorized users. The detection works by filtering Kubernetes Audit logs for entries that record the creation of a service whose type is NodePort. Because this behavior can signal a misconfiguration or an attempt to gain unauthorized access, understanding its context allows Security Operations Centers (SOCs) to act promptly. The detection requires audit logging to be enabled and properly configured in the Kubernetes cluster; it is crucial that the logging is set up correctly, especially when it is integrated with cloud platforms such as AWS EKS, so that the data is collected reliably. Potential risks include data breaches or service disruptions resulting from the unauthorized exposure of internal services.
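The following is an added illustration of the filtering logic described above; it is not the rule's own implementation. It scans constructed `audit.k8s.io/v1` events (one JSON object per line), flags successful `create` requests for `services` whose `spec.type` is `NodePort`, and separately reports service creations whose audit event carries no request body, because an audit policy that logs services at the `Metadata` level only cannot tell NodePort from ClusterIP at all. All event contents and names below are constructed sample data.

```python
import json

# Constructed sample Kubernetes audit events (audit.k8s.io/v1), one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"aaaa-0001","stage":"ResponseComplete","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"services","namespace":"default","name":"web-np"},"requestObject":{"spec":{"type":"NodePort","ports":[{"port":80,"targetPort":8080,"nodePort":30080}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"aaaa-0002","stage":"ResponseComplete","verb":"create","user":{"username":"dev-bob"},"objectRef":{"resource":"services","namespace":"default","name":"web-internal"},"requestObject":{"spec":{"type":"ClusterIP","ports":[{"port":80}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"aaaa-0003","stage":"ResponseStarted","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"services","namespace":"default","name":"web-np"},"requestObject":{"spec":{"type":"NodePort"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"aaaa-0004","stage":"ResponseComplete","verb":"create","user":{"username":"ci-bot"},"objectRef":{"resource":"services","namespace":"staging","name":"forbidden-np"},"requestObject":{"spec":{"type":"NodePort"}},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"aaaa-0005","stage":"ResponseComplete","verb":"create","user":{"username":"dev-carol"},"objectRef":{"resource":"services","namespace":"default","name":"unknown-type"},"responseStatus":{"code":201}}
"""


def classify(ev):
    """Return 'nodeport', 'other', 'unknown', or None for one audit event."""
    # Only the final stage of a successful create of a services object is of interest.
    if ev.get("stage") != "ResponseComplete" or ev.get("verb") != "create":
        return None
    if ev.get("objectRef", {}).get("resource") != "services":
        return None
    code = ev.get("responseStatus", {}).get("code", 0)
    if not 200 <= code < 300:
        return None  # denied or failed request: nothing was exposed
    spec = ev.get("requestObject", {}).get("spec")
    if spec is None:
        return "unknown"  # Metadata-level audit policy: service type was not recorded
    # Kubernetes defaults spec.type to ClusterIP when the field is omitted.
    return "nodeport" if spec.get("type", "ClusterIP") == "NodePort" else "other"


def scan_audit_log(lines):
    """Return (alerts, unknown): NodePort creations, and auditIDs lacking a request body."""
    alerts, unknown = [], []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        kind = classify(ev)
        if kind == "nodeport":
            spec = ev["requestObject"]["spec"]
            alerts.append({
                "auditID": ev.get("auditID"),
                "user": ev.get("user", {}).get("username"),
                "namespace": ev["objectRef"].get("namespace"),
                "name": ev["objectRef"].get("name"),
                "nodePorts": [p["nodePort"] for p in spec.get("ports", []) if "nodePort" in p],
            })
        elif kind == "unknown":
            unknown.append(ev.get("auditID"))
    return alerts, unknown


if __name__ == "__main__":
    found, undetermined = scan_audit_log(SAMPLE_AUDIT_LOG.splitlines())
    print("NodePort services created:", found)
    print("Service creations with no request body (check audit policy):", undetermined)
```

Events in the `unknown` list are the practical check for the audit-policy caveat in the summary: if they appear in production, the policy is not logging service requests at `Request` or `RequestResponse` level and the rule is blind to them.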
Categories
- Kubernetes
- Cloud
- Network
Data Sources
- Kernel
ATT&CK Techniques
- T1204
Created: 2024-11-14