Kubernetes Secrets Enumeration

Sigma Rules

Summary
This detection rule identifies attempts to enumerate Kubernetes secrets. Exposed secrets are a critical security concern because they can lead to significant vulnerabilities if malicious actors gain access to them. The rule monitors API calls made in the Kubernetes environment, looking specifically for the 'list' verb used on the resource type 'secrets'. Each time a listing action occurs, the rule evaluates whether the action signifies a potentially malicious attempt to gather sensitive information stored as Kubernetes secrets. In cloud-native Kubernetes architectures, such enumeration attempts are often indicative of reconnaissance ahead of more severe attacks.
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Kernel
  • Application Log
  • Process
Created: 2024-03-26
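
The matching logic described in the summary, as an added example that is not the rule's own source: it applies the 'list' verb on 'secrets' condition to Kubernetes audit events and groups hits by identity for triage. It assumes the input is JSON-lines audit log output using the standard audit event fields (`verb`, `objectRef.resource`, `user.username`, `sourceIPs`, `responseStatus.code`); the sample events and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample audit events (audit.k8s.io/v1 JSON lines); not real logs.
SAMPLE_AUDIT_LOG = """\
{"verb":"list","user":{"username":"system:serviceaccount:dev:builder"},"sourceIPs":["10.0.3.7"],"objectRef":{"resource":"secrets","namespace":"dev"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"alice"},"sourceIPs":["10.0.1.4"],"objectRef":{"resource":"secrets","namespace":"dev","name":"db-creds"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"alice"},"sourceIPs":["10.0.1.4"],"objectRef":{"resource":"pods","namespace":"dev"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:dev:builder"},"sourceIPs":["10.0.3.7"],"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
not-json garbage line
{"verb":"list","user":{"username":"bob"},"objectRef":null}
"""

def is_secret_list(event):
    """True when the event is a 'list' call on the 'secrets' resource."""
    ref = event.get("objectRef") or {}
    return event.get("verb") == "list" and ref.get("resource") == "secrets"

def find_secret_enumeration(log_text):
    """Return one finding per matching audit event; skip unparseable lines."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict) or not is_secret_list(event):
            continue
        ref = event["objectRef"]
        findings.append({
            "line": line_no,
            "user": (event.get("user") or {}).get("username", "<unknown>"),
            "source_ips": event.get("sourceIPs", []),
            # A list with no namespace is cluster-wide: all namespaces at once.
            "scope": ref.get("namespace") or "<cluster-wide>",
            # Denied attempts (e.g. 403) are kept so triage can see them too.
            "status": (event.get("responseStatus") or {}).get("code"),
        })
    return findings

def count_by_user(findings):
    """Aggregate findings per identity for triage."""
    return Counter(f["user"] for f in findings)

if __name__ == "__main__":
    for f in find_secret_enumeration(SAMPLE_AUDIT_LOG):
        print(f)
```

Controllers and operators that legitimately list secrets will match as well, so the per-identity counts are the natural place to build an allowlist.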