
Summary
Detects read access (get or list) to Kubernetes Secrets in audit logs when the client's user_agent.original matches a curated set of non-standard, scripting-oriented fingerprints (curl, python, wget, Go-http, perl, java, node, php, Kali distributions and similar) and source.ip is populated. The intent is to surface credential access where the client fingerprint does not look like routine kubectl or known controller traffic, which is a strong indicator of an unauthorized secret read.

The rule runs over the kubernetes.audit_logs data stream and matches event.action: (get or list) on kubernetes.audit.objectRef.resource:"secrets" with a suspicious user_agent.original and a populated source.ip. Risk score is 73 with high severity, reflecting a high likelihood of credential exposure when it fires.

Triage guidance covers identity correlation (which user or service account issued the request), the namespace and object that were read, and validation of the network origin. The false-positive section notes that CI/CD and other automation may legitimately read secrets with these same user agents; stable, known pipelines should be excluded, and the safer exclusion key is the identity and source of the pipeline rather than the user agent string alone, since an attacker can set any user agent. Remediation steps are to rotate the exposed secrets, tighten RBAC on the secrets resource, and isolate the offending source. The rule maps to MITRE ATT&CK T1552 (Unsecured Credentials) and T1552.007 (Container API) and includes an investigation guide to support incident response.
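As an added worked example (not part of the rule's own query or the rule package it summarizes), the following Python mirrors the described match logic over constructed audit events and applies an identity-plus-source allowlist for a stable pipeline, which is the false-positive handling the summary recommends. The field names event.dataset, event.action, kubernetes.audit.objectRef.resource, user_agent.original and source.ip are the ones the summary names; the placement of the username under kubernetes.audit.user.username, the user-agent regex, the allowlist entries and every event value are assumptions made for illustration.

```python
"""Replica of the secrets-read detection over constructed Kubernetes audit events."""
import re
from typing import Any, Dict, Iterable, List, Optional

# Fingerprints named in the rule summary. The shipped rule's exact pattern list
# may differ; this regex is an illustrative approximation, anchored at the start
# of the user agent the way scripted clients present themselves, plus a bare
# "kali" substring for Kali-branded browsers and tools.
SUSPICIOUS_UA = re.compile(
    r"^(curl|wget|python|perl|java|node|php|go-http-client)\b|kali",
    re.IGNORECASE,
)

# Hypothetical false-positive exclusion: (username, source.ip) pairs for stable
# CI/CD runners that legitimately read secrets with a scripted client. Keying on
# identity and source, not user agent, keeps an attacker from spoofing their way in.
ALLOWLIST = {("system:serviceaccount:ci:deployer", "10.20.0.15")}


def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve an ECS-style dotted field name against a nested event dict."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_suspicious_user_agent(ua: Optional[str]) -> bool:
    """True when the user agent matches one of the scripted-client fingerprints."""
    return bool(ua) and SUSPICIOUS_UA.search(ua) is not None


def matches_rule(event: Dict[str, Any]) -> bool:
    """Core rule: get/list on secrets from a scripted client with a populated source.ip."""
    return (
        get_field(event, "event.dataset") == "kubernetes.audit_logs"
        and get_field(event, "event.action") in ("get", "list")
        and get_field(event, "kubernetes.audit.objectRef.resource") == "secrets"
        and is_suspicious_user_agent(get_field(event, "user_agent.original"))
        and bool(get_field(event, "source.ip"))
    )


def is_allowlisted(event: Dict[str, Any]) -> bool:
    """Exclusion for known pipelines, keyed on who and from where (assumed field placement)."""
    key = (get_field(event, "kubernetes.audit.user.username"), get_field(event, "source.ip"))
    return key in ALLOWLIST


def evaluate(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one triage record per matching, non-allowlisted event."""
    alerts = []
    for ev in events:
        if matches_rule(ev) and not is_allowlisted(ev):
            alerts.append({
                "user": get_field(ev, "kubernetes.audit.user.username"),
                "source_ip": get_field(ev, "source.ip"),
                "user_agent": get_field(ev, "user_agent.original"),
                "verb": get_field(ev, "event.action"),
                "namespace": get_field(ev, "kubernetes.audit.objectRef.namespace"),
                "secret": get_field(ev, "kubernetes.audit.objectRef.name"),
            })
    return alerts


def make_event(verb, resource, ns, name, user, ua, ip):
    """Build a constructed, nested ECS-shaped event; source.ip is omitted when ip is None."""
    ev = {
        "event": {"dataset": "kubernetes.audit_logs", "action": verb},
        "kubernetes": {"audit": {
            "objectRef": {"resource": resource, "namespace": ns, "name": name},
            "user": {"username": user},
        }},
        "user_agent": {"original": ua},
    }
    if ip is not None:
        ev["source"] = {"ip": ip}
    return ev


# Constructed sample events: only the curl and python-requests reads should alert.
SAMPLE_EVENTS = [
    make_event("get", "secrets", "prod", "db-creds", "alice",
               "kubectl/v1.29.0 (linux/amd64) kubernetes/abcdef0", "10.0.0.5"),
    make_event("get", "secrets", "prod", "db-creds", "dev-user",
               "curl/8.4.0", "203.0.113.10"),
    make_event("list", "secrets", "kube-system", None, "system:serviceaccount:default:default",
               "python-requests/2.31.0", "198.51.100.7"),
    make_event("get", "secrets", "ci", "registry-token", "system:serviceaccount:ci:deployer",
               "curl/8.4.0", "10.20.0.15"),
    make_event("get", "configmaps", "prod", "app-config", "dev-user",
               "curl/8.4.0", "203.0.113.10"),
    make_event("get", "secrets", "prod", "db-creds", "dev-user",
               "Go-http-client/1.1", None),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The kubectl read, the configmap read, the allowlisted CI runner and the Go-http-client event without a source.ip all fall through, leaving the two scripted reads as alerts; each alert carries the identity, origin, namespace and object the triage guidance asks for.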
Categories
- Kubernetes
Data Sources
- Application Log
ATT&CK Techniques
- T1552
- T1552.007
Created: 2026-04-22