
Summary
This detection rule monitors Kubernetes environments on Azure for rare and potentially suspicious `kubectl` calls. It uses Kubernetes audit logs to identify unusual access patterns that could indicate malicious activity. By analyzing the `userAgent`, `sourceIPs`, and Kubernetes object references in each audit event, it surfaces access that does not match typical usage, specifically `kubectl` commands issued from non-local source IPs against sensitive Kubernetes objects such as configmaps or secrets. Splunk's `rare` command is used to flag the least frequent of these access patterns for further investigation while leaving routine Kubernetes operations unimpeded. The rule requires the Microsoft Cloud Services Add-on to be installed and the Kube-Audit diagnostic log category to be properly configured in order to function.
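The filtering and rarity logic the summary describes, shown as an added stand-alone Python example rather than the Splunk search itself. It parses a few constructed kube-audit records (real field names from the Kubernetes audit event schema, invented values), keeps only `kubectl` calls from non-local source IPs that touch configmaps or secrets, and approximates Splunk's `rare` command with a frequency count over the distinct access patterns. The definition of "local" (loopback, RFC 1918, link-local and IPv6 ULA space) and the rarity threshold are assumptions of this example, not settings taken from the rule.

```python
"""Added example: re-implementation of the rule's filters and a `rare`-style count
over constructed kube-audit records. Not the Splunk rule; assumptions are marked."""
import ipaddress
import json
from collections import Counter

# Kubernetes objects the rule singles out.
SENSITIVE_RESOURCES = {"configmaps", "secrets"}

# Assumption: "local" source IPs are loopback, RFC 1918, link-local and IPv6 ULA space.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7")]


def _event(agent, ips, verb, resource, namespace, name="", user="alice"):
    """Build a minimal kube-audit record (real field names, constructed values)."""
    ref = {"resource": resource, "namespace": namespace}
    if name:
        ref["name"] = name
    return {"kind": "Event", "stage": "ResponseComplete", "verb": verb,
            "user": {"username": user}, "userAgent": agent,
            "sourceIPs": ips, "objectRef": ref}


# Constructed sample log: one JSON record per line, plus one malformed line.
KUBECTL = "kubectl/v1.30.0 (linux/amd64)"
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps(_event(KUBECTL, ["10.0.0.5"], "get", "secrets", "default", "app-db")),
    *[json.dumps(_event(KUBECTL, ["203.0.113.7"], "get", "secrets", "default",
                        "app-db", "ci-bot")) for _ in range(3)],
    json.dumps(_event(KUBECTL, ["198.51.100.23"], "get", "secrets", "kube-system",
                      "bootstrap-token")),
    json.dumps(_event(KUBECTL, ["198.51.100.23"], "list", "configmaps", "kube-system")),
    json.dumps(_event("kube-controller-manager/v1.30.0", ["203.0.113.7"], "get",
                      "secrets", "default", "app-db", "system:kube-controller-manager")),
    json.dumps(_event(KUBECTL, ["198.51.100.40"], "get", "pods", "default", "web-0")),
    "not json at all",
])


def parse_audit_lines(text):
    """Parse JSON-lines audit output, skipping lines that are not well-formed records."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "userAgent" in rec:
            events.append(rec)
    return events


def is_local_ip(ip):
    """True when the address falls in one of the assumed local ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable address: keep the event visible rather than drop it
    return any(addr in net for net in LOCAL_NETS)


def candidate_events(events):
    """The rule's filters: kubectl user agent, a non-local source IP, sensitive object."""
    out = []
    for e in events:
        if not e.get("userAgent", "").startswith("kubectl/"):
            continue
        if e.get("objectRef", {}).get("resource") not in SENSITIVE_RESOURCES:
            continue
        if not any(not is_local_ip(ip) for ip in e.get("sourceIPs", [])):
            continue
        out.append(e)
    return out


def access_key(e):
    """Fields that together define one access pattern (the grouping `rare` runs over)."""
    ref = e.get("objectRef", {})
    return (e.get("user", {}).get("username", ""), e["userAgent"],
            tuple(e.get("sourceIPs", [])), e.get("verb", ""),
            ref.get("resource", ""), ref.get("namespace", ""), ref.get("name", ""))


def rare_accesses(events, max_count=1):
    """Approximate Splunk `rare`: keep access patterns seen at most max_count times."""
    counts = Counter(access_key(e) for e in candidate_events(events))
    return sorted((k, n) for k, n in counts.items() if n <= max_count)


if __name__ == "__main__":
    for key, n in rare_accesses(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        user, agent, ips, verb, resource, ns, name = key
        print(f"rare: {user} via {agent} from {ips} {verb} {resource} {ns}/{name} (x{n})")
```

On the sample data the three repeated `ci-bot` reads of the same secret are kept by the filters but dropped by the rarity count, the loopback/private-range `kubectl` call and the non-`kubectl` controller-manager access never reach the count, and the two single accesses from `198.51.100.23` against `kube-system` are what an analyst would be asked to review.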
Categories
- Kubernetes
- Cloud
- Azure
Data Sources
- Kernel
- Process
- Network Traffic
Created: 2024-11-14