
Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers
Elastic Detection Rules
Summary
This rule, authored by Elastic, is designed to detect potential unauthorized access to the Kubelet API in Kubernetes environments by monitoring process arguments for HTTP requests targeting the Kubelet API (typically accessed on port 10250). Attackers may use these requests to execute commands, enumerate resources, or probe the cluster for vulnerabilities, leading to lateral movement. The detection focuses on processes initiated within Linux containers that attempt to access Kubelet API endpoints. The rule facilitates the identification of compromised workloads that may be attempting to exploit the Kubelet for further access or control within the cluster. The investigation guide provides steps to analyze incidents where this rule triggers, outlining how to reconstruct requests, examine audit logs, and determine whether the access is legitimate or malicious. The severity of detected events is rated as medium, with a risk score of 47. The overall approach encourages timely response to potential threats, with specific recommendations for containment and remediation actions.
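The following is an added illustration of the detection idea described above, written for this page and not Elastic's own rule logic: it tokenizes a process's argument string, looks for an HTTP client inside a Linux container whose arguments carry a URL on port 10250, and reports the endpoint hit. The client names, the Kubelet endpoint prefixes and the sample events are assumptions constructed for the example.

```python
import re
import shlex

# Port 10250 is the Kubelet port the page names; the endpoint prefixes and the
# client names below are assumptions for illustration, not the rule's own list.
KUBELET_PORT = 10250
KUBELET_PATHS = ("/pods", "/runningpods", "/run", "/exec", "/stats",
                 "/metrics", "/logs", "/healthz")
HTTP_CLIENTS = {"curl", "wget"}

# host:port[/path] with an optional scheme, so a bare "10.0.1.5:10250/pods" also matches
URL_RE = re.compile(
    r"^(?:https?://)?(?P<host>\[[^\]]+\]|[^/:\s]+):(?P<port>\d+)(?P<path>/[^\s?#]*)?",
    re.IGNORECASE)

def parse_url(token):
    """Return (host, port, path) if the token looks like a URL, else None."""
    m = URL_RE.match(token)
    if not m:
        return None
    return m.group("host"), int(m.group("port")), m.group("path") or "/"

def kubelet_access_match(event):
    """Mirror the rule's idea: an HTTP client inside a Linux container whose
    arguments carry a URL on the Kubelet port. Returns a match dict or None."""
    if event.get("os") != "linux" or not event.get("in_container"):
        return None
    try:
        argv = shlex.split(event.get("args", ""))
    except ValueError:  # unbalanced quotes: cannot tokenize safely
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in HTTP_CLIENTS:
        return None
    for tok in argv[1:]:
        parsed = parse_url(tok)
        if parsed and parsed[1] == KUBELET_PORT and parsed[2].startswith(KUBELET_PATHS):
            return {"process": argv[0], "host": parsed[0], "port": parsed[1], "path": parsed[2]}
    return None

def scan(events):
    """Run the matcher over a list of process events and return the hits."""
    return [m for m in map(kubelet_access_match, events) if m]

SAMPLE_EVENTS = [  # constructed sample process events, not real telemetry
    {"os": "linux", "in_container": True, "args": "curl -sk https://10.0.1.5:10250/pods"},
    {"os": "linux", "in_container": True, "args": "/usr/bin/curl -sk 10.0.1.5:10250/stats/summary"},
    {"os": "linux", "in_container": False, "args": "curl -s http://127.0.0.1:10250/metrics"},  # node agent, not a container
    {"os": "linux", "in_container": True, "args": "wget -qO- https://registry.internal:443/v2/"},
]
```

Only the two container-originated requests to port 10250 are reported; the node-level scrape of /metrics and the registry call on port 443 are left alone, which is the kind of legitimate traffic the investigation guide asks you to rule out.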
Categories
- Kubernetes
- Containers
- Linux
Data Sources
- Container
- Process
ATT&CK Techniques
- T1059
- T1059.004
- T1613
Created: 2026-02-02