
Kubernetes All Secrets Dumped Across Namespaces

Panther Rules

Summary
This rule detects potential credential theft in Kubernetes environments by monitoring for cluster-wide secret listing operations. A principal with permission to list secrets at the cluster scope can issue a LIST call on the secrets resource ("/api/v1/secrets"), which returns every secret in every namespace, including passwords, tokens, and configuration details. This technique is publicly documented by Stratus Red Team and represents a significant security risk, since a single call can yield mass exfiltration of credentials. The detection covers Kubernetes audit logs from multiple cloud providers, including Amazon EKS, Azure MonitorActivity, and GCP AuditLog. Remediation steps include immediate investigation of the user's activity, rotation of the exposed credentials, and analysis of any other suspicious API interactions by the same principal.
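The detection logic above, written as a Panther-style rule over constructed Kubernetes audit events (this is an added example for this page, not Panther's published rule; it assumes audit.k8s.io/v1 Event records as EKS forwards them to CloudWatch, and the sample events are made up):

```python
# Panther-style rule function for the cluster-wide secret LIST described above.
# Hypothetical example written for this page; it is not Panther's own rule code.
# Assumes audit.k8s.io/v1 Event records as EKS ships them to CloudWatch.

def rule(event: dict) -> bool:
    """True when a caller successfully LISTed secrets across all namespaces."""
    # Each request appears twice (RequestReceived, ResponseComplete); alert once.
    if event.get("stage", "ResponseComplete") != "ResponseComplete":
        return False
    if event.get("verb") != "list":
        return False
    obj = event.get("objectRef") or {}
    if obj.get("resource") != "secrets":
        return False
    # A namespaced LIST carries objectRef.namespace; /api/v1/secrets omits it.
    if obj.get("namespace"):
        return False
    # Only a 2xx response actually exposed data; a 403 is RBAC working as intended.
    code = (event.get("responseStatus") or {}).get("code", 0)
    return 200 <= code < 300


def title(event: dict) -> str:
    """Alert title naming the principal and its source address."""
    user = (event.get("user") or {}).get("username", "<unknown>")
    ips = ", ".join(event.get("sourceIPs") or ["<unknown>"])
    return f"[Kubernetes] {user} listed secrets across all namespaces from {ips}"


# Constructed sample events (not real logs); only the first should alert.
SAMPLE_EVENTS = [
    {"stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/secrets",
     "objectRef": {"resource": "secrets"}, "user": {"username": "dev-sa"},
     "sourceIPs": ["10.0.3.7"], "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "list",
     "requestURI": "/api/v1/namespaces/app/secrets",
     "objectRef": {"resource": "secrets", "namespace": "app"},
     "user": {"username": "app-deployer"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/secrets",
     "objectRef": {"resource": "secrets"}, "user": {"username": "viewer"},
     "responseStatus": {"code": 403}},
    {"stage": "RequestReceived", "verb": "list", "requestURI": "/api/v1/secrets",
     "objectRef": {"resource": "secrets"}, "user": {"username": "dev-sa"}},
]


def matching_titles(events: list) -> list:
    """Run the rule over a batch and return alert titles for the matches."""
    return [title(e) for e in events if rule(e)]
```

The namespaced LIST, the denied (403) attempt, and the RequestReceived half of the successful call are all deliberately excluded so that one successful cluster-wide read produces exactly one alert.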
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Pod
  • Container
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1552.007
  • T1530
Created: 2026-02-18