
Summary
The Kubernetes Suspicious Self-Subject Review detection rule identifies unusual API calls in which non-human identities, specifically service accounts and nodes, enumerate their own privileges through the selfsubjectaccessreview and selfsubjectrulesreview APIs. This behavior is considered highly suspicious and often indicates a compromised identity within a Kubernetes cluster. The rule is built on Kubernetes audit log data and detects privileged access attempts that do not align with normal operational behavior. False positives may arise from legitimate administrative actions or automated processes within the cluster. The investigation guide provided with the rule outlines steps to analyze alert triggers, assess potential false positives, and carry out recommended response actions. It urges immediate isolation of compromised accounts, a thorough review of audit logs, and enhancements to monitoring practices and Kubernetes RBAC policies to mitigate the risks of privilege abuse.
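The following is an added example of the detection logic described above, written here for illustration; it is not the rule's own query. It assumes the Kubernetes audit backend is writing standard audit.k8s.io/v1 Event records as JSON lines (fields such as verb, user.username, objectRef.resource and stage), and the sample log lines are constructed for this example. A request is flagged when a principal whose username carries the system:serviceaccount: or system:node: prefix creates a selfsubjectaccessreviews or selfsubjectrulesreviews object; human users running kubectl auth can-i are deliberately excluded.

```python
import json
from typing import Dict, Iterable, List

# objectRef.resource values for the two self-review APIs (group authorization.k8s.io).
SELF_REVIEW_RESOURCES = {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}

# Username prefixes Kubernetes assigns to non-human principals.
NON_HUMAN_PREFIXES = ("system:serviceaccount:", "system:node:")


def is_non_human(username: str) -> bool:
    """True for service accounts and kubelet node identities."""
    return username.startswith(NON_HUMAN_PREFIXES)


def is_suspicious_self_review(event: Dict) -> bool:
    """True when a service account or node creates a self-review request."""
    # Only count the final stage so one request is not reported twice
    # (the audit backend also emits a RequestReceived record).
    if event.get("kind") != "Event" or event.get("stage") != "ResponseComplete":
        return False
    if event.get("verb") != "create":
        return False
    obj = event.get("objectRef") or {}
    if obj.get("apiGroup") != "authorization.k8s.io":
        return False
    if obj.get("resource") not in SELF_REVIEW_RESOURCES:
        return False
    username = (event.get("user") or {}).get("username", "")
    return is_non_human(username)


def find_suspicious_self_reviews(lines: Iterable[str]) -> List[Dict]:
    """Scan JSON-lines audit records and return a summary of each matching event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        if is_suspicious_self_review(event):
            hits.append({
                "user": event["user"]["username"],
                "resource": event["objectRef"]["resource"],
                "sourceIPs": event.get("sourceIPs", []),
                "time": event.get("requestReceivedTimestamp"),
            })
    return hits


# Constructed sample audit log (not real cluster data).
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"create","user":{"username":"system:serviceaccount:default:webapp"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"selfsubjectrulesreviews","apiGroup":"authorization.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2024-01-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:webapp"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"selfsubjectrulesreviews","apiGroup":"authorization.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2024-01-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:node:worker-1"},"sourceIPs":["10.0.0.11"],"objectRef":{"resource":"selfsubjectaccessreviews","apiGroup":"authorization.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2024-01-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"selfsubjectaccessreviews","apiGroup":"authorization.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2024-01-01T10:06:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:webapp"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"pods","apiGroup":"","apiVersion":"v1"},"requestReceivedTimestamp":"2024-01-01T10:07:00.000000Z"}
this line is not valid json and should be skipped
"""


def demo() -> List[Dict]:
    """Run the detector over the constructed sample; expects two hits."""
    return find_suspicious_self_reviews(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Restricting the match to the ResponseComplete stage is what keeps one request from producing two alerts, and the human user alice is left out because an administrator checking their own permissions is exactly the kind of legitimate activity the summary lists as a false-positive source. In a real deployment the hits would be enriched with the pod or node that owns the identity before triggering the isolation steps the investigation guide recommends.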
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Kernel
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1613
Created: 2022-06-30