
Summary
This detection rule identifies unusual user access to Kubernetes Secrets, the Kubernetes object type that stores sensitive data such as passwords and tokens. Using Kubernetes Audit logs, it tracks unauthorized or abnormal access attempts by user name and generates an alert when a user not present in an allowed users list attempts to access Secrets. Audit logging must be enabled, with a policy that records Secrets access, for this detection to work. The rule helps SOC teams recognize potential breaches that could lead to unauthorized access to critical information or systems. Organizations should configure audit policies to capture the relevant activity and use a log collection tool such as the Splunk OpenTelemetry Collector for Kubernetes to ship the events.
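The logic described above, as an added illustration that is not the rule's own search: it reads Kubernetes audit Events (one JSON object per line), keeps only Secrets reads, and reports every user not on the allowed list. The allowed user names, the audit lines and the field subset are constructed for this example; it also de-duplicates the RequestReceived/ResponseComplete pair the audit backend emits per request and surfaces denied (403) attempts alongside successful ones.

```python
import json

# Allowed users (constructed for this example; the real list would hold the
# cluster's known controllers and operators). These names are assumptions.
ALLOWED_USERS = {
    "system:serviceaccount:kube-system:generic-garbage-collector",
    "system:serviceaccount:monitoring:otel-collector",
}

# Verbs whose response carries secret data; list/watch return full objects too.
READ_VERBS = {"get", "list", "watch"}
def flag_secret_access(audit_lines, allowed_users=ALLOWED_USERS):
    """Return (username, namespace, name, verb, http_code) for each Secrets
    access by a user outside allowed_users. Input: one audit Event JSON per line."""
    hits = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the search
        # Each request logs RequestReceived and ResponseComplete; keep only the
        # latter so one access does not produce two alerts.
        if ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "secrets" or ev.get("verb") not in READ_VERBS:
            continue
        user = (ev.get("user") or {}).get("username", "")
        if user in allowed_users:
            continue
        code = (ev.get("responseStatus") or {}).get("code")
        # A 403 is still an attempt worth surfacing: it shows who is probing.
        hits.append((user, ref.get("namespace", ""), ref.get("name", ""), ev["verb"], code))
    return hits
# Constructed sample audit events (abbreviated to the fields the rule uses).
SAMPLE_AUDIT = """
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:monitoring:otel-collector"},"objectRef":{"resource":"secrets","namespace":"monitoring","name":"otel-token"},"responseStatus":{"code":200}}
{"stage":"RequestReceived","verb":"get","user":{"username":"jane@example.com"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-credentials"}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"jane@example.com"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-credentials"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"jane@example.com"},"objectRef":{"resource":"configmaps","namespace":"prod","name":"app-config"},"responseStatus":{"code":200}}
"""

if __name__ == "__main__":
    for hit in flag_secret_access(SAMPLE_AUDIT.splitlines()):
        print("ALERT: Secrets access by user outside the allowed list:", hit)
```

Running it reports the two non-allowlisted Secrets accesses (one successful get, one denied list) and ignores the allowed collector, the duplicate RequestReceived stage and the ConfigMap read.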
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Kernel
ATT&CK Techniques
- T1552.007
Created: 2024-11-14