GCP Kubernetes cluster scan detection

Splunk Security Content

Summary
This detection rule is designed to identify potential unauthorized or unauthenticated scanning activity against Google Kubernetes Engine (GKE) clusters. It detects events where unauthenticated requests are made to the Kubernetes API, specifically requests that are blocked for lack of permissions, as indicated by the messages in the protoPayload. The rule leverages data from Google Cloud Pub/Sub messages to filter for relevant events, checking for unauthorized access attempts from IP addresses other than the localhost. The criteria for triggering this alert include the presence of certain error messages (such as 'PERMISSION_DENIED') and requests made by the 'system:anonymous' user. It aggregates the findings by source IP and cluster name, reporting the request methods, resource names, and user agents associated with the potential unauthorized access. By analyzing the frequency and source of these requests, security teams can determine whether the scanning activity is a legitimate concern that warrants further investigation.
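As an added illustration (not the Splunk rule's own SPL, which this page does not reproduce), the following Python applies the criteria the summary describes to constructed GKE audit-log messages and aggregates the hits by source IP and cluster. The field paths (protoPayload.authenticationInfo.principalEmail, requestMetadata.callerIp, status.message, resource.labels.cluster_name) are assumed from the standard Cloud Audit Log schema, and all sample values are made up.

```python
import json
from collections import defaultdict

LOCALHOST = {"127.0.0.1", "::1"}  # the rule ignores requests originating from the node itself

def _entry(ip, cluster, principal, method, resource, status, ua):
    # Constructed Cloud Audit Log entry in the shape GKE publishes to Pub/Sub (sample data only)
    return json.dumps({
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": cluster}},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua},
            "methodName": method, "resourceName": resource, "status": {"message": status},
        },
    })

# Constructed messages: two anonymous denied requests from one external IP (alert), one from localhost and one authenticated request (ignored)
SAMPLE_MESSAGES = [
    _entry("203.0.113.7", "prod-gke", "system:anonymous", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/default/pods", "PERMISSION_DENIED", "curl/8.4.0"),
    _entry("203.0.113.7", "prod-gke", "system:anonymous", "io.k8s.core.v1.secrets.list",
           "core/v1/secrets", "PERMISSION_DENIED", "python-requests/2.31"),
    _entry("127.0.0.1", "prod-gke", "system:anonymous", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/default/pods", "PERMISSION_DENIED", "kube-probe/1.30"),
    _entry("198.51.100.5", "prod-gke", "dev@example.com", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/default/pods", "", "kubectl/v1.30"),
]

def matches_rule(entry):
    # The page's criteria: anonymous principal, PERMISSION_DENIED status, caller not localhost
    pp = entry.get("protoPayload", {})
    principal = pp.get("authenticationInfo", {}).get("principalEmail")
    caller_ip = pp.get("requestMetadata", {}).get("callerIp", "")
    status = pp.get("status", {}).get("message", "")
    return principal == "system:anonymous" and "PERMISSION_DENIED" in status and caller_ip not in LOCALHOST

def aggregate_scans(messages):
    # Group matching events by (source IP, cluster) and collect methods, resource names and user agents
    findings = defaultdict(lambda: {"count": 0, "methods": set(), "resources": set(), "user_agents": set()})
    for raw in messages:
        entry = json.loads(raw)
        if matches_rule(entry):
            pp = entry["protoPayload"]
            key = (pp["requestMetadata"]["callerIp"], entry["resource"]["labels"].get("cluster_name", "unknown"))
            f = findings[key]
            f["count"] += 1
            f["methods"].add(pp.get("methodName", ""))
            f["resources"].add(pp.get("resourceName", ""))
            f["user_agents"].add(pp["requestMetadata"].get("callerSuppliedUserAgent", ""))
    return dict(findings)
```

Running `aggregate_scans(SAMPLE_MESSAGES)` yields a single finding for 203.0.113.7 on prod-gke with two distinct methods and user agents, while the localhost probe and the authenticated request are dropped.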
Categories
  • Cloud
  • Kubernetes
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1526
Created: 2024-11-14