
Kubernetes Secret Access via Unusual User Agent

Elastic Detection Rules

Summary
This rule detects potential credential access against Kubernetes secrets by watching the Kubernetes audit log data stream (logs-kubernetes.audit_logs-*) for get or list requests on the secrets resource that come from an unusual client. The base filter is kubernetes.audit.objectRef.resource:"secrets" and kubernetes.audit.verb:("get" or "list"); it then excludes requests whose user_agent.original is the standard Kubernetes client string kubernetes/$Format, so only non-standard clients remain.

On top of that filter the rule is a new_terms rule over source.ip, user.name and user_agent.original with a 7-day history window: an alert fires only when this combination of source IP, user and client user agent has not been seen reading secrets during the preceding seven days. The rule uses event.ingested rather than @timestamp as its timestamp reference, so audit events that arrive late are still evaluated when they are ingested.

MITRE ATT&CK maps this to T1552.007 (Container API) under T1552 Unsecured Credentials in the Credential Access tactic (TA0006). Severity is low, with a risk_score of 21: a first-seen secret read by an unfamiliar client is an indicator of possible post-compromise activity, not proof of theft. The signal is most useful for spotting an attacker who has obtained cluster access and enumerates secrets to pivot or escalate, which can lead to data exposure or privilege escalation within the cluster.

False positives come from legitimate automation and tooling that uses a non-standard user agent, for example CI pipelines, operators, secret-syncing tools, or an engineer running kubectl from a new host for the first time; tuning for environment-specific clients and integrations may be required. Note that the user-agent check is only a filter, not a control: a client that sets its user agent to exactly kubernetes/$Format is excluded by the base query and never reaches the new_terms stage, so the rule should be read as one focused signal around credential access attempts against Kubernetes secrets through the container API in cloud-hosted Kubernetes deployments, not as complete coverage of secret reads.
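The base filter and the new_terms stage described above, replayed over a handful of constructed audit events, as an added Python example written for this page. It is not Elastic's rule code and does not read Elastic's rule file; the flattened ECS-style field names, the sample events, and the simple "unseen in the preceding 7 days" replay of the history window are this example's own assumptions.

```python
"""Reference replay of the rule's logic over constructed audit events.

Added example for this page, not Elastic's implementation. Events are
dicts keyed by flattened ECS field names (an assumption; Elastic stores
them as nested objects). The index pattern logs-kubernetes.audit_logs-*
is assumed to have already selected the data stream.
"""
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=7)
NEW_TERMS_FIELDS = ("source.ip", "user.name", "user_agent.original")
STANDARD_UA = "kubernetes/$Format"


def matches_base_query(ev):
    """Rule's base filter: get/list on the secrets resource from a non-standard UA."""
    return (
        ev.get("kubernetes.audit.objectRef.resource") == "secrets"
        and ev.get("kubernetes.audit.verb") in ("get", "list")
        and ev.get("user_agent.original") != STANDARD_UA
    )


def _ingested(ev):
    return datetime.fromisoformat(ev["event.ingested"].replace("Z", "+00:00"))


def new_terms_alerts(events, window=HISTORY_WINDOW):
    """Replay events in event.ingested order and emit one alert for each
    (source.ip, user.name, user_agent.original) tuple that has not appeared
    in a matching event during the preceding `window`.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=_ingested):
        if not matches_base_query(ev):
            continue  # standard UA or a non-read verb: never reaches new_terms
        ts = _ingested(ev)
        key = tuple(ev.get(f) for f in NEW_TERMS_FIELDS)
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append({"terms": dict(zip(NEW_TERMS_FIELDS, key)),
                           "event.ingested": ev["event.ingested"]})
        last_seen[key] = ts
    return alerts


def _ev(ingested, user, ip, ua, verb, resource="secrets"):
    return {"event.ingested": ingested, "user.name": user, "source.ip": ip,
            "user_agent.original": ua, "kubernetes.audit.verb": verb,
            "kubernetes.audit.objectRef.resource": resource}


KUBECTL_UA = "kubectl/v1.29.2 (linux/amd64) kubernetes/abc1234"

# Constructed sample audit events (not real cluster data).
SAMPLE_EVENTS = [
    # in-cluster component with the standard UA: excluded by the base filter
    _ev("2024-05-01T08:00:00Z", "system:kube-controller-manager", "10.0.0.1",
        STANDARD_UA, "get"),
    # first kubectl read of secrets by alice from this host: alerts (benign)
    _ev("2024-05-01T09:00:00Z", "alice", "10.0.0.5", KUBECTL_UA, "get"),
    # same tuple one day later: inside the window, no alert
    _ev("2024-05-02T09:00:00Z", "alice", "10.0.0.5", KUBECTL_UA, "list"),
    # create is not get/list: ignored
    _ev("2024-05-03T10:00:00Z", "alice", "10.0.0.5", KUBECTL_UA, "create"),
    # a pod's service account listing secrets with a scripting client: alerts
    _ev("2024-05-03T11:30:00Z", "system:serviceaccount:default:web",
        "10.244.1.7", "python-requests/2.31.0", "list"),
    # same principal spoofing the standard UA: silently excluded (the caveat)
    _ev("2024-05-03T12:00:00Z", "system:serviceaccount:default:web",
        "10.244.1.7", STANDARD_UA, "get"),
    # alice again after more than 7 days of silence: the tuple is "new" again
    _ev("2024-05-12T09:00:00Z", "alice", "10.0.0.5", KUBECTL_UA, "get"),
]

if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields three alerts: alice's first read, the service account's python-requests listing, and alice's read ten days later, because new_terms considers a tuple new whenever it is absent from the history window, not only the very first time it appears. The spoofed kubernetes/$Format event produces nothing, which is why the user-agent exclusion should be treated as noise reduction rather than a security boundary.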
Categories
  • Kubernetes
  • Cloud
Data Sources
  • Application Log
ATT&CK Techniques
  • T1552
  • T1552.007
Created: 2026-03-26