Kubectl Network Configuration Modification

Elastic Detection Rules

Summary
This detection rule covers potentially malicious use of the `kubectl` command, specifically invocations that modify network configuration in Kubernetes environments. It monitors process events on Linux hosts and fires when `kubectl` executes with arguments such as `port-forward`, `proxy`, or `expose`, which can indicate unauthorized changes. Such changes may signal an attacker attempting to gain unauthorized access to, or exfiltrate data from, the cluster. The rule evaluates events within a defined timeframe so that it captures the relevant executions while minimizing noise from benign administrative use. It is part of the Elastic ecosystem and integrates with Elastic Defend, and it can consume process data from sources including CrowdStrike and SentinelOne. To be effective, it requires the Elastic Agent to be properly set up on the monitored Linux hosts. The risk score is rated low (21), reflecting its role in proactive threat detection rather than immediate response.
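The matching logic described above, written out as a small stand-alone detector so the behaviour can be checked against sample events. This is an added example, not the Elastic rule's own query or code: the event shape, the `VALUE_FLAGS` subset of kubectl global flags, and the sample process events are all constructed assumptions. It identifies the kubectl subcommand by skipping leading global flags (so `-n prod port-forward` is still recognised) and only alerts when that subcommand is one of `port-forward`, `proxy` or `expose`, which avoids false positives on commands like `kubectl get svc proxy`.

```python
"""Toy detector for 'kubectl used to modify network configuration'.

Flags Linux process-start events where the executable is kubectl and the
subcommand is port-forward, proxy or expose.  Sample events are constructed
for illustration; the event fields are a simplified shape, not ECS.
"""

import os
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subcommands the rule treats as network-configuration changes (from the rule summary).
NETWORK_SUBCOMMANDS = {"port-forward", "proxy", "expose"}

# Global kubectl flags that take their value as the *next* token when written
# without '='.  Assumption: a hand-picked subset, not the complete kubectl list.
VALUE_FLAGS = {"-n", "--namespace", "--kubeconfig", "--context", "--cluster",
               "--user", "-s", "--server", "--token"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal constructed process event: who ran what, where, and when."""
    timestamp: str
    host: str
    user: str
    command_line: str


def kubectl_subcommand(command_line: str) -> Optional[str]:
    """Return the kubectl subcommand for a command line, or None when the
    process is not kubectl or no subcommand can be located."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return None  # unbalanced quoting: unparseable, leave to other rules
    if not argv or os.path.basename(argv[0]) != "kubectl":
        return None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_FLAGS:
            i += 2            # flag plus its separate value token
            continue
        if tok.startswith("-"):
            i += 1            # boolean flag or --flag=value form
            continue
        return tok            # first positional token is the subcommand
    return None


def detect(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """Apply the rule: one alert per event whose kubectl subcommand is in
    NETWORK_SUBCOMMANDS.  Returns alerts as plain dicts for easy assertion."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        sub = kubectl_subcommand(ev.command_line)
        if sub in NETWORK_SUBCOMMANDS:
            alerts.append({
                "timestamp": ev.timestamp,
                "host": ev.host,
                "user": ev.user,
                "subcommand": sub,
                "command_line": ev.command_line,
            })
    return alerts


# Constructed sample events: three should alert, three should not.
SAMPLE_EVENTS = [
    ProcessEvent("2025-06-19T10:00:01Z", "build-01", "ci", "kubectl get pods -n prod"),
    ProcessEvent("2025-06-19T10:00:05Z", "build-01", "ci",
                 "/usr/local/bin/kubectl -n prod port-forward svc/db 5432:5432"),
    ProcessEvent("2025-06-19T10:00:09Z", "jump-02", "dev",
                 "kubectl --kubeconfig=/tmp/kc proxy --port=8001"),
    ProcessEvent("2025-06-19T10:00:12Z", "jump-02", "dev",
                 "kubectl expose deployment web --port=80 --type=LoadBalancer"),
    ProcessEvent("2025-06-19T10:00:15Z", "jump-02", "dev", "kubectl get svc proxy -o yaml"),
    ProcessEvent("2025-06-19T10:00:20Z", "jump-02", "dev", "ssh node1 kubectl proxy"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['timestamp']} {alert['host']} {alert['user']}: "
              f"{alert['subcommand']} <- {alert['command_line']}")
```

Running the file prints one line per alert (the `port-forward`, `proxy` and `expose` events), while the `get` invocations and the command run under `ssh` are left alone because the rule keys on the kubectl process itself, not on text appearing anywhere in the arguments.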
Categories
  • Containers
  • Endpoint
  • Kubernetes
  • Linux
Data Sources
  • Process
  • Sensor Health
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1572
  • T1090
Created: 2025-06-19