
Summary
This detection rule tracks the creation of Kubernetes pods in the default namespaces: 'default', 'kube-system', and 'kube-public'. Using Kubernetes audit logs, it identifies pod creation events, which can be key indicators of malicious activity. Pod creation in these namespaces matters because an unauthorized creation might indicate an attempted security breach, privilege escalation, or a malicious actor trying to obscure their activity. The rule aggregates data on created pods, including the pod's name, namespace, request timeline, response status, source IP addresses, and user details, providing thorough visibility into these events. Implementing this rule requires enabling Kubernetes audit logging and configuring log collection with tools such as the Splunk OpenTelemetry Collector, particularly for deployments in environments such as AWS EKS.
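The following is an added example, not the rule's own search or any code from the Splunk project, showing the detection logic described above run over constructed Kubernetes audit log lines. It assumes the audit.k8s.io/v1 JSON event format (fields such as `verb`, `stage`, `objectRef`, `user`, `sourceIPs`, `responseStatus`), filters for completed `create` requests on `pods` in the three watched namespaces, and aggregates the same attributes the summary lists per namespace and pod name. All event values and the function names are constructed for the example.

```python
"""Flag pod creations in the Kubernetes default namespaces from audit log lines (added example)."""
import json
from collections import defaultdict
from typing import Iterable

# Namespaces the detection watches (as listed in the rule summary).
WATCHED_NAMESPACES = {"default", "kube-system", "kube-public"}

# Constructed sample audit events in audit.k8s.io/v1 JSON format, one event per line.
# All values are hypothetical; a real stream comes from the API server audit backend.
SAMPLE_AUDIT_LINES = [
    json.dumps({  # pod created in 'default' by a cluster admin
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create",
        "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"},
        "user": {"username": "kubernetes-admin", "groups": ["system:masters"]},
        "sourceIPs": ["203.0.113.10"],
        "requestReceivedTimestamp": "2024-11-14T10:00:00.000000Z",
        "responseStatus": {"code": 201},
    }),
    json.dumps({  # same pod name created again by a different identity and address
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create",
        "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"},
        "user": {"username": "ci-bot", "groups": ["system:serviceaccounts"]},
        "sourceIPs": ["198.51.100.7"],
        "requestReceivedTimestamp": "2024-11-14T10:05:00.000000Z",
        "responseStatus": {"code": 201},
    }),
    json.dumps({  # denied attempt in 'kube-public': still reported, with its 403 status
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create",
        "objectRef": {"resource": "pods", "namespace": "kube-public", "name": "tiny-proxy"},
        "user": {"username": "dev-alice", "groups": ["developers"]},
        "sourceIPs": ["192.0.2.44"],
        "requestReceivedTimestamp": "2024-11-14T10:07:30.000000Z",
        "responseStatus": {"code": 403},
    }),
    json.dumps({  # application namespace: not in scope, ignored
        "kind": "Event", "stage": "ResponseComplete", "verb": "create",
        "objectRef": {"resource": "pods", "namespace": "payments", "name": "api-server"},
        "user": {"username": "deployer"}, "sourceIPs": ["10.0.0.5"],
        "requestReceivedTimestamp": "2024-11-14T10:08:00.000000Z",
        "responseStatus": {"code": 201},
    }),
    json.dumps({  # RequestReceived stage of a watched create: ignored to avoid double counting
        "kind": "Event", "stage": "RequestReceived", "verb": "create",
        "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"},
        "user": {"username": "kubernetes-admin"}, "sourceIPs": ["203.0.113.10"],
        "requestReceivedTimestamp": "2024-11-14T10:00:00.000000Z",
    }),
    json.dumps({  # read of a pod in 'kube-system': not a creation, ignored
        "kind": "Event", "stage": "ResponseComplete", "verb": "get",
        "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "coredns-abc"},
        "user": {"username": "dev-alice"}, "sourceIPs": ["192.0.2.44"],
        "requestReceivedTimestamp": "2024-11-14T10:09:00.000000Z",
        "responseStatus": {"code": 200},
    }),
]


def is_watched_pod_creation(event: dict) -> bool:
    """True for a completed 'create' on the pods resource in a watched namespace."""
    ref = event.get("objectRef") or {}
    return (
        event.get("stage") == "ResponseComplete"
        and event.get("verb") == "create"
        and ref.get("resource") == "pods"
        and ref.get("namespace") in WATCHED_NAMESPACES
    )


def detect_default_namespace_pod_creations(lines: Iterable[str]) -> list[dict]:
    """Aggregate matching events by (namespace, pod name), collecting the rule's attributes."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "source_ips": set(),
                                  "response_codes": set(), "first_seen": None, "last_seen": None})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the whole search
        if not is_watched_pod_creation(event):
            continue
        ref = event["objectRef"]
        # objectRef.name can be absent when the pod is created via generateName.
        g = groups[(ref["namespace"], ref.get("name", "<unnamed>"))]
        g["count"] += 1
        g["users"].add((event.get("user") or {}).get("username", "<unknown>"))
        g["source_ips"].update(event.get("sourceIPs", []))
        g["response_codes"].add((event.get("responseStatus") or {}).get("code"))
        ts = event.get("requestReceivedTimestamp")
        if ts:  # RFC 3339 UTC strings with a fixed layout compare correctly as text
            g["first_seen"] = ts if g["first_seen"] is None else min(g["first_seen"], ts)
            g["last_seen"] = ts if g["last_seen"] is None else max(g["last_seen"], ts)
    return [
        {"namespace": ns, "pod": name, "count": g["count"], "users": sorted(g["users"]),
         "source_ips": sorted(g["source_ips"]),
         "response_codes": sorted(c for c in g["response_codes"] if c is not None),
         "first_seen": g["first_seen"], "last_seen": g["last_seen"]}
        for (ns, name), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    for finding in detect_default_namespace_pod_creations(SAMPLE_AUDIT_LINES):
        print(finding)
```

Filtering on the `ResponseComplete` stage keeps each request from being counted twice, and keeping denied attempts (non-2xx `responseStatus.code`) in the output preserves the response-status visibility the rule describes, since a refused creation in `kube-system` is often as interesting to an analyst as a successful one.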
Categories
- Kubernetes
- Cloud
Data Sources
- Kernel
- Cloud Service
- Container
ATT&CK Techniques
- T1204
Created: 2024-11-14