
Summary
This detection rule monitors for the creation of Kubernetes CronJobs by analysing Kubernetes audit logs. A CronJob is a Kubernetes object that runs a task automatically on a fixed schedule. Monitoring CronJob creation matters because an attacker who can create one gains a recurring, scheduled execution primitive in the cluster, which can be used for persistent unauthorized access, service disruption, or data theft. The rule captures these events by matching the create verb in the audit logs together with the relevant metadata: the requesting user, the source IPs, and the container images in the job template. To use this detection, enable detailed audit logging within the cluster (the container images are only recorded when the audit policy captures the request body) and configure the logging pipeline to collect those logs. Any anomalous CronJob creation should be investigated promptly to mitigate the associated risk.
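The following is an added illustration of the detection logic the summary describes, not the rule's own query or code. It parses audit events in the `audit.k8s.io/v1` JSON Lines format written by the kube-apiserver log backend, keeps only completed `create` requests against `cronjobs` in the `batch` API group, and extracts the user, source IPs, and container images. The audit lines are constructed for this example; the function names (`parse_audit_lines`, `detect_cronjob_creation`, `container_images`) are hypothetical.

```python
"""Flag CronJob creation in Kubernetes audit logs (audit.k8s.io/v1 Event format)."""
import json
from typing import Iterable, Iterator, Optional

# Constructed sample audit log (JSON Lines). Not data from any real cluster.
# a1: successful CronJob create (plus its RequestReceived stage event, which must not double-count)
# a2: Deployment create (not a CronJob; must be ignored)
# a3: CronJob create in kube-system from an external address
# a4: CronJob create denied by RBAC (403); still worth surfacing as an attempt
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"RequestReceived","requestURI":"/apis/batch/v1/namespaces/default/cronjobs","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"cronjobs","namespace":"default","name":"nightly-backup","apiGroup":"batch","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/default/cronjobs","verb":"create","user":{"username":"system:serviceaccount:ci:deployer","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"cronjobs","namespace":"default","name":"nightly-backup","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"spec":{"schedule":"0 2 * * *","jobTemplate":{"spec":{"template":{"spec":{"containers":[{"name":"backup","image":"registry.example.com/backup:1.4"}]}}}}}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/default/deployments","verb":"create","user":{"username":"alice"},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"deployments","namespace":"default","name":"web","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/kube-system/cronjobs","verb":"create","user":{"username":"mallory"},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"cronjobs","namespace":"kube-system","name":"sys-maint","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"spec":{"schedule":"*/5 * * * *","jobTemplate":{"spec":{"template":{"spec":{"initContainers":[{"name":"init","image":"docker.io/library/busybox:1.36"}],"containers":[{"name":"c","image":"docker.io/library/alpine:latest"}]}}}}}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a4","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/default/cronjobs","verb":"create","user":{"username":"bob"},"sourceIPs":["10.0.0.8"],"objectRef":{"resource":"cronjobs","namespace":"default","apiGroup":"batch"},"responseStatus":{"code":403}}
"""

def parse_audit_lines(text: str) -> Iterator[dict]:
    """Yield audit Event objects from JSON Lines text, skipping malformed or foreign lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole batch
        if event.get("kind") == "Event" and str(event.get("apiVersion", "")).startswith("audit.k8s.io/"):
            yield event

def container_images(request_object: Optional[dict]) -> list:
    """Collect images from the CronJob's pod template (init containers first, then containers).
    Only available when the audit policy level is Request or RequestResponse."""
    if not request_object:
        return []
    pod_spec = (
        request_object.get("spec", {})
        .get("jobTemplate", {})
        .get("spec", {})
        .get("template", {})
        .get("spec", {})
    )
    images = []
    for key in ("initContainers", "containers"):
        for container in pod_spec.get(key) or []:
            if container.get("image"):
                images.append(container["image"])
    return images

def detect_cronjob_creation(events: Iterable[dict]) -> list:
    """Return one finding per completed CronJob create request, successful or denied."""
    findings = []
    for event in events:
        # Each request is logged at RequestReceived and again at ResponseComplete;
        # only the latter carries the response code and the request body, so alert once there.
        if event.get("stage") != "ResponseComplete":
            continue
        ref = event.get("objectRef") or {}
        if ref.get("resource") != "cronjobs" or ref.get("apiGroup") != "batch":
            continue
        if event.get("verb") != "create":
            continue
        code = (event.get("responseStatus") or {}).get("code")
        findings.append({
            "auditID": event.get("auditID"),
            "user": (event.get("user") or {}).get("username"),
            "sourceIPs": event.get("sourceIPs") or [],
            "userAgent": event.get("userAgent"),
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "images": container_images(event.get("requestObject")),
            "succeeded": code is not None and 200 <= code < 300,
            "responseCode": code,
        })
    return findings

if __name__ == "__main__":
    for finding in detect_cronjob_creation(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding))
```

Denied attempts (non-2xx) are kept in the findings with `succeeded` set to false, since a principal repeatedly trying and failing to create CronJobs is itself a signal worth triaging; a production rule would typically route successful and denied creations to different severities.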
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Kernel
ATT&CK Techniques
- T1053.007
Created: 2024-11-14