Kubernetes Secret Enumeration by a User

Panther Rules

Summary
Technical description: This rule triggers when a single user performs 15 or more distinct secret read operations within a 30-minute window, as observed in Kubernetes audit logs. It aggregates per-user secret access events for the verbs list, get, and watch from Kubernetes audit streams (e.g., Amazon.EKS.Audit, Azure.MonitorActivity, GCP.AuditLog). By counting the unique secret resources a user touches in a sliding 30-minute window, the rule detects secret enumeration that could facilitate lateral or vertical movement.

It separates this from routine activity by requiring that volume of access and by tracking the responseStatus codes (e.g., 200 for successful reads, 403 for denied attempts). Non-secret resources and certain system principals are excluded to minimize false positives (for example, system:serviceaccount:... reading secrets via the kube-controller-manager is excluded). The Detection Result maps to MITRE ATT&CK technique TA0006:T1552.007 (Secret Discovery/Credential Access). The rule is labeled Experimental and is disabled by default; thresholds are tunable (default threshold: 15, dedup 30 minutes).

The Runbook provides steps to corroborate the alert: query the audit logs around the alert window, identify the full set of secrets and verbs observed, assess legitimate reasons for the access, and search the prior 24 hours for related suspicious activity (e.g., privilege escalation or binding changes). Tests illustrate concrete audit events that validate detection and demonstrate suppression of false positives (e.g., non-secret resources or write verbs).
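The aggregation described above, written out as a stand-alone example so the thresholding and exclusion behaviour can be seen on concrete events. This is added illustration code, not Panther's rule implementation or its test fixtures: the audit events are constructed inline in the Kubernetes audit-log shape (verb, user.username, objectRef, responseStatus.code), and the exclusion prefix for system principals is an assumption standing in for whatever list the real rule uses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 15                      # default threshold from the rule description
WINDOW = timedelta(minutes=30)      # sliding window / dedup period
READ_VERBS = {"get", "list", "watch"}
# Assumed exclusion: the page only says "certain system principals" such as the
# controller-manager service account are excluded; this prefix is a placeholder.
EXCLUDED_PRINCIPAL_PREFIXES = ("system:serviceaccount:kube-system:",)


def is_secret_read(event):
    """True for a read verb against the secrets resource by a non-excluded user."""
    obj = event.get("objectRef") or {}
    if obj.get("resource") != "secrets":
        return False                # configmaps, pods, etc. are ignored
    if event.get("verb") not in READ_VERBS:
        return False                # create/update/delete are not enumeration
    user = (event.get("user") or {}).get("username", "")
    return not user.startswith(EXCLUDED_PRINCIPAL_PREFIXES)


def secret_key(event):
    """Identify the secret touched; list/watch without a name is namespace-wide."""
    obj = event["objectRef"]
    return f"{obj.get('namespace', '')}/{obj.get('name') or '*'}"


def detect_enumeration(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user whose distinct-secret count reaches the threshold
    inside the sliding window. After an alert the user's window is reset, which
    plays the role of the rule's dedup period."""
    reads = sorted((e for e in events if is_secret_read(e)),
                   key=lambda e: e["requestReceivedTimestamp"])
    per_user = defaultdict(deque)   # user -> (timestamp, secret key, status code)
    alerts = []
    for e in reads:
        ts = datetime.fromisoformat(e["requestReceivedTimestamp"].replace("Z", "+00:00"))
        user = e["user"]["username"]
        q = per_user[user]
        q.append((ts, secret_key(e), (e.get("responseStatus") or {}).get("code")))
        while q and ts - q[0][0] > window:
            q.popleft()             # drop events older than the window
        distinct = {k for _, k, _ in q}
        if len(distinct) >= threshold:
            codes = defaultdict(int)
            for _, _, c in q:
                codes[c] += 1       # 200 vs 403 mix helps the analyst triage
            alerts.append({
                "user": user,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "distinct_secrets": sorted(distinct),
                "status_codes": dict(codes),
            })
            q.clear()
    return alerts


# --- constructed sample audit events (not from the page or from Panther) ---
BASE = datetime(2026, 4, 21, 10, 0, tzinfo=timezone.utc)


def _ev(user, verb, resource, name, ns, code, minute):
    return {
        "requestReceivedTimestamp": (BASE + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": ns, "name": name},
        "responseStatus": {"code": code},
    }


SAMPLE_EVENTS = (
    # alice: 16 distinct secrets in 16 minutes, the last four denied -> alert
    [_ev("alice", "get", "secrets", f"db-cred-{i}", "prod", 200 if i < 12 else 403, i) for i in range(16)]
    # bob: the same secret 20 times -> only one distinct secret, no alert
    + [_ev("bob", "get", "secrets", "tls-cert", "prod", 200, i) for i in range(20)]
    # eve: 20 distinct secrets, but one every 3 minutes -> at most 11 per window
    + [_ev("eve", "get", "secrets", f"token-{i}", "prod", 200, 3 * i) for i in range(20)]
    # excluded system principal doing namespace-wide lists
    + [_ev("system:serviceaccount:kube-system:kube-controller-manager", "list", "secrets", None, "prod", 200, i) for i in range(20)]
    # carol: write verbs and non-secret resources are suppressed
    + [_ev("carol", "update", "secrets", f"s-{i}", "dev", 200, i) for i in range(20)]
    + [_ev("carol", "get", "configmaps", f"cm-{i}", "dev", 200, i) for i in range(20)]
)

if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_EVENTS):
        print(a["user"], len(a["distinct_secrets"]), a["status_codes"])
```

Only alice fires, with 15 distinct secrets and a 12/3 split of 200/403 codes at the moment the threshold is crossed; eve shows why the window matters, since her 20 reads never put 15 distinct secrets inside any 30-minute span.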
Categories
  • Kubernetes
Data Sources
  • Application Log
ATT&CK Techniques
  • T1552.007
Created: 2026-04-21