Service Account Token or Certificate Read Detected via Defend for Containers

Elastic Detection Rules

Summary
This detection rule addresses the risk of unauthorized access to service account tokens or certificates inside Kubernetes containers. Service account tokens authenticate containers to the Kubernetes API server, and adversaries frequently target them to reach the API and access sensitive resources in the cluster. The rule fires when these files are opened inside a container, which may indicate credential theft. It lays out several investigation steps: mapping the container to its Kubernetes metadata, examining process activity, correlating network telemetry, and reviewing Kubernetes audit logs. It also notes the false positives that legitimate troubleshooting can produce, and gives remediation steps: delete the affected pods immediately, rotate credentials, and escalate for incident response. The aim is to reduce the risk that credential exposure poses in containerized environments.
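To make the detection idea concrete, the following is an added example (not the Elastic rule's own query or code) that applies the same check to a handful of constructed file-open events: it flags opens of the projected service-account credential files under their default mount path. The event field names (`event_type`, `file_path`, `process_name`, `container_id`) and the sample events are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Default mount point of a pod's projected service-account credentials in Kubernetes.
SA_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount/"
# The three files Kubernetes projects into that directory.
SA_FILES = {"token", "ca.crt", "namespace"}


@dataclass(frozen=True)
class Alert:
    container_id: str
    process: str
    path: str


def is_sa_credential_read(event: Dict) -> bool:
    """True when a file-open event targets a service-account token, CA cert or namespace file.

    Only 'open' events count; a stat or directory listing does not read the secret.
    The event schema (event_type, file_path) is assumed for this example.
    """
    if event.get("event_type") != "open":
        return False
    path = event.get("file_path", "")
    if not path.startswith(SA_MOUNT):
        return False
    # Kubernetes serves the files through a ..data symlink into a timestamped
    # directory, so compare on the basename to catch both the direct and the
    # resolved path.
    return path.rsplit("/", 1)[-1] in SA_FILES


def detect(events: List[Dict]) -> List[Alert]:
    """Run the check over a batch of events and return one alert per matching open."""
    return [
        Alert(e["container_id"], e["process_name"], e["file_path"])
        for e in events
        if is_sa_credential_read(e)
    ]


# Constructed sample events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "open", "container_id": "c1", "process_name": "curl",
     "file_path": SA_MOUNT + "token"},
    {"event_type": "open", "container_id": "c1", "process_name": "curl",
     "file_path": SA_MOUNT + "..2024_01_01_00_00_00.123456/ca.crt"},
    {"event_type": "open", "container_id": "c2", "process_name": "nginx",
     "file_path": "/etc/nginx/nginx.conf"},
    {"event_type": "stat", "container_id": "c3", "process_name": "ls",
     "file_path": SA_MOUNT + "token"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT container={a.container_id} proc={a.process} path={a.path}")
```

Running the block flags the two `curl` opens in container `c1` and ignores the nginx config read and the `stat` of the token. The false positives the rule description mentions (legitimate troubleshooting) are best handled in triage, by correlating the alerting process with the pod's metadata and audit logs as the investigation steps describe, rather than by suppressing opens of these files outright.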
Categories
  • Kubernetes
  • Containers
Data Sources
  • Container
ATT&CK Techniques
  • T1552
  • T1552.001
Created: 2026-01-21