
Summary
This rule monitors for access to Kubernetes service account secrets: the token, CA certificate and namespace files that the kubelet projects into a pod (by default under /var/run/secrets/kubernetes.io/serviceaccount) and that workloads use to authenticate to the API server. An attacker who lands in a container can read these files and reuse the token with the service account's RBAC permissions. The EQL (Event Query Language) rule fires on process start events whose command line or working directory references that location; by restricting the match to process starts and to those specific fields it flags direct attempts to read or enumerate the mounted credentials. The goal is to surface credential theft that could lead to privilege escalation or lateral movement within the cluster. The rule requires the Elastic Defend integration, and matches are mapped to the MITRE ATT&CK credential access techniques Unsecured Credentials (T1552) and Steal Application Access Token (T1528) and to the discovery technique Container and Resource Discovery (T1613).
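To show the matching logic the summary describes, here is an added Python check run over constructed process events. It is not the Elastic rule's own EQL query; field names follow the Elastic Common Schema (event.category, event.action, process.command_line, process.working_directory) that Elastic Defend emits, the set of start actions is an assumption meant to cover more than one data source, and the sample events are made up for the example. It also matches the /run/... spelling of the mount, which applies on images where /var/run is a symlink to /run.

```python
from __future__ import annotations

# Added example, not the Elastic rule's query. Field names follow ECS as
# used by Elastic Defend; the action set and sample events are assumptions.

# Default mount point of a pod's projected service-account credentials
# (token, ca.crt, namespace). Images where /var/run is a symlink to /run
# expose the same files under the second prefix, so both are matched.
SA_SECRET_DIRS = (
    "/var/run/secrets/kubernetes.io/serviceaccount",
    "/run/secrets/kubernetes.io/serviceaccount",
)

# event.action values assumed to denote a process start across data
# sources (Elastic Defend on Linux reports "exec" for a new executable).
START_ACTIONS = {"exec", "start", "process_started"}

# Constructed ECS-shaped events for the demo; not real telemetry.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-06-17T10:00:01Z",
     "event": {"category": ["process"], "action": "exec"},
     "process": {"pid": 4101, "name": "cat",
                 "command_line": "cat /var/run/secrets/kubernetes.io/serviceaccount/token",
                 "working_directory": "/app"}},
    {"@timestamp": "2025-06-17T10:00:02Z",
     "event": {"category": ["process"], "action": "exec"},
     "process": {"pid": 4102, "name": "ls",
                 "command_line": "ls -la",
                 "working_directory": "/run/secrets/kubernetes.io/serviceaccount"}},
    # Process end for the first event: same fields, but not a start.
    {"@timestamp": "2025-06-17T10:00:03Z",
     "event": {"category": ["process"], "action": "end"},
     "process": {"pid": 4101, "name": "cat",
                 "command_line": "cat /var/run/secrets/kubernetes.io/serviceaccount/token",
                 "working_directory": "/app"}},
    # Benign workload start with no reference to the secret mount.
    {"@timestamp": "2025-06-17T10:00:04Z",
     "event": {"category": ["process"], "action": "exec"},
     "process": {"pid": 4103, "name": "python3",
                 "command_line": "python3 /app/server.py",
                 "working_directory": "/app"}},
]


def _as_list(value) -> list:
    """ECS allows event.category to be a scalar or an array; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def references_sa_secrets(event: dict) -> bool:
    """True when a process-start event's command line or working
    directory points at the service-account secret mount."""
    ev = event.get("event", {})
    if "process" not in _as_list(ev.get("category")):
        return False
    if ev.get("action") not in START_ACTIONS:
        return False
    proc = event.get("process", {})
    haystacks = (proc.get("command_line") or "",
                 proc.get("working_directory") or "")
    return any(d in h for d in SA_SECRET_DIRS for h in haystacks)


def find_matches(events: list[dict]) -> list[dict]:
    """Apply the check to a batch of events and return compact hits."""
    hits = []
    for e in events:
        if references_sa_secrets(e):
            p = e["process"]
            hits.append({"timestamp": e["@timestamp"],
                         "pid": p["pid"], "name": p["name"],
                         "command_line": p.get("command_line", "")})
    return hits


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(hit)
```

Two points worth keeping in mind when tuning a rule of this shape: a start-event rule only sees reads that spawn a new process, so an in-process read (a shell builtin, a Python `open()` inside an already running service) never produces a matching event and needs file-access telemetry instead; and the working-directory clause is what catches the `cd` then `ls`/`cat` pattern, so dropping it to reduce noise removes real coverage.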
Categories
- Kubernetes
- Containers
- Cloud
- Endpoint
Data Sources
- Process
- File
- Cloud Service
ATT&CK Techniques
- T1552 (Unsecured Credentials)
- T1528 (Steal Application Access Token)
- T1613 (Container and Resource Discovery)
Created: 2025-06-17