Kubernetes System Role Modified or Deleted

Panther Rules

Summary
The rule 'Kubernetes System Role Modified or Deleted' monitors Kubernetes audit logs for modifications (update or patch) and deletions of ClusterRoles or Roles whose names begin with 'system:'. These are the default RBAC roles that Kubernetes creates for its own components, such as 'system:kube-scheduler', 'system:kube-controller-manager' and 'system:node', and they define what the control plane and the kubelets are permitted to do. Widening one of them escalates the privileges of every subject bound to it, which makes such an edit a quiet way to plant a backdoor; narrowing or deleting one can break scheduling, controllers or node registration.

Legitimate changes are infrequent. They normally occur during cluster upgrades, when the kube-apiserver reconciles the default roles (those annotated rbac.authorization.kubernetes.io/autoupdate=true) at startup; those writes are attributed to the API server's own loopback identity rather than to a human user or a workload service account. A change made by any other principal should be treated as potentially malicious and investigated immediately.

The prescribed response is to review the change (compare the role against a known-good cluster or the upstream defaults for that Kubernetes version), revert any unauthorized modification, and audit the other actions of the user or service account involved over the preceding days to uncover further suspicious activity.
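The detection logic described above, written out as an added example rather than Panther's own rule source. It follows the shape of a Panther Python rule (rule, title and alert_context functions, each taking one event) but operates on raw Kubernetes audit events (audit.k8s.io/v1 Event) as plain dicts: Panther's normalised log schema and event helper methods are not assumed, and the audit events it runs over are constructed sample data, not records from a real cluster.

```python
"""Detection logic for the 'Kubernetes System Role Modified or Deleted' rule.

Added example, not Panther's own rule source. Panther-style rule/title/alert_context
functions over raw audit.k8s.io/v1 Event dicts; Panther's schema is not assumed.
"""
import json

MUTATING_VERBS = {"update", "patch", "delete"}
ROLE_RESOURCES = {"clusterroles", "roles"}
RBAC_API_GROUP = "rbac.authorization.k8s.io"
SYSTEM_PREFIX = "system:"
# Loopback identity the kube-apiserver uses when it reconciles default roles at startup.
APISERVER_USER = "system:apiserver"
PAST_TENSE = {"update": "updated", "patch": "patched", "delete": "deleted"}


def rule(event: dict) -> bool:
    """True for a successful update/patch/delete of a Role or ClusterRole named 'system:*'."""
    # The API server logs one event per stage; judge only the final one so a
    # single request cannot raise two alerts.
    if event.get("stage") != "ResponseComplete":
        return False
    # A rejected request (RBAC denial, conflict, validation error) changed nothing.
    if (event.get("responseStatus") or {}).get("code", 0) >= 400:
        return False
    if event.get("verb") not in MUTATING_VERBS:
        return False
    ref = event.get("objectRef") or {}
    if ref.get("apiGroup") != RBAC_API_GROUP or ref.get("resource") not in ROLE_RESOURCES:
        return False
    return (ref.get("name") or "").startswith(SYSTEM_PREFIX)


def role_id(event: dict) -> str:
    """'clusterrole/system:node' or 'role/kube-system/system:controller:bootstrap-signer'."""
    ref = event.get("objectRef") or {}
    kind = ref.get("resource", "").rstrip("s")  # clusterroles -> clusterrole
    namespace = ref.get("namespace")
    return f"{kind}/{namespace}/{ref.get('name')}" if namespace else f"{kind}/{ref.get('name')}"


def title(event: dict) -> str:
    user = (event.get("user") or {}).get("username", "unknown")
    verb = event.get("verb", "")
    return f"Kubernetes system role [{role_id(event)}] {PAST_TENSE.get(verb, verb)} by [{user}]"


def alert_context(event: dict) -> dict:
    """Triage fields: who, from where, what changed, and whether the writer was the
    API server's own startup reconciliation rather than a user or workload."""
    user = event.get("user") or {}
    return {
        "username": user.get("username"),
        "groups": user.get("groups", []),
        "impersonated_user": (event.get("impersonatedUser") or {}).get("username"),
        "source_ips": event.get("sourceIPs", []),
        "user_agent": event.get("userAgent"),
        "verb": event.get("verb"),
        "role": role_id(event),
        "likely_apiserver_reconcile": user.get("username") == APISERVER_USER,
    }


def detect(audit_lines: list[str]) -> list[str]:
    """Run the rule over newline-delimited JSON audit events and return alert titles."""
    return [title(event) for event in map(json.loads, audit_lines) if rule(event)]


def make_event(verb, resource, name, username, namespace=None,
               stage="ResponseComplete", code=200):
    """Build a minimal audit.k8s.io/v1 Event. Constructed sample data, not a real cluster."""
    ref = {"apiGroup": RBAC_API_GROUP, "resource": resource, "name": name}
    if namespace:
        ref["namespace"] = namespace
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": f"{verb}-{name}", "stage": stage, "verb": verb,
        "user": {"username": username, "groups": ["system:authenticated"]},
        "sourceIPs": ["10.0.0.5"], "userAgent": "kubectl/v1.29.0",
        "objectRef": ref, "responseStatus": {"code": code},
    }


SAMPLE_EVENTS = [
    make_event("patch", "clusterroles", "system:kube-scheduler", "alice@example.com"),   # alert
    make_event("update", "clusterroles", "cluster-admin", "alice@example.com"),         # not 'system:'
    make_event("get", "clusterroles", "system:node", "alice@example.com"),              # read-only
    make_event("update", "clusterroles", "system:node", "bob@example.com", stage="RequestReceived"),
    make_event("update", "clusterroles", "system:node", "bob@example.com", code=403),   # denied
    make_event("delete", "roles", "system:controller:bootstrap-signer",
               "system:serviceaccount:dev:deployer", namespace="kube-system"),          # alert
    make_event("update", "clusterroles", "system:aggregate-to-edit", APISERVER_USER),   # alert (reconcile)
]
SAMPLE_AUDIT_LOG = [json.dumps(event) for event in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

The rule deliberately does not suppress writes by 'system:apiserver': a cluster-admin who can impersonate that identity could otherwise hide, so the reconciliation case is surfaced in the alert context for the analyst to confirm against control plane restart times rather than filtered out.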
Categories
  • Kubernetes
  • Cloud
  • On-Premise
Data Sources
  • Container
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1078.004 (Valid Accounts: Cloud Accounts)
  • T1222 (File and Directory Permissions Modification)
  • T1098 (Account Manipulation)
Created: 2026-02-18