Kubernetes Anonymous User Create/Update/Patch Pods Request

Elastic Detection Rules

Summary
This rule identifies anonymous users attempting to create, update, or patch pods within a Kubernetes cluster. It specifically targets unauthorized access to the Kubernetes API server, a path attackers often use to compromise the cluster. The detection logic uses EQL (Event Query Language) over the audit logs generated by Kubernetes to find requests that are anonymous or unauthenticated. The rule flags events where the username is one of the standard anonymous identifiers or is missing altogether, combined with a create, update, or patch action on pod resources. With a medium severity and a risk score of 47, this detection is important for maintaining Kubernetes cluster integrity against unauthorized manipulation.
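As an added example (not the rule's own EQL and not Elastic code), here is the same matching logic in Python, run over a few constructed Kubernetes audit.k8s.io JSON events; the set of anonymous usernames and the audit field names it checks are assumptions based on the standard Kubernetes audit event format, not taken from the rule.

```python
import json

# Usernames Kubernetes assigns to unauthenticated callers; an empty or missing
# username is treated the same way. Assumption: this mirrors the rule's
# "standard anonymous identifiers or missing" condition described above.
ANONYMOUS_USERNAMES = {"system:anonymous", "system:unauthenticated", ""}
POD_WRITE_VERBS = {"create", "update", "patch"}


def is_anonymous_pod_write(event: dict) -> bool:
    """True if an audit.k8s.io Event is an anonymous create/update/patch of a pod."""
    username = event.get("user", {}).get("username", "")
    verb = event.get("verb", "")
    resource = event.get("objectRef", {}).get("resource", "")
    return username in ANONYMOUS_USERNAMES and verb in POD_WRITE_VERBS and resource == "pods"


def scan_audit_log(lines):
    """Parse newline-delimited audit JSON and return the auditIDs of matching events."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if is_anonymous_pod_write(event):
            hits.append(event.get("auditID", "<no auditID>"))
    return hits


# Constructed sample audit events (not real cluster data).
SAMPLE_LOG = [
    '{"auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"responseStatus":{"code":201}}',
    '{"auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous"},"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":403}}',
    '{"auditID":"a3","stage":"ResponseComplete","verb":"patch","user":{},"objectRef":{"resource":"pods","namespace":"kube-system","name":"coredns-abc"},"responseStatus":{"code":200}}',
    '{"auditID":"a4","stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:kube-system:deployment-controller"},"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}',
    '{"auditID":"a5","stage":"ResponseComplete","verb":"create","user":{"username":"system:anonymous"},"objectRef":{"resource":"configmaps","namespace":"default"},"responseStatus":{"code":201}}',
    "not json at all",
]

if __name__ == "__main__":
    print(scan_audit_log(SAMPLE_LOG))  # ['a1', 'a3']
```

Only a1 (anonymous create of a pod) and a3 (missing username, patch of a pod) match; the read-only request, the legitimate service account, and the configmap write are left alone.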
Categories
  • Kubernetes
Data Sources
  • Kernel
  • Cloud Service
  • Process
Created: 2026-02-02