Kubernetes Container Created

Anvilogic Forge

Summary
This detection rule identifies the creation of new containers within a Kubernetes cluster. Adversaries may deploy containers to execute malicious processes or to evade security controls in the environment. The logic uses a Splunk query over container-creation events, filtering for containers that are created without an associated application request. The rule captures timestamps, hostnames, user actions, source IP addresses and other identifiers so that the context of each deployment can be tracked. By reviewing this data, security teams can spot potentially malicious container-management activity and act on unauthorized deployments. The rule is particularly valuable in cloud-native environments where container orchestration is prevalent, and it fits into existing monitoring frameworks. It maps to MITRE ATT&CK techniques for defense evasion and execution.
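As an added illustration of the logic the summary describes (this is not Anvilogic's rule, whose Splunk query is not shown on this page), the Python below reads Kubernetes API-server audit events, keeps successful pod creates, and drops creates issued by kube-system controllers, which is the assumption used here for "without an associated application request". The audit lines are constructed samples; hostnames are not present in this log format, so only the user, source IP, namespace and pod name are extracted.

```python
import json
from datetime import datetime

# Constructed sample Kubernetes audit-log events (JSON lines); not real cluster data.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-02-09T10:15:01.000000Z","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f-abc12"},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-02-09T10:16:42.000000Z","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"default","name":"debug-shell"},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","requestReceivedTimestamp":"2024-02-09T10:17:00.000000Z","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"default","name":"debug-shell"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2024-02-09T10:18:30.000000Z","user":{"username":"bob"},"sourceIPs":["198.51.100.9"],"objectRef":{"resource":"pods","namespace":"default","name":"miner"},"responseStatus":{"code":403}}
"""

# Assumption: creates issued by controllers in kube-system are "application requests"
# (Deployments, ReplicaSets, Jobs) and are excluded; direct pod creates are kept.
CONTROLLER_PREFIX = "system:serviceaccount:kube-system:"


def is_suspicious_container_create(event):
    """True for a successful pod create that was not issued by a kube-system controller."""
    if event.get("stage") != "ResponseComplete" or event.get("verb") != "create":
        return False
    if event.get("objectRef", {}).get("resource") != "pods":
        return False
    if event.get("responseStatus", {}).get("code", 0) >= 300:
        return False  # denied or failed requests never deployed a container
    return not event["user"]["username"].startswith(CONTROLLER_PREFIX)


def detect_container_creation(audit_log_text):
    """Return one context record per flagged event: time, user, source IP, namespace, pod."""
    hits = []
    for line in audit_log_text.strip().splitlines():
        event = json.loads(line)
        if not is_suspicious_container_create(event):
            continue
        ref = event["objectRef"]
        hits.append({
            "time": datetime.fromisoformat(event["requestReceivedTimestamp"].replace("Z", "+00:00")),
            "user": event["user"]["username"],
            "src_ip": event.get("sourceIPs", ["unknown"])[0],
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_container_creation(SAMPLE_AUDIT_LOG):
        print(hit)
```

On the constructed input only the direct pod create by alice@example.com is flagged: the ReplicaSet-controller create is treated as an application request, the get is not a creation, and the 403 never deployed anything.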
Categories
  • Cloud
  • Kubernetes
  • Containers
Data Sources
  • Container
  • Image
  • Application Log
ATT&CK Techniques
  • T1610
Created: 2024-02-09