Kubernetes Scanner Image Pulling

Splunk Security Content

Summary
The 'Kubernetes Scanner Image Pulling' detection rule identifies pulls of known Kubernetes security scanner images, such as kube-hunter, kube-bench, and kube-recon, in Kubernetes logs ingested via Splunk Connect for Kubernetes. A match indicates potential reconnaissance activity within a Kubernetes environment, since these scanners are used to enumerate cluster weaknesses. The detection is triggered by the messages logged during the image pull. If the activity is malicious, it could pose a significant risk to the security posture of the cluster, leading to exploitation of the weaknesses identified. The detection runs a search that targets the relevant log messages, captures the timestamps of the pulls, and aggregates them by properties such as host, namespace, and severity, making the results more actionable for security teams.
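As an added illustration that is not the rule's own Splunk search (the page does not reproduce the SPL), the following Python sketch applies the same logic to constructed Kubernetes events: match image-pull messages naming one of the scanner images, then aggregate matches by host, namespace and severity together with their timestamps. The event field names and the kubelet-style "Pulling image" message format are assumptions.

```python
import re
from collections import defaultdict

# Scanner images named in the rule summary.
SCANNER_IMAGES = ("kube-hunter", "kube-bench", "kube-recon")

# Assumed kubelet-style pull message; the real event layout produced by
# Splunk Connect for Kubernetes is not shown on the page.
PULL_RE = re.compile(r'Pulling image "(?P<image>[^"]+)"')


def is_scanner_image(image: str) -> bool:
    """True if the image reference's repository name is one of the scanners.

    Strips registry/path prefixes, then any @digest or :tag suffix, so that
    'ghcr.io/org/kube-hunter:v1' and 'aquasec/kube-bench@sha256:...' both match.
    """
    name = image.rsplit("/", 1)[-1].split("@", 1)[0].split(":", 1)[0]
    return name in SCANNER_IMAGES


def detect_scanner_pulls(events):
    """Return {(host, namespace, severity): [sorted timestamps]} for matching pulls."""
    hits = defaultdict(list)
    for ev in events:
        m = PULL_RE.search(ev.get("message", ""))
        if m and is_scanner_image(m.group("image")):
            hits[(ev["host"], ev["namespace"], ev["severity"])].append(ev["time"])
    return {key: sorted(times) for key, times in hits.items()}


# Constructed sample events, not logs from a real cluster.
SAMPLE_EVENTS = [
    {"time": "2024-11-14T10:00:01Z", "host": "node-1", "namespace": "default",
     "severity": "info", "message": 'Pulling image "docker.io/aquasec/kube-hunter:latest"'},
    {"time": "2024-11-14T10:00:05Z", "host": "node-1", "namespace": "default",
     "severity": "info", "message": 'Pulling image "nginx:1.25"'},
    {"time": "2024-11-14T10:02:30Z", "host": "node-2", "namespace": "kube-system",
     "severity": "info", "message": 'Pulling image "aquasec/kube-bench@sha256:abc"'},
    {"time": "2024-11-14T09:59:00Z", "host": "node-1", "namespace": "default",
     "severity": "info", "message": 'Pulling image "ghcr.io/example/kube-hunter:v1"'},
]

if __name__ == "__main__":
    for (host, ns, sev), times in detect_scanner_pulls(SAMPLE_EVENTS).items():
        print(f"{host} {ns} {sev}: {len(times)} pull(s), first {times[0]}, last {times[-1]}")
```

Pulls of these images by an authorised scanning job are expected, so a hit should be correlated with who created the pod before it is treated as reconnaissance.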
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Kernel
  • Image
ATT&CK Techniques
  • T1526
Created: 2024-11-14