
Summary
This detection rule identifies unauthenticated access attempts against Kubernetes cluster pods hosted in Google Cloud Platform (GCP). It analyzes Google Cloud Pub/Sub messages carrying Kubernetes audit log entries and targets those whose response status code is 401 (Unauthorized). Such attempts, while potentially benign, are indicative of the reconnaissance or scanning behavior commonly exhibited by malicious actors probing for vulnerabilities in Kubernetes environments. The SOC should treat repeated occurrences of these unauthorized requests from the same source as a sign of possible malicious intent. If confirmed, these actions could pose serious risks such as unauthorized access to sensitive data and exploitation of vulnerabilities within the Kubernetes cluster.
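As an added illustration (not code from the rule or its source), the following Python sketch applies the rule's logic to a handful of constructed Pub/Sub audit messages: it keeps only entries whose response code is 401, groups them by cluster and caller IP, and reports the pairs that repeat past a threshold, which is the "repeated occurrences" pattern the summary describes. The field paths used (protoPayload.response.code, protoPayload.requestMetadata.callerIp, resource.labels.cluster_name) and the method names are assumptions about the exported log layout and should be checked against your own Pub/Sub export.

```python
import json
from collections import defaultdict


def _entry(cluster, ip, method, code):
    """Build one constructed Pub/Sub message body (GKE audit log shape is assumed)."""
    return json.dumps({
        "protoPayload": {
            "methodName": method,
            "requestMetadata": {"callerIp": ip},
            "response": {"code": code},
        },
        "resource": {"labels": {"cluster_name": cluster}},
    })


# Constructed sample batch, not real cluster data. RFC 5737 documentation IPs.
SAMPLE_MESSAGES = [
    _entry("prod-gke", "203.0.113.10", "io.k8s.core.v1.pods.list", 401),
    _entry("prod-gke", "203.0.113.10", "io.k8s.core.v1.pods.list", 401),
    _entry("prod-gke", "203.0.113.10", "io.k8s.core.v1.pods.get", 401),
    _entry("prod-gke", "198.51.100.7", "io.k8s.core.v1.pods.list", 401),  # one-off 401
    _entry("prod-gke", "203.0.113.10", "io.k8s.core.v1.pods.list", 200),  # authenticated, ignored
    "not json",  # malformed message; must not abort the whole batch
]


def unauthorized_probes(messages, threshold=3):
    """Count 401 responses per (cluster, caller IP) and return the pairs whose
    count reaches the threshold, with the API methods they touched."""
    counts = defaultdict(int)
    methods = defaultdict(set)
    for raw in messages:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip unparsable messages rather than failing the batch
        payload = entry.get("protoPayload", {})
        if payload.get("response", {}).get("code") != 401:
            continue
        cluster = entry.get("resource", {}).get("labels", {}).get("cluster_name", "unknown")
        caller = payload.get("requestMetadata", {}).get("callerIp", "unknown")
        key = (cluster, caller)
        counts[key] += 1
        methods[key].add(payload.get("methodName", "unknown"))
    return {k: {"count": n, "methods": sorted(methods[k])}
            for k, n in counts.items() if n >= threshold}
```

With the sample batch, only 203.0.113.10 crosses the default threshold; a single 401 from another address is kept out of the alert, which is the repeated-occurrence filter the rule relies on to cut down benign one-off failures.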
Categories
- Cloud
- Kubernetes
Data Sources
- Group
- Application Log
ATT&CK Techniques
- T1526
Created: 2024-11-14