
Summary
This rule detects potential abuse of Kubernetes Secrets, focusing on access by atypical user groups, which could indicate an attacker's attempt to exfiltrate sensitive data. Using Kubernetes Audit logs, the detection identifies unusual patterns by analyzing the source of each request and the user groups that attempt access. Because Kubernetes Secrets can hold sensitive credentials such as passwords and tokens, any unauthorized access could lead to a severe security breach. The rule uses a search query that filters out permitted user groups and highlights accesses that deviate from normal behavior, supporting timely detection of and response to potential security incidents within a Kubernetes environment.
Categories
- Kubernetes
- Cloud
- Identity Management
Data Sources
- Kernel
- Cloud Service
ATT&CK Techniques
- T1552.007
Created: 2024-11-14