
Summary
Detects potential Kubernetes enumeration or attack activity by examining Kubernetes audit logs for API requests that execute shells, utilities, or specialized tools (e.g., Rakkess, TruffleHog) through the API. The rule targets indicators of reconnaissance, secret harvesting, or code execution within a cluster, including execution of common shells (bash, sh, dash, ash, zsh), lightweight utilities (busybox, curl, wget, perl, python, kubectl), and other scripting/executable paths observed in audit events. It also flags suspicious user agents associated with credential discovery or secret scanning (access_matrix, trufflehog, azurehound, micro-scanner). Detection triggers when the API response is permitted (selection_status.code = ALLOW) and at least one request URI or user agent matches, indicating potential enumeration activity. False positives include authorized admin maintenance via kubectl, automated internal infrastructure monitoring and certificate rotation, and security-approved secret scanning in DevSecOps pipelines. The rule is categorized as a medium-severity detection and relies on Kubernetes audit logs as its data source to identify risky enumeration and code-execution patterns inside clusters.
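The matching logic described above, written out as an added Python example (not the rule's own code or a Sigma backend) and run over constructed JSON-lines audit events. It assumes the permitted-response condition maps to the audit annotation authorization.k8s.io/decision == "allow" and that the executed program is read from the command query parameter of an exec/attach request URI.

```python
import json
from urllib.parse import parse_qs, unquote, urlparse

# Indicators named in the rule summary: shell/utility names seen in request URIs,
# and user-agent substrings of credential-discovery or secret-scanning tools.
SHELLS_AND_TOOLS = {"bash", "sh", "dash", "ash", "zsh", "busybox", "curl",
                    "wget", "perl", "python", "kubectl"}
SUSPICIOUS_USER_AGENTS = ("access_matrix", "trufflehog", "azurehound", "micro-scanner")

def commands_in_uri(request_uri: str) -> set[str]:
    """Basenames of every `command` query value in an exec/attach request URI."""
    query = parse_qs(urlparse(request_uri).query)
    # "/bin/bash" and "bash" both normalise to "bash"
    return {unquote(v).rsplit("/", 1)[-1].lower() for v in query.get("command", [])}

def match_event(event: dict) -> list[str]:
    """Indicators an audit event matched; an empty list means no alert."""
    # Assumption: the permitted-response condition (selection_status.code = ALLOW)
    # is read from the audit annotation authorization.k8s.io/decision == "allow".
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision", "")
    if decision.lower() != "allow":
        return []  # a denied request never alerts, mirroring the rule's AND condition
    matched = commands_in_uri(event.get("requestURI", "")) & SHELLS_AND_TOOLS
    hits = [f"command:{name}" for name in sorted(matched)]
    user_agent = event.get("userAgent", "").lower()
    hits += [f"user_agent:{m}" for m in SUSPICIOUS_USER_AGENTS if m in user_agent]
    return hits

def scan_audit_log(lines) -> list[tuple[str, list[str]]]:
    """Run the rule over JSON-lines audit events; return (auditID, hits) per alert."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = match_event(event)
        if hits:
            alerts.append((event.get("auditID", "?"), hits))
    return alerts

# Constructed sample events (not from a real cluster): a1 exec with bash, a2 secrets
# listing by a scanner, a3 a denied exec, a4 a routine admin pod listing (no alert).
SAMPLE_LOG = """
{"auditID":"a1","verb":"create","requestURI":"/api/v1/namespaces/dev/pods/web-0/exec?command=%2Fbin%2Fbash&stdin=true&tty=true","userAgent":"kubectl/v1.30.0","annotations":{"authorization.k8s.io/decision":"allow"}}
{"auditID":"a2","verb":"list","requestURI":"/api/v1/secrets?limit=500","userAgent":"trufflehog/3.63.0","annotations":{"authorization.k8s.io/decision":"allow"}}
{"auditID":"a3","verb":"create","requestURI":"/api/v1/namespaces/dev/pods/web-0/exec?command=sh","userAgent":"curl/8.4.0","annotations":{"authorization.k8s.io/decision":"forbid"}}
{"auditID":"a4","verb":"list","requestURI":"/api/v1/namespaces/dev/pods","userAgent":"kubectl/v1.30.0","annotations":{"authorization.k8s.io/decision":"allow"}}
"""
```

Calling scan_audit_log(SAMPLE_LOG.splitlines()) returns alerts for a1 (command:bash) and a2 (user_agent:trufflehog) only; the denied exec and the administrator's pod listing are dropped, which is the false-positive boundary the summary describes.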
Categories
- Kubernetes
- Application
Data Sources
- Application Log
- File
Created: 2026-04-28