
Kubernetes API Multiple 403 Responses from Single Public IP

Panther Rules

Summary
This detection rule identifies multiple 403 (Forbidden) response codes issued by the Kubernetes API server to a single public IP address, which may indicate reconnaissance, permission enumeration, brute-force attempts, or misconfigured access. The rule focuses on unusual access attempts by external actors and filters out private IP addresses to avoid false positives from legitimate internal traffic. It is part of a broader security control strategy for Kubernetes environments and draws on multiple data sources: it monitors logs from Amazon EKS, Azure Monitor Activity, and GCP Audit Logs, which provide visibility into API interactions. If a public IP generates more than a predetermined threshold of 403 responses (set at 10 within a 30-minute deduplication period), the rule triggers an alert. A runbook is also provided so analysts can investigate suspicious activity efficiently, including examining related API calls and the extent of the source IP's activity across different clusters.
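The counting logic the summary describes, written out as an added Python example (not Panther's own rule code): it discards private source addresses, counts 403 responses per remaining IP inside a sliding 30-minute window, and reports any IP whose count exceeds 10. The Kubernetes audit-log field names used (`sourceIPs`, `responseStatus.code`, `stageTimestamp`) are assumed, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ranges treated as private so in-cluster/VPC traffic never alerts. RFC 5737 test
# ranges are left out on purpose so the constructed 203.0.113.x samples count as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_public_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in PRIVATE_NETS)

def forbidden_from_public(event):
    # Return the public client IP if this audit event is a 403, else None.
    if event.get("responseStatus", {}).get("code") != 403:
        return None
    ips = event.get("sourceIPs") or []      # first entry is the original client
    return ips[0] if ips and is_public_ip(ips[0]) else None

def find_offenders(events, threshold=10, window=timedelta(minutes=30)):
    # Sliding-window 403 count per public IP -> {ip: peak count} where count > threshold.
    recent, offenders = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["stageTimestamp"]):
        ip = forbidden_from_public(ev)
        if ip is None:
            continue
        ts = datetime.fromisoformat(ev["stageTimestamp"].replace("Z", "+00:00"))
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:           # drop hits older than the window
            q.popleft()
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

def sample_events():
    # Constructed Kubernetes-audit-shaped events (not real data): one public IP with
    # twelve 403s, an in-VPC client with fifteen 403s (private, ignored), one 200.
    base = datetime(2026, 2, 18, 10, 0, 0)
    def ev(ip, code, minute):
        return {"sourceIPs": [ip], "responseStatus": {"code": code},
                "stageTimestamp": (base + timedelta(minutes=minute)).isoformat() + "Z"}
    return ([ev("203.0.113.7", 403, m) for m in range(12)]
            + [ev("10.0.3.4", 403, m) for m in range(15)]
            + [ev("203.0.113.9", 200, 1)])
```

Running `find_offenders(sample_events())` returns only the public address with twelve 403s; the private client with more denials never surfaces, which is the false-positive filtering the rule relies on.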
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Kernel
  • Process
  • Network Traffic
  • Container
  • Cloud Service
ATT&CK Techniques
  • T1613
Created: 2026-02-18