
Summary
The 'Kubernetes DaemonSet Created' detection rule monitors the creation of DaemonSets within Kubernetes clusters. DaemonSets ensure that a specific pod runs on all or selected nodes, which makes them a standard tool for deploying and managing pods consistently at scale. For the same reason, attackers can misuse DaemonSets to deploy malicious containers on every node, achieving cluster-wide persistence, credential harvesting, cryptomining, or lateral movement within the infrastructure. The detection logic covers events from AWS EKS, Azure AKS, and GCP GKE, reflecting the need for vigilance across the Kubernetes offerings of different cloud providers. It draws on the relevant audit log types to identify when a DaemonSet is created, flags potential misuse, and sets out a thorough process for analyzing the user's behavior and the configuration in the surrounding events. The runbook provides actionable steps for investigating an alert, such as reviewing the characteristics of the newly created DaemonSet, assessing the historical activity associated with the user, and examining the context of the deployment to identify risk factors that point to malicious activity.
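As an added illustration (not the rule's own query), the matching logic described above can be run over Kubernetes audit events in the native audit.k8s.io/v1 schema: a successful `create` of a `daemonsets` resource in the `apps` API group, enriched with the pod-template settings an analyst would check first during triage. The sample events are constructed, and the code assumes the EKS, AKS and GKE log wrappers have already been stripped down to the raw audit event.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1 field names), not data from a real cluster.
# Assumes provider wrappers (EKS CloudWatch, AKS kube-audit, GKE Cloud Logging) are already removed.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # Benign: the controller creating a pod for an existing DaemonSet, not a DaemonSet itself.
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "fluentd-abc12", "apiGroup": ""},
     "responseStatus": {"code": 201}},
    # Suspicious: a human user creating a DaemonSet with host namespaces and a privileged container.
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "dev-user@example.com"},
     "objectRef": {"resource": "daemonsets", "namespace": "default", "name": "node-agent", "apiGroup": "apps"},
     "responseStatus": {"code": 201},
     "requestObject": {"spec": {"template": {"spec": {"hostPID": True, "hostNetwork": True,
         "containers": [{"name": "agent", "image": "registry.example.invalid/agent:latest",
                         "securityContext": {"privileged": True}}]}}}}},
    # Denied: RBAC rejected the create, so no DaemonSet exists and no alert should fire.
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "ci-bot@example.com"},
     "objectRef": {"resource": "daemonsets", "namespace": "monitoring", "name": "node-exporter", "apiGroup": "apps"},
     "responseStatus": {"code": 403}},
])

def is_daemonset_created(event):
    """Match a successful DaemonSet create (apps API group) once the API server has responded."""
    ref = event.get("objectRef", {})
    return (event.get("stage") == "ResponseComplete"
            and event.get("verb") == "create"
            and ref.get("apiGroup") == "apps"
            and ref.get("resource") == "daemonsets"
            and 200 <= event.get("responseStatus", {}).get("code", 0) < 300)

def risk_flags(event):
    """Pod-template settings on the new DaemonSet that widen its reach onto every node."""
    pod_spec = event.get("requestObject", {}).get("spec", {}).get("template", {}).get("spec", {})
    flags = [k for k in ("hostPID", "hostNetwork", "hostIPC") if pod_spec.get(k)]
    if any(c.get("securityContext", {}).get("privileged") for c in pod_spec.get("containers", [])):
        flags.append("privileged")
    return flags

def detect(audit_log_text):
    """Return one alert per DaemonSet creation found in newline-delimited audit JSON."""
    alerts = []
    for line in audit_log_text.splitlines():
        event = json.loads(line)
        if is_daemonset_created(event):
            ref = event["objectRef"]
            alerts.append({"user": event["user"]["username"], "namespace": ref["namespace"],
                           "name": ref["name"], "risk_flags": risk_flags(event)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

The `risk_flags` output is triage context for the runbook steps above, not a second detection: a DaemonSet without any of those settings is still alerted on and still needs the user and deployment context reviewed.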
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Pod
- Service
- Container
- Process
ATT&CK Techniques
- T1610
- T1543
Created: 2026-02-18