
Summary
This detection rule identifies the creation of a DaemonSet in a Kubernetes cluster by analyzing Kubernetes audit logs. A DaemonSet ensures that a copy of a given pod runs on every node, which makes it a convenient vehicle for persistent access to the infrastructure. When such activity appears in the audit log, it can indicate an attempt to maintain unauthorized access. The rule matches the specific audit events generated when a DaemonSet is created, using Kubernetes audit logging to flag behaviour that may be associated with malicious user actions. Confirming that the activity is legitimate is essential, since unauthorized DaemonSet creation can lead to persistent threats, service disruption, or exposure of sensitive data.
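Added here as an illustration of the detection logic the summary describes, not the rule's own query: a Python check over Kubernetes audit events in JSON-lines form that alerts only on a completed, successful `create` of an `apps/daemonsets` object. Field names follow the Kubernetes audit Event schema; the sample events, usernames and IP address are constructed.

```python
"""Flag DaemonSet creation in Kubernetes audit logs (JSON lines)."""
import json
# Constructed sample events (not real cluster logs), trimmed to the fields
# this check reads. Only the first one should raise an alert.
SAMPLE_EVENTS = [
    {"stage": "ResponseComplete", "verb": "create", "sourceIPs": ["10.0.0.7"],
     "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "daemonsets", "apiGroup": "apps",
                   "namespace": "kube-system", "name": "node-agent"},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "get",  # read-only access, no alert
     "user": {"username": "alice"},
     "objectRef": {"resource": "daemonsets", "apiGroup": "apps",
                   "namespace": "kube-system", "name": "node-agent"},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "create",  # rejected by RBAC, no alert
     "user": {"username": "bob"},
     "objectRef": {"resource": "daemonsets", "apiGroup": "apps",
                   "namespace": "default", "name": "agent"},
     "responseStatus": {"code": 403}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n{broken"

def is_daemonset_creation(event) -> bool:
    """Completed, successful create of an apps/v1 DaemonSet."""
    if not isinstance(event, dict):
        return False
    ref = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code", 0)
    # ResponseComplete only: RequestReceived/ResponseStarted would double-count.
    return (event.get("stage") == "ResponseComplete" and event.get("verb") == "create"
            and ref.get("resource") == "daemonsets" and ref.get("apiGroup") == "apps"
            and 200 <= code < 300)

def find_daemonset_creations(audit_log: str) -> list:
    """Return one alert dict per DaemonSet creation found in a JSON-lines log."""
    alerts = []
    for line in audit_log.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole batch
        if is_daemonset_creation(event):
            ref = event["objectRef"]
            alerts.append({"user": event.get("user", {}).get("username"),
                           "namespace": ref.get("namespace"), "name": ref.get("name"),
                           "source_ips": event.get("sourceIPs", [])})
    return alerts
```

Denied attempts (HTTP 403) are deliberately excluded here; in practice they are worth routing to a separate, lower-severity check rather than dropping.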
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Kernel
ATT&CK Techniques
- T1204
Created: 2024-11-14