
Summary
This rule, authored by Elastic, detects the creation or modification of kubeconfig files on Linux hosts. A kubeconfig file holds the cluster endpoint and the credentials (client certificate, bearer token, or exec plugin) used to authenticate to the Kubernetes API, so an attacker who plants a new one or edits an existing one can gain unauthorized cluster access or move laterally within the Kubernetes environment. The rule uses EQL (Event Query Language) over file events from Linux hosts, matching writes to the common kubeconfig locations, and excludes events generated by kubeadm and kubelet, which legitimately write these files during cluster bootstrap and node operation, to reduce false positives. Its risk score of 47 marks alerts as medium severity. The rule requires the Elastic Defend integration deployed through Elastic Agent so that file events on the hosts are collected. It maps to MITRE ATT&CK T1550 (Use Alternate Authentication Material) and T1078 (Valid Accounts), covering the initial access, lateral movement, and defense evasion tactics. When triaging an alert, check which process and user wrote the file and whether the write coincided with cluster installation or node provisioning; writes from interactive shells, scripting interpreters, or unfamiliar binaries warrant investigation.
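To make the matching logic concrete, the following is an added example that re-implements the rule's filtering in plain Python over constructed file events; it is not Elastic's EQL rule or its exact query. The page only says the rule targets "common kubeconfig file locations" and excludes kubeadm and kubelet, so the path patterns below are assumptions chosen for illustration, and the sample events are constructed. The dictionary keys mirror the ECS field names (host.os.type, event.category, event.type, file.path, process.name) that Elastic Defend populates.

```python
"""Toy re-implementation of a kubeconfig creation/modification detection.

Added example, not Elastic's rule. KUBECONFIG_PATTERNS is an assumed list of
well-known kubeconfig locations; the real rule's path list is not on the page.
"""
import fnmatch
from typing import Dict, List

# Assumed kubeconfig locations as glob patterns (not the rule's exact list).
KUBECONFIG_PATTERNS = [
    "/root/.kube/config",
    "/home/*/.kube/config",
    "/etc/kubernetes/admin.conf",
    "/etc/kubernetes/kubelet.conf",
    "/etc/kubernetes/controller-manager.conf",
    "/etc/kubernetes/scheduler.conf",
    "/var/lib/kubelet/kubeconfig",
]

# Processes the page says the rule excludes because they legitimately
# write kubeconfig files during bootstrap and node operation.
BENIGN_WRITERS = {"kubeadm", "kubelet"}

# ECS event.type values for "created" and "modified"; deletions are ignored.
MATCHED_EVENT_TYPES = {"creation", "change"}


def is_kubeconfig_path(path: str) -> bool:
    """True if the path matches any assumed kubeconfig location."""
    return any(fnmatch.fnmatchcase(path, pat) for pat in KUBECONFIG_PATTERNS)


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply the rule's conditions to one ECS-style file event."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.category") != "file":
        return False
    if event.get("event.type") not in MATCHED_EVENT_TYPES:
        return False
    if not is_kubeconfig_path(event.get("file.path", "")):
        return False
    # Exclusion: kubeadm/kubelet writes are expected and suppressed.
    if event.get("process.name") in BENIGN_WRITERS:
        return False
    return True


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise an alert."""
    return [e for e in events if matches_rule(e)]


def _ev(etype: str, path: str, proc: str, os_type: str = "linux") -> Dict[str, str]:
    return {
        "host.os.type": os_type,
        "event.category": "file",
        "event.type": etype,
        "file.path": path,
        "process.name": proc,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("creation", "/etc/kubernetes/admin.conf", "kubeadm"),       # bootstrap: excluded
    _ev("change", "/var/lib/kubelet/kubeconfig", "kubelet"),         # node agent: excluded
    _ev("creation", "/home/alice/.kube/config", "bash"),             # interactive shell: alert
    _ev("change", "/root/.kube/config", "python3"),                  # scripted write: alert
    _ev("creation", "/tmp/notes.txt", "vim"),                        # unrelated path: no alert
    _ev("deletion", "/root/.kube/config", "rm"),                     # deletion: not in scope
    _ev("change", "/root/.kube/config", "cmd.exe", os_type="windows"),  # wrong OS: no alert
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT risk=47 {hit['process.name']} wrote {hit['file.path']}")
```

Note that fnmatch's `*` also matches `/`, so `/home/*/.kube/config` would match nested paths such as `/home/a/b/.kube/config`; that is acceptable here but worth knowing if you adapt the patterns to a stricter matcher.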
Categories
- Linux
- Containers
- Endpoint
Data Sources
- File
- Process
- Container
ATT&CK Techniques
- T1550
- T1078
Created: 2025-06-17