
Direct Interactive Kubernetes API Request by Common Utilities

Elastic Detection Rules

Summary
This detection rule identifies direct, interactive requests to the Kubernetes API made with common utilities such as curl, wget, and kubectl. It uses process telemetry from Elastic Defend for Containers together with Kubernetes audit logs to capture these interactions, which can signal an adversary exploring the API server or moving laterally within a cluster. The rule triggers on specific combinations of process activity and Kubernetes audit events that indicate the API server is being reached directly from an interactive session. It also outlines potential false positives from legitimate use, such as debugging or troubleshooting, and stresses the importance of context during investigation. The investigation guidance includes steps to analyze the surrounding workflows and account for legitimate operational procedures. Given the sensitivity of the Kubernetes environment, the rule recommends response measures for confirmed threats, including immediate isolation of affected pods and re-evaluation of service account permissions.
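To make the two-source logic the summary describes concrete, the following is an added illustration (not the rule's own query): it flags interactive curl/wget/kubectl process events aimed at the API server and correlates them with Kubernetes audit records whose client user agent is one of those utilities. ECS-style process field names, the `pod.ip` field, the API-server pattern and the 60-second window are assumptions; the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

UTILITIES = ("curl", "wget", "kubectl")
# Hosts/ports that identify the in-cluster API server in a command line (assumed)
API_SERVER = re.compile(r"kubernetes\.default(\.svc)?|:6443\b")
WINDOW = timedelta(seconds=60)  # correlation window, an assumption

def is_direct_api_request(proc):
    """Process side: an interactive curl/wget/kubectl aimed at the API server."""
    name = proc.get("process.name")
    if name not in UTILITIES or not proc.get("process.interactive"):
        return False
    # kubectl always talks to the API server; curl/wget only if the target says so
    return name == "kubectl" or bool(API_SERVER.search(proc.get("process.command_line", "")))

def is_utility_audit(audit):
    """Audit side: the client identified itself as one of the utilities."""
    return audit.get("userAgent", "").lower().startswith(UTILITIES)

def correlate(proc_events, audit_events):
    """Pair flagged process events with audit records from the same pod IP inside
    WINDOW; returns (process event, audit event) tuples for the analyst to review."""
    hits = []
    for proc in proc_events:
        if not is_direct_api_request(proc):
            continue
        t_proc = datetime.fromisoformat(proc["@timestamp"])
        for audit in audit_events:
            if not is_utility_audit(audit) or proc["pod.ip"] not in audit.get("sourceIPs", []):
                continue
            if abs(datetime.fromisoformat(audit["requestReceivedTimestamp"]) - t_proc) <= WINDOW:
                hits.append((proc, audit))
    return hits

# Constructed sample telemetry, not real data
PROC_EVENTS = [
    {"@timestamp": "2026-01-21T10:00:05", "pod.ip": "10.244.1.7", "process.name": "curl",
     "process.interactive": True,
     "process.command_line": "curl -k https://kubernetes.default.svc/api/v1/namespaces/default/pods"},
    {"@timestamp": "2026-01-21T10:00:09", "pod.ip": "10.244.1.8", "process.name": "curl",
     "process.interactive": False,  # scheduled health probe, not an interactive session
     "process.command_line": "curl http://localhost:8080/healthz"},
]
AUDIT_EVENTS = [
    {"requestReceivedTimestamp": "2026-01-21T10:00:06", "sourceIPs": ["10.244.1.7"],
     "userAgent": "curl/8.4.0", "user": {"username": "system:serviceaccount:default:app"},
     "verb": "list", "requestURI": "/api/v1/namespaces/default/pods"},
]
```

Running `correlate(PROC_EVENTS, AUDIT_EVENTS)` yields one pairing for pod 10.244.1.7 and none for the non-interactive health probe, which is the kind of false positive the rule's guidance asks analysts to rule out.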
Categories
  • Kubernetes
  • Containers
  • Cloud
Data Sources
  • Kernel
  • Process
  • Container
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1613
Created: 2026-01-21