
Kubernetes Denied Service Account Request

Elastic Detection Rules

Summary
This rule identifies unauthorized requests made by Kubernetes service accounts to the API server, which can indicate a security compromise or a system misconfiguration. A service account that is functioning normally should not make unauthorized requests; any deviation is abnormal and may mean that an adversary has obtained the account's credentials or tokens. The detection works by analyzing kubernetes.audit_logs for user names that correspond to service accounts and whose requests were denied, as indicated by the 'authorization_k8s_io/decision' field being set to 'forbid'. Points of investigation include auditing the specific service account, checking the nature of the denial, and examining the request's source. The rule further suggests steps to distinguish false positives arising from testing scenarios, automated scripts, or misconfigured RBAC settings before advising immediate remedial action if unauthorized access is suspected. This approach reinforces the security posture of Kubernetes clusters by ensuring service accounts adhere to their intended permissions and behaviors.
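The detection logic described above, applied to constructed audit events as an added illustration (not Elastic's rule query or code). It assumes the upstream Kubernetes audit JSON layout, where the decision lives in the annotations map as authorization.k8s.io/decision and service accounts are named system:serviceaccount:NAMESPACE:NAME, and it emits the triage fields the summary points to (account, denied action, request source).

```python
import json

# Constructed sample of Kubernetes audit events (upstream audit.k8s.io/v1 JSON
# lines), not real cluster data. Elastic's integration exposes the same
# annotation as kubernetes.audit.annotations.authorization_k8s_io/decision.
SAMPLE_AUDIT_LINES = [
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:app-sa"},'
    '"objectRef":{"resource":"secrets","namespace":"kube-system"},"sourceIPs":["10.0.1.5"],'
    '"annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:app-sa"},'
    '"objectRef":{"resource":"configmaps","namespace":"default"},"sourceIPs":["10.0.1.5"],'
    '"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed"}}',
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},'
    '"objectRef":{"resource":"pods","namespace":"prod"},"sourceIPs":["192.0.2.10"],'
    '"annotations":{"authorization.k8s.io/decision":"forbid"}}',
    '{"stage":"RequestReceived","verb":"delete","user":{"username":"system:serviceaccount:kube-system:ci-runner"},'
    '"objectRef":{"resource":"deployments","namespace":"prod"},"sourceIPs":["10.0.2.9"],"annotations":{}}',
    "not json at all",
]

SA_PREFIX = "system:serviceaccount:"
DECISION_KEY = "authorization.k8s.io/decision"


def denied_service_account_requests(lines):
    """Return one triage record per audit event in which a service account was denied."""
    hits = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # drop malformed lines instead of failing the whole batch
        username = ev.get("user", {}).get("username", "")
        # The decision annotation is written only after authorization has run,
        # so RequestReceived-stage events never match; neither do human users.
        if not username.startswith(SA_PREFIX):
            continue
        if ev.get("annotations", {}).get(DECISION_KEY) != "forbid":
            continue
        sa = "/".join(username.split(":", 3)[2:])  # namespace/name
        ref = ev.get("objectRef", {})
        hits.append({
            "service_account": sa,
            "verb": ev.get("verb"),
            "target": f"{ref.get('namespace', '')}/{ref.get('resource', '')}",
            "source_ips": ev.get("sourceIPs", []),
        })
    return hits
```

Running it over the sample yields a single hit for default/app-sa listing secrets in kube-system; the allowed request, the denied human user, and the RequestReceived event (no decision yet) are all filtered out, which is the distinction the rule relies on.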
Categories
  • Kubernetes
  • Infrastructure
  • Cloud
Data Sources
  • Kernel
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1613
Created: 2022-09-13