Kubectl Apply Pod from URL

Elastic Detection Rules

Summary
This detection rule monitors execution of the "kubectl apply" command with a URL argument, which is commonly used to apply configurations or deploy resources in a Kubernetes cluster. Attackers might exploit this command to deploy harmful pods or modify existing configurations, risking unauthorized access or data leakage. The rule tracks process executions on Linux systems and generates an alert when the command is run with arguments indicative of potentially malicious activity. It requires data collected by Elastic Defend, integrated through the Elastic Agent, to ensure comprehensive monitoring of endpoint events. The rule carries a risk score of 21 and a low severity level, since it relates to the execution of container management commands that could indicate an attack vector.
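The detection logic described above, as an added Python illustration run over constructed ECS-style process events. This is not the Elastic rule's own query (which is not reproduced on this page); it approximates the stated conditions by flagging Linux process-start events where kubectl's apply subcommand receives a manifest location via -f/--filename that is an http(s) URL. The event field names, the event.type == "start" check and all sample events are assumptions made for this example.

```python
"""Approximate 'kubectl apply' from URL detection over constructed process events.

Added example, not the Elastic rule's query. Events are flat dicts keyed by
ECS-style names (process.name, process.args, host.os.type, event.type); the
field set and the event.type == "start" condition are assumptions.
"""
import re

# A manifest location counts as "from URL" when it is an http(s) scheme.
URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# kubectl flags that name the manifest(s) to apply; both "-f X" and "-f=X" forms.
FILE_FLAGS = ("-f", "--filename")


def manifest_sources(args):
    """Return every manifest location passed to kubectl via -f/--filename.

    Handles '-f URL', '-f=URL', '--filename URL', '--filename=URL' and
    comma-separated lists ('-f a.yaml,b.yaml'), as kubectl accepts them.
    """
    sources = []
    i = 0
    while i < len(args):
        arg = args[i]
        value = None
        if arg in FILE_FLAGS and i + 1 < len(args):
            value = args[i + 1]   # separate-argument form
            i += 1
        else:
            for flag in FILE_FLAGS:
                if arg.startswith(flag + "="):
                    value = arg[len(flag) + 1:]   # '=' form
                    break
        if value is not None:
            sources.extend(v for v in value.split(",") if v)
        i += 1
    return sources


def is_kubectl_apply_from_url(event):
    """True when a Linux process start is 'kubectl apply' with a URL manifest."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") != "kubectl":
        return False
    args = event.get("process.args", [])
    if "apply" not in args:
        return False
    return any(URL_RE.match(src) for src in manifest_sources(args))


# Constructed sample events (not real telemetry). 192.0.2.0/24 is a
# documentation range and example.invalid is a reserved test name.
SAMPLE_EVENTS = [
    {"event.id": "e1", "event.type": "start", "host.os.type": "linux",
     "process.name": "kubectl",
     "process.args": ["kubectl", "apply", "-f", "https://example.invalid/pod.yaml"]},
    {"event.id": "e2", "event.type": "start", "host.os.type": "linux",
     "process.name": "kubectl",
     "process.args": ["kubectl", "apply", "-f", "./pod.yaml"]},
    {"event.id": "e3", "event.type": "start", "host.os.type": "linux",
     "process.name": "kubectl",
     "process.args": ["kubectl", "--context", "prod", "apply",
                      "--filename=http://192.0.2.10:8080/deploy.yaml"]},
    {"event.id": "e4", "event.type": "start", "host.os.type": "linux",
     "process.name": "kubectl", "process.args": ["kubectl", "get", "pods"]},
    # Manifest read from stdin: no URL is visible in the process arguments.
    {"event.id": "e5", "event.type": "start", "host.os.type": "linux",
     "process.name": "kubectl", "process.args": ["kubectl", "apply", "-f", "-"]},
    # Out of scope for a Linux-only rule.
    {"event.id": "e6", "event.type": "start", "host.os.type": "windows",
     "process.name": "kubectl",
     "process.args": ["kubectl", "apply", "-f", "https://example.invalid/pod.yaml"]},
]


def find_alerts(events):
    """Return the event.id of every event that satisfies the detection."""
    return [e["event.id"] for e in events if is_kubectl_apply_from_url(e)]


if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))   # ['e1', 'e3']
```

Event e5 shows a coverage limit worth knowing when tuning: a manifest delivered on stdin leaves no URL in kubectl's own arguments, so this logic only sees the URL if the telemetry also records the producing process (for example the parent or the other side of the pipe). Pairing this rule with network or parent-process context closes that gap.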
Categories
  • Kubernetes
  • Containers
  • Endpoint
  • Cloud
  • Linux
Data Sources
  • Process
  • Container
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1610
  • T1609
Created: 2025-06-27