Kubernetes Azure detect RBAC authorization by account

Splunk Security Content

Summary
This detection rule monitors Kubernetes Role-Based Access Control (RBAC) authorizations associated with user accounts in Azure Kubernetes Service (AKS). Using Kubernetes audit logs, it identifies requests in which an account's action was authorized for a specific recorded reason, helping to uncover potentially malicious activity within the cluster. The search uses the `kubernetes_azure` category and filters the logs on `annotations.authorization.k8s.io/reason`. It then aggregates the occurrences of each authorization action by user, so analysts can surface rare or otherwise significant usage patterns per account. Because not all RBAC permissions are inherently malicious, the rule is a broad analytical aid that informs investigations into user roles and permissions rather than a high-confidence alert on its own.
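The following is an added example, not the rule's own Splunk search: it applies the same logic in Python to constructed audit events (filter on the `authorization.k8s.io/reason` annotation, count each action per user, then surface the combinations a user exercised only rarely). The sample events are in the `audit.k8s.io/v1` Event shape and are assumed to be already unwrapped from the Azure diagnostic envelope; usernames, bindings and resources are made up.

```python
import json
from collections import Counter, defaultdict

REASON_KEY = "authorization.k8s.io/reason"
DECISION_KEY = "authorization.k8s.io/decision"

# Constructed sample audit events (JSON lines) in the audit.k8s.io/v1 Event shape;
# assumed already unwrapped from the Azure diagnostic envelope. Not real cluster data.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"default"},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"dev-view/default\" of ClusterRole \"view\" to User \"alice@example.com\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"default"},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"dev-view/default\" of ClusterRole \"view\" to User \"alice@example.com\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:prod:ci-bot"},"objectRef":{"resource":"deployments","namespace":"prod"},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"ci-deploy/prod\" of Role \"deployer\" to ServiceAccount \"ci-bot/prod\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"bob@example.com"},"objectRef":{"resource":"clusterrolebindings"},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cluster-admin\" of ClusterRole \"cluster-admin\" to Group \"system:masters\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"healthz"}}
"""


def parse_events(raw):
    """Keep only events carrying an authorization reason; flatten the fields the rule aggregates on."""
    events = []
    for line in raw.strip().splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the whole batch
        annotations = ev.get("annotations") or {}
        if REASON_KEY not in annotations:
            continue  # no RBAC decision recorded for this request (e.g. the healthz probe above)
        events.append({
            "user": (ev.get("user") or {}).get("username", "<unknown>"),
            "verb": ev.get("verb"),
            "resource": (ev.get("objectRef") or {}).get("resource"),
            "decision": annotations.get(DECISION_KEY),
            "reason": annotations[REASON_KEY],
        })
    return events


def aggregate_by_user(events):
    """Count each (verb, resource, reason) combination per user, mirroring the aggregation the summary describes."""
    per_user = defaultdict(Counter)
    for e in events:
        per_user[e["user"]][(e["verb"], e["resource"], e["reason"])] += 1
    return per_user


def rare_patterns(per_user, max_count=1):
    """Return (user, verb, resource, reason, count) rows seen at most max_count times: the rows an analyst reviews first."""
    return sorted((user, verb, resource, reason, n)
                  for user, counts in per_user.items()
                  for (verb, resource, reason), n in counts.items() if n <= max_count)
```

Run on the sample, `rare_patterns(aggregate_by_user(parse_events(SAMPLE_AUDIT_LOG)))` keeps the one-off `clusterrolebindings` creation authorized through `cluster-admin` and the CI deployment, while alice's repeated `list pods` drops out.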
Categories
  • Kubernetes
  • Cloud
  • Azure
Data Sources
  • Kernel
  • Cloud Service
  • Container
Created: 2024-11-14