
Kubernetes Direct API Request via Curl or Wget

Elastic Detection Rules

Summary
This detection rule monitors for the execution of 'curl' or 'wget' commands that access Kubernetes API endpoints, which may signify unauthorized interactions with Kubernetes resources. The focus is on the gathering of sensitive information such as secrets and config maps without the official 'kubectl' tooling, activity that may be carried out by adversaries. The rule uses EQL (Event Query Language) to analyze process events on Linux systems, targeting processes started as 'curl' or 'wget' that attempt to reach specific Kubernetes API endpoints for secrets and other resources. The rule triggers when any such command is executed and carries a medium risk score, indicating a moderate level of concern for potential compromise. The rule supports the Elastic Defend integration, which must be configured according to the prerequisites laid out in the setup section; enabling this integration improves detection coverage in cloud workload and traditional endpoint environments.
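The detection logic the summary describes, as an added Python example that is not the Elastic rule's own EQL: it approximates the rule's conditions (a Linux process start of curl or wget with an argument pointing at a Kubernetes API secrets or configmaps path) and runs them over constructed process events. The exact path patterns, the event field names and the sample events are assumptions, not taken from the rule.

```python
import re
from typing import Iterable

# Assumption: the real rule's EQL is not reproduced here; this mirrors only the
# behaviour the summary describes (curl/wget reaching secrets or configmaps endpoints).
TOOLS = {"curl", "wget"}

# Kubernetes API paths for secrets and config maps, cluster-wide or namespaced
# (assumed pattern, e.g. /api/v1/secrets or /api/v1/namespaces/<ns>/configmaps/<name>).
K8S_SENSITIVE_PATH = re.compile(
    r"/api/v1(?:/namespaces/[^/\s]+)?/(?:secrets|configmaps)\b"
)


def is_k8s_api_request(event: dict) -> bool:
    """Return True if a process event looks like curl/wget querying the
    Kubernetes API for secrets or config maps (the condition the rule fires on)."""
    if event.get("os") != "linux" or event.get("event_type") != "start":
        return False
    # Compare on the executable's basename so /usr/bin/curl and curl both match.
    name = event.get("process_name", "").rsplit("/", 1)[-1]
    if name not in TOOLS:
        return False
    # The URL may be a positional argument or follow a flag, so check every arg.
    return any(K8S_SENSITIVE_PATH.search(arg) for arg in event.get("args", []))


def scan(events: Iterable[dict]) -> list:
    """Return the ids of the events that would trigger the detection."""
    return [e["id"] for e in events if is_k8s_api_request(e)]


# Constructed sample process events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"id": "e1", "os": "linux", "event_type": "start", "process_name": "/usr/bin/curl",
     "args": ["curl", "-k", "-H", "Authorization: Bearer <token-placeholder>",
              "https://10.0.0.1:6443/api/v1/namespaces/kube-system/secrets"]},
    {"id": "e2", "os": "linux", "event_type": "start", "process_name": "wget",
     "args": ["wget", "-qO-", "https://example.com/index.html"]},
    {"id": "e3", "os": "linux", "event_type": "start", "process_name": "/usr/bin/kubectl",
     "args": ["kubectl", "get", "secrets", "-A"]},  # official tooling: not in scope
    {"id": "e4", "os": "linux", "event_type": "start", "process_name": "wget",
     "args": ["wget", "--no-check-certificate", "-O-",
              "https://kubernetes.default.svc/api/v1/configmaps"]},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # ['e1', 'e4']
```

Tuning the path pattern (for instance to cover other resource types the rule names) is where false positives from legitimate in-cluster health checks would be managed.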
Categories
  • Endpoint
  • Containers
  • Kubernetes
Data Sources
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1613
Created: 2025-06-23