
Summary
This detection rule identifies the creation of Kubernetes CronJobs, the scheduled tasks of the Kubernetes container orchestration platform. By monitoring API calls for object creation, specifically those whose resource is categorized as cronjobs, the rule aims to detect potentially unauthorized or malicious scheduling activity within a Kubernetes cluster. The underlying logic queries application data about CronJob resource creations using Splunk syntax. The query highlights the importance of sandboxing and isolating workloads while keeping observability over application events. Key data points captured include timestamps, user actions, request URIs, and various user identifiers, giving a comprehensive view of the context in which a CronJob creation event occurs. The rule is rooted in the MITRE ATT&CK technique T1053.007, which covers container orchestration jobs used to execute scheduled tasks and establish persistence. It is particularly useful for detecting anomalies in CronJob activity, offering valuable insight for incident response and security monitoring in Kubernetes environments.
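As an added example that is not the rule's own Splunk query, the same selection logic in Python over a few constructed Kubernetes audit log events: keep API calls whose verb is create and whose objectRef.resource is cronjobs, and pull out the timestamp, user identifiers and request URI the rule reports. Field names follow the Kubernetes audit.k8s.io/v1 event format; the sample events, namespaces and usernames are constructed.

```python
import json

# Constructed Kubernetes audit events (audit.k8s.io/v1 shape), one JSON object per line.
# Only the second event is a CronJob creation; the others are noise the rule must ignore.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "verb": "get", "requestReceivedTimestamp": "2024-02-09T10:00:01Z",
     "user": {"username": "system:serviceaccount:kube-system:cronjob-controller",
              "groups": ["system:serviceaccounts"]},
     "objectRef": {"resource": "cronjobs", "namespace": "default", "name": "nightly-backup"},
     "requestURI": "/apis/batch/v1/namespaces/default/cronjobs/nightly-backup",
     "responseStatus": {"code": 200}},
    {"kind": "Event", "verb": "create", "requestReceivedTimestamp": "2024-02-09T10:05:42Z",
     "user": {"username": "dev-user", "groups": ["developers", "system:authenticated"]},
     "objectRef": {"resource": "cronjobs", "namespace": "prod", "name": "sync-job"},
     "requestURI": "/apis/batch/v1/namespaces/prod/cronjobs", "responseStatus": {"code": 201}},
    {"kind": "Event", "verb": "create", "requestReceivedTimestamp": "2024-02-09T10:06:00Z",
     "user": {"username": "dev-user", "groups": ["developers"]},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7f9c"},
     "requestURI": "/api/v1/namespaces/prod/pods", "responseStatus": {"code": 201}},
])

def parse_audit_lines(text):
    """Yield parsed audit events, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken line must not abort the whole search

def detect_cronjob_creations(text):
    """Return one finding per API call that creates a cronjobs resource."""
    findings = []
    for ev in parse_audit_lines(text):
        obj = ev.get("objectRef") or {}
        if ev.get("verb") != "create" or obj.get("resource") != "cronjobs":
            continue
        user = ev.get("user") or {}
        findings.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": user.get("username"),
            "groups": user.get("groups", []),
            "namespace": obj.get("namespace"),
            "name": obj.get("name"),
            "request_uri": ev.get("requestURI"),
            "status": (ev.get("responseStatus") or {}).get("code"),
        })
    return findings

if __name__ == "__main__":
    for f in detect_cronjob_creations(SAMPLE_AUDIT_LOG):
        print(f"CronJob created: {f['namespace']}/{f['name']} by {f['user']} "
              f"at {f['time']} via {f['request_uri']} (HTTP {f['status']})")
```

The status code is reported rather than filtered on, so denied creation attempts (403) surface alongside successful ones and can be triaged separately.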
Categories
- Kubernetes
- Containers
Data Sources
- Kernel
- Process
- Application Log
ATT&CK Techniques
- T1053.007
Created: 2024-02-09