
Summary
This detection rule identifies anonymous API requests made to Kubernetes API servers across cloud environments including Amazon EKS, Azure AKS, and GCP GKE. In production Kubernetes environments, anonymous access should be disabled to mitigate the risk of unauthorized access to sensitive resources. The detection draws on Kubernetes audit logs and is designed to help administrators identify instances where unauthenticated requests (which Kubernetes attributes to the 'system:anonymous' user) reach the API, which could indicate a security gap. The rule is part of a broader security framework aimed at improving the resilience of Kubernetes deployments against initial access vulnerabilities and is currently marked as experimental. Key steps for responding to an alert include querying API requests made by the anonymous user, analyzing the source IP addresses to determine the access vector, and reviewing related authentication attempts for additional suspicious activity.
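As an added example that is not part of this rule's own search logic, the Python below runs the core of the detection over a constructed set of Kubernetes audit events: it parses JSON-lines audit output, keeps completed requests attributed to 'system:anonymous', and groups them by source IP with the verbs, request URIs and denied-response counts an analyst would look at first. It assumes the records are raw Kubernetes audit `Event` objects in JSON-lines form; the EKS, AKS and GKE log pipelines each wrap these in their own envelope, so unwrapping that envelope is a step the example leaves out. The excluded health-check paths are an assumed tuning choice, since those endpoints are commonly reachable without credentials on a default cluster.

```python
import json
from collections import Counter

# Constructed sample of Kubernetes audit log events (one JSON object per line).
# Illustrative records only, not data from any real cluster. The last line is
# deliberately truncated to show that the parser tolerates a damaged feed.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/default/secrets","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.10"],"responseStatus":{"code":403},"requestReceivedTimestamp":"2026-02-18T10:00:01Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/pods","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.10"],"responseStatus":{"code":403},"requestReceivedTimestamp":"2026-02-18T10:00:02Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/healthz","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.0.0.5"],"responseStatus":{"code":200},"requestReceivedTimestamp":"2026-02-18T10:00:03Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/pods","user":{"username":"kubernetes-admin","groups":["system:masters"]},"sourceIPs":["10.0.0.7"],"responseStatus":{"code":200},"requestReceivedTimestamp":"2026-02-18T10:00:04Z"}
{"kind":"Event","stage":"ResponseStarted","verb":"get","requestURI":"/api/v1/pods","user":{"username":"system:anonymous"},"sourceIPs":["203.0.113.10"],"requestReceivedTimestamp":"2026-02-18T10:00:05Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get"
"""

# Assumed tuning choice: endpoints that are commonly reachable anonymously on a
# default cluster, excluded so the alert focuses on access to real resources.
DEFAULT_EXCLUDED_PATHS = ("/healthz", "/readyz", "/livez", "/version")


def parse_audit_log(text):
    """Parse JSON-lines audit output into a list of event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the feed; skip it
    return events


def anonymous_requests(events, excluded_paths=DEFAULT_EXCLUDED_PATHS):
    """Return completed requests attributed to system:anonymous, minus excluded paths."""
    hits = []
    for ev in events:
        # Each request is logged at ResponseStarted and ResponseComplete; count it once.
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != "system:anonymous":
            continue
        path = ev.get("requestURI", "").split("?", 1)[0]
        if any(path == p or path.startswith(p + "/") for p in excluded_paths):
            continue
        hits.append(ev)
    return hits


def summarize_by_source_ip(events):
    """Group anonymous requests by source IP: count, denied count, verbs and URIs."""
    summary = {}
    for ev in events:
        ip = (ev.get("sourceIPs") or ["unknown"])[0]
        entry = summary.setdefault(
            ip, {"count": 0, "denied": 0, "verbs": Counter(), "uris": set()}
        )
        entry["count"] += 1
        entry["verbs"][ev.get("verb", "?")] += 1
        entry["uris"].add(ev.get("requestURI", ""))
        # A 4xx here means RBAC refused the anonymous caller; a 2xx on a resource
        # path is the case that most needs follow-up.
        if ev.get("responseStatus", {}).get("code", 0) >= 400:
            entry["denied"] += 1
    return summary


if __name__ == "__main__":
    anon = anonymous_requests(parse_audit_log(SAMPLE_AUDIT_LOG))
    for ip, info in summarize_by_source_ip(anon).items():
        print(f"{ip}: {info['count']} anonymous requests, {info['denied']} denied, "
              f"verbs={dict(info['verbs'])}, uris={sorted(info['uris'])}")
```

The distinction the summary draws between a denied and an allowed anonymous request is worth keeping in the output: a run of 403s from one external address shows someone probing the API server without credentials, while a 200 on a resource path means anonymous authentication is enabled and RBAC granted the request, which is the configuration gap the rule is meant to surface.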
Categories
- Kubernetes
- Cloud
Data Sources
- Kernel
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1190
Created: 2026-02-18