New Kubernetes Service Account Created

Sigma Rules

Summary
This detection rule fires on the creation of a new Kubernetes service account, an event that can indicate an attacker establishing persistence in a cluster. It runs over Kubernetes API server audit logs and selects events whose verb is 'create' and whose target resource is 'serviceaccounts'. Service account creation is worth watching because these accounts are the identities workloads use to talk to the API server: an attacker who can create one, and bind it to a role, gains a durable credential for accessing cluster resources or escalating privileges that survives the loss of the original foothold. Monitoring these events gives security teams an early signal of such activity. The rule is marked experimental, meaning it is still being evaluated and refined, and carries a low severity level, since legitimate deployments, operators and the cluster's own controllers also create service accounts; the low level keeps noise from such benign activity manageable while still recording the event for correlation with other signals.
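The selection the summary describes, run over a few constructed audit events, as an added example (this is not the rule's own source and not code from the Sigma project). The `matches_rule` function is the page's logic: verb 'create' on resource 'serviceaccounts'. The `matches_tuned` function adds tightening that is my assumption, not part of the page's rule: it counts each request once at the `ResponseComplete` stage, requires a 2xx response so denied attempts do not fire as successful creations, and ignores the controller that stamps a `default` service account into every new namespace. The controller's username assumes `--use-service-account-credentials` on the controller-manager; the sample log lines and the `KNOWN_AUTOMATION` set are constructed for this example. For any of this to work, the cluster's audit policy has to log `serviceaccounts` at least at the `Metadata` level.

```python
import json

# Constructed sample Kubernetes audit events (JSON lines), not from a real
# cluster. Field names follow the audit.k8s.io/v1 Event schema.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/serviceaccounts","verb":"create","user":{"username":"jane","groups":["system:authenticated"]},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"backup-agent","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/serviceaccounts/backup-agent","verb":"get","user":{"username":"jane"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"backup-agent"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/staging/serviceaccounts","verb":"create","user":{"username":"system:serviceaccount:kube-system:service-account-controller"},"objectRef":{"resource":"serviceaccounts","namespace":"staging","name":"default"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"create","user":{"username":"jane"},"objectRef":{"resource":"pods","namespace":"prod","name":"shell"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"RequestReceived","requestURI":"/api/v1/namespaces/prod/serviceaccounts","verb":"create","user":{"username":"jane"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"backup-agent"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/serviceaccounts","verb":"create","user":{"username":"intern"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"x"},"responseStatus":{"code":403}}
'''

# Principals that create service accounts as part of normal cluster operation.
# Assumption: the first name applies when the controller-manager runs with
# --use-service-account-credentials; otherwise the creator appears as the
# second. Tune this set to the cluster being monitored.
KNOWN_AUTOMATION = {
    "system:serviceaccount:kube-system:service-account-controller",
    "system:kube-controller-manager",
}


def parse_audit_log(text):
    """Yield one audit Event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def matches_rule(event):
    """The page's selection: verb 'create' on the 'serviceaccounts' resource."""
    return (event.get("verb") == "create"
            and event.get("objectRef", {}).get("resource") == "serviceaccounts")


def matches_tuned(event, automation=KNOWN_AUTOMATION):
    """Added tightening (my assumption, not part of the page's rule)."""
    if not matches_rule(event):
        return False
    if event.get("stage") != "ResponseComplete":
        return False  # RequestReceived entries would double-count a request
    code = event.get("responseStatus", {}).get("code", 0)
    if not 200 <= code < 300:
        return False  # denied or failed creates are a different signal
    username = event.get("user", {}).get("username", "")
    if username in automation and event["objectRef"].get("name") == "default":
        return False  # per-namespace 'default' SA stamped in by the controller
    return True


def run(text, tuned=False):
    """Return the auditIDs of events that fire the detection."""
    check = matches_tuned if tuned else matches_rule
    return [e["auditID"] for e in parse_audit_log(text) if check(e)]


if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE_AUDIT_LOG):
        if matches_tuned(e):
            o = e["objectRef"]
            print(f"{e['auditID']}: {e['user']['username']} created "
                  f"serviceaccount {o['namespace']}/{o['name']} "
                  f"from {e.get('sourceIPs')}")
```

On the sample, the page's selection alone fires four times (the real creation, the controller's `default` account, the `RequestReceived` copy of the same request, and a 403 that never created anything); the tuned version fires once, on `jane` creating `prod/backup-agent`. A denied create is still worth a separate, lower-priority rule, and a new service account becomes much more interesting when followed by a `rolebindings` or `clusterrolebindings` create naming it, which is the correlation the low severity here leaves room for.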
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Kernel
  • Cloud Service
  • Process
Created: 2024-03-26