
Kubernetes Pod Created With HostPID

Elastic Detection Rules

Summary
This rule identifies attempts to create or modify a Kubernetes pod whose spec sets hostPID: true, which places the pod's containers in the host's PID namespace. With HostPID a container can see every process on the node and, when it also runs with elevated permissions (for example as a privileged container or with CAP_SYS_PTRACE), can read their memory and file descriptors or enter their namespaces through /proc, a well-known container-escape path. The rule inspects Kubernetes audit log events for a pod that is created, updated or patched with HostPID enabled, where the authorization decision was allow and the container images are not on an approved list of workloads expected to need HostPID (the allow-list exists to reduce false positives). When the rule fires, review the audit event, the user or service account that issued the request, and the container images involved to decide whether the activity is legitimate. Further investigation steps include reviewing recent changes in the environment, confirming whether the HostPID configuration is actually required, and ensuring that logging and monitoring are in place so future occurrences are detected.
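To make the conditions above concrete, here is the detection logic replayed over a handful of constructed Kubernetes audit events. This is an added example, not the Elastic rule's query or any code from the rule set; the audit events, namespaces, users, image names and the approved-image list are all made up for illustration.

```python
import json
from typing import Any, List, Optional, Tuple

# Assumption (example data, not the rule's own exception list): images that are
# expected to run with hostPID, such as a node monitoring agent.
APPROVED_HOST_PID_IMAGES = {"registry.example.com/monitoring/node-agent:1.0"}

# The rule covers pod creation and both ways of modifying an existing pod.
MODIFYING_VERBS = {"create", "update", "patch"}

# Constructed audit events in the JSON-lines shape of a Kubernetes audit log file
# (audit.k8s.io/v1 Event). Only the fields the detection reads are kept.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:default:ci-deployer"},"objectRef":{"resource":"pods","namespace":"default","name":"debug-shell"},"requestObject":{"kind":"Pod","spec":{"hostPID":true,"containers":[{"name":"sh","image":"docker.io/library/alpine:3.18"}]}},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:monitoring:node-agent"},"objectRef":{"resource":"pods","namespace":"monitoring","name":"node-agent-7x2kq"},"requestObject":{"kind":"Pod","spec":{"hostPID":true,"containers":[{"name":"agent","image":"registry.example.com/monitoring/node-agent:1.0"}]}},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"web","name":"frontend-1"},"requestObject":{"kind":"Pod","spec":{"containers":[{"name":"web","image":"registry.example.com/web/frontend:2.3"}]}},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"default","name":"denied-shell"},"requestObject":{"kind":"Pod","spec":{"hostPID":true,"containers":[{"name":"sh","image":"docker.io/library/busybox:1.36"}]}},"annotations":{"authorization.k8s.io/decision":"forbid"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"patch","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"web","name":"frontend-1"},"requestObject":[{"op":"add","path":"/spec/hostPID","value":true}],"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:default:ci-deployer"},"objectRef":{"resource":"pods","namespace":"default","name":"agent-lookalike"},"requestObject":{"kind":"Pod","spec":{"hostPID":true,"containers":[{"name":"agent","image":"registry.example.com/monitoring/node-agent:1.0"},{"name":"tool","image":"docker.io/library/alpine:3.18"}]}},"annotations":{"authorization.k8s.io/decision":"allow"}}
"""


def _images(spec: dict) -> List[str]:
    """Every image in a pod spec, init containers included."""
    return [c.get("image", "")
            for key in ("initContainers", "containers")
            for c in spec.get(key, [])]


def _host_pid_requested(request_object: Any) -> Tuple[bool, List[str]]:
    """Return (hostPID requested?, images seen) for a full object or a patch body."""
    if isinstance(request_object, dict):          # create/update, or a merge patch
        spec = request_object.get("spec") or {}
        return spec.get("hostPID") is True, _images(spec)
    if isinstance(request_object, list):          # RFC 6902 JSON Patch body
        hit = any(op.get("op") in ("add", "replace")
                  and op.get("path") == "/spec/hostPID"
                  and op.get("value") is True
                  for op in request_object)
        return hit, []                            # a JSON patch carries no image list
    return False, []                              # Metadata-level audit: no body logged


def evaluate(event: dict) -> Optional[dict]:
    """Apply the rule's conditions to one audit event; return alert fields or None."""
    if event.get("verb") not in MODIFYING_VERBS:
        return None
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "pods":
        return None
    annotations = event.get("annotations") or {}
    if annotations.get("authorization.k8s.io/decision") != "allow":
        return None
    host_pid, images = _host_pid_requested(event.get("requestObject"))
    if not host_pid:
        return None
    # Suppress only when every image is approved: one approved sidecar next to an
    # unknown image must not silence the alert.
    if images and all(img in APPROVED_HOST_PID_IMAGES for img in images):
        return None
    return {
        "namespace": ref.get("namespace"),
        "pod": ref.get("name"),
        "verb": event["verb"],
        "user": (event.get("user") or {}).get("username"),
        "images": images,
    }


def run_detection(audit_log: str) -> List[dict]:
    """Run the rule over a JSON-lines audit log and collect the alerts."""
    alerts = []
    for line in audit_log.splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_AUDIT_LOG):
        print(alert)
```

Running it flags debug-shell (unknown image), the patch of frontend-1 (hostPID added to an existing pod) and agent-lookalike (an approved image used as cover for an unapproved one); the approved agent, the pod without hostPID and the forbidden request are not reported. Two caveats matter when deploying logic like this: the audit policy must record pods at the Request or RequestResponse level, otherwise requestObject is absent and nothing can match; and an authorization decision of allow only means the caller was authorized, not that the API server accepted the object. spec.hostPID is immutable on a running pod, so the patch above would be rejected by validation, but the attempt is still logged and still worth an alert.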
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
Data Sources
  • Pod
  • Container
  • User Account
ATT&CK Techniques
  • T1611 (Escape to Host)
  • T1610 (Deploy Container)
Created: 2022-07-05