
Summary
Identifies suspicious usage of the unshare command to manipulate Linux namespaces within container environments. The detection rule triggers on process start events where the executable is unshare, the action is exec, and the process is within a container. It filters out known benign parents and common legitimate usage patterns (e.g., udevadm, systemd-udevd, snap-related activity, Java processes) to reduce false positives. When matched, it highlights potential privilege escalation or container escape attempts, aligning with MITRE techniques T1543 (Create or Modify System Process) and T1611 (Escape to Host). The accompanying investigation guidance covers triage, validation, remediation, and correlation with other alerts to determine impact and containment steps.
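The matching logic described above, implemented as an added example that is not the rule's own query language or the vendor's code. It evaluates constructed process-start events with the conditions the summary lists (executable is unshare, action is exec, process is inside a container) and drops the benign parents it names. The event field names, the exact parent basenames used for the exclusions and the treatment of "snap-related activity" as any parent executable under /snap/ are assumptions made for this example; a real pipeline would map them from its own schema and exclusion list.

```python
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process event. Field names are an assumption for this example."""
    event_id: str
    event_type: str         # "start" for process creation
    action: str             # "exec" when a new image is executed
    executable: str         # full path of the started binary
    parent_name: str        # basename of the parent process
    parent_executable: str  # full path of the parent process
    container_id: str       # empty string when not running in a container


# Parents the summary names as benign (assumed basenames).
BENIGN_PARENTS = {"udevadm", "systemd-udevd", "java"}
# "snap-related activity" is modelled as a parent installed under /snap/ (assumption).
SNAP_PATH_PREFIX = "/snap/"

ATTACK_TECHNIQUES = ["T1543", "T1611"]  # from the rule's ATT&CK mapping


def matches_unshare_rule(ev: ProcessEvent) -> bool:
    """Return True when the event satisfies every condition of the rule."""
    if ev.event_type != "start" or ev.action != "exec":
        return False
    if os.path.basename(ev.executable) != "unshare":
        return False
    if not ev.container_id:              # only processes inside a container
        return False
    if ev.parent_name in BENIGN_PARENTS:  # known benign parents
        return False
    if ev.parent_executable.startswith(SNAP_PATH_PREFIX):
        return False
    return True


def evaluate(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """Run the rule over a batch of events and build one alert per match."""
    alerts = []
    for ev in events:
        if matches_unshare_rule(ev):
            alerts.append({
                "event_id": ev.event_id,
                "container_id": ev.container_id,
                "parent": ev.parent_name,
                "techniques": ATTACK_TECHNIQUES,
            })
    return alerts


# Constructed sample events; container ids and paths are illustrative only.
SAMPLE_EVENTS = [
    # unshare spawned by an interactive shell inside a container: should alert
    ProcessEvent("evt-1", "start", "exec", "/usr/bin/unshare",
                 "bash", "/usr/bin/bash", "c0ffee01"),
    # unshare under udevadm inside a container: excluded as a benign parent
    ProcessEvent("evt-2", "start", "exec", "/usr/bin/unshare",
                 "udevadm", "/usr/bin/udevadm", "c0ffee01"),
    # unshare on the host (no container id): out of scope for this rule
    ProcessEvent("evt-3", "start", "exec", "/usr/bin/unshare",
                 "bash", "/usr/bin/bash", ""),
    # unshare launched by a snap-installed parent: excluded
    ProcessEvent("evt-4", "start", "exec", "/usr/bin/unshare",
                 "snap-helper", "/snap/example/1/bin/helper", "c0ffee02"),
    # process end event for unshare: wrong event type, no alert
    ProcessEvent("evt-5", "end", "exec", "/usr/bin/unshare",
                 "bash", "/usr/bin/bash", "c0ffee02"),
    # unshare under a Java process inside a container: excluded
    ProcessEvent("evt-6", "start", "exec", "/usr/bin/unshare",
                 "java", "/usr/lib/jvm/bin/java", "c0ffee03"),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only evt-1 produces an alert; the other five events each fail exactly one condition, which is a convenient way to check that an exclusion list does not silently swallow the true positive when it is later extended.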
Categories
- Endpoint
- Containers
- Linux
Data Sources
- Process
- Container
ATT&CK Techniques
- T1543
- T1611
Created: 2026-05-01