
Mount Launched Inside a Privileged Container

Elastic Detection Rules

Summary
This detection rule identifies the unauthorized use of the `mount` utility within privileged containers, flagging activity associated with privilege escalation and container escapes. The `mount` command attaches file systems and directories; when it is executed in a privileged container (one that inherits the capabilities of the host system), an attacker can use it to reach sensitive host files. The rule uses EQL (Event Query Language) to match events in which the `mount` command is executed under specific parameters, raising alerts that warrant further investigation. Detailed investigation steps cover analyzing the execution context, reviewing the container configuration, and assessing whether the action was legitimate or malicious. The rule also includes guidance on distinguishing false positives from legitimate use cases, such as maintenance tasks or development workflows, and outlines structured incident response steps to mitigate any identified risk. Overall, the rule adds a layer of security to containerized environments by detecting potential exploitation points before attackers can leverage them.
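As an added illustration of the logic the summary describes (this is example code, not the rule's own EQL, which is not reproduced here), the following Python matcher applies the same conditions to constructed process events; the ECS-style field names and the flat dotted-key layout are assumptions:

```python
"""Reference matcher for the rule above (added example, not Elastic's code).
Assumed ECS-style fields: event.category, event.type, process.name,
process.args, container.id, container.security_context.privileged.
Events are flat dicts with dotted keys, as many shippers emit them."""


def is_privileged_mount(event: dict) -> bool:
    """True when a `mount` process starts inside a privileged container."""
    return (
        event.get("event.category") == "process"
        and event.get("event.type") == "start"
        and event.get("process.name") == "mount"
        # only processes that ran inside a container are in scope...
        and bool(event.get("container.id"))
        # ...and only when that container was started privileged
        and event.get("container.security_context.privileged") is True
    )


def find_alerts(events: list) -> list:
    """Return triage-ready records for every event the rule matches."""
    return [
        {"container.id": ev["container.id"],
         "process.args": ev.get("process.args", [])}
        for ev in events
        if is_privileged_mount(ev)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # mount started in a privileged container: should alert
        "event.category": "process", "event.type": "start",
        "process.name": "mount",
        "process.args": ["mount", "/dev/sdb1", "/mnt/data"],
        "container.id": "c1",
        "container.security_context.privileged": True,
    },
    {  # same command in an unprivileged container: no alert
        "event.category": "process", "event.type": "start",
        "process.name": "mount", "container.id": "c2",
        "container.security_context.privileged": False,
    },
    {  # mount on the host itself (no container.id): out of scope
        "event.category": "process", "event.type": "start",
        "process.name": "mount",
        "container.security_context.privileged": True,
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The `process.args` carried in each alert is what an analyst would inspect first when deciding whether the mount was routine maintenance or something that warrants the response steps the rule describes.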
Categories
  • Containers
  • Linux
Data Sources
  • Container
  • Process
ATT&CK Techniques
  • T1611
Created: 2023-10-26