Cisco Isovalent - Nsenter Usage in Kubernetes Pod

Splunk Security Content

Summary
This detection rule identifies execution of the 'nsenter' utility inside a Kubernetes pod as a potential indicator of container escape or privilege escalation. 'nsenter' enters the namespaces of another process; from a pod that shares the host PID namespace (hostPID: true) an attacker can target the host's init process (PID 1) and run commands inside the host's mount, network and other namespaces, effectively leaving the container. Attackers exploit misconfigured pods (for example those granted hostPID, privileged mode, or broad hostPath mounts) to reach sensitive parts of the underlying node. The rule uses the 'WorkloadAncestorsBinary' field to trace the process lineage and give context to the nsenter invocation. It relies on process execution data generated by Cisco Isovalent Runtime Security, so that telemetry must be configured to capture process exec events for the relevant pods. When triaging an alert, establish the context (which pod and container image, what the ancestor processes were, and which process and namespaces nsenter targeted); legitimate uses of nsenter inside a pod are extremely rare.
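The following is an added example of the rule's logic applied to sample process execution events; it is not the Splunk Security Content search or Cisco Isovalent code. The event field names (binary, arguments, pod, WorkloadAncestorsBinary) are an assumption modelled loosely on Isovalent/Tetragon process_exec events, the events themselves are constructed, and the extra check for a target of PID 1 (the host init process) is a triage aid added here, not part of the page's rule.

```python
#!/usr/bin/env python3
"""Toy re-implementation of "nsenter executed inside a Kubernetes pod".

Added example. Field names are an assumption loosely following
Isovalent/Tetragon process_exec events; all events below are constructed.
"""
import os
import shlex

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: a shell inside a pod listing a directory
        "pod": "web-7d9f", "namespace": "prod", "container": "web",
        "binary": "/bin/ls", "arguments": "-la /app",
        "WorkloadAncestorsBinary": ["/usr/bin/containerd-shim-runc-v2", "/bin/bash"],
    },
    {   # classic escape from a hostPID pod: join every namespace of host PID 1
        "pod": "debug-5c2a", "namespace": "default", "container": "debug",
        "binary": "/usr/bin/nsenter", "arguments": "-t 1 -m -u -i -n -p -- /bin/bash",
        "WorkloadAncestorsBinary": ["/usr/bin/containerd-shim-runc-v2", "/bin/sh"],
    },
    {   # nsenter in a pod targeting some other PID: still a finding, lower severity
        "pod": "net-tools-91ab", "namespace": "ops", "container": "tools",
        "binary": "/usr/bin/nsenter", "arguments": "--target=4321 --net ip addr",
        "WorkloadAncestorsBinary": ["/usr/bin/containerd-shim-runc-v2", "/bin/bash"],
    },
    {   # nsenter run directly on the node over SSH, no pod context: out of scope
        "pod": "", "namespace": "", "container": "",
        "binary": "/usr/bin/nsenter", "arguments": "-t 1 -n ss -lntp",
        "WorkloadAncestorsBinary": ["/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/bin/bash"],
    },
]


def is_nsenter(event):
    """Match on the executable's basename so /usr/bin/nsenter and a copied
    ./nsenter both hit. A renamed copy of the binary will not match; that is
    a known blind spot of any name-based rule."""
    return os.path.basename(event.get("binary", "")) == "nsenter"


def nsenter_target_pid(arguments):
    """Return the PID named by -t/--target, or None.

    Handles '-t 1', '-t1', '--target 1' and '--target=1'. Parsing stops at
    '--' so arguments of the command being executed are not mistaken for
    nsenter's own options."""
    tokens = shlex.split(arguments)
    for i, tok in enumerate(tokens):
        if tok == "--":
            break
        if tok in ("-t", "--target"):
            if i + 1 < len(tokens):
                return tokens[i + 1]
        elif tok.startswith("--target="):
            return tok.split("=", 1)[1]
        elif tok.startswith("-t") and not tok.startswith("--") and len(tok) > 2:
            return tok[2:]
    return None


def detect(events):
    """Apply the rule: any nsenter exec'd inside a pod is a finding.

    Each finding carries the ancestry chain (WorkloadAncestorsBinary plus the
    nsenter binary itself) and a severity that is raised when the target is
    PID 1, i.e. the host init process (added triage aid, an assumption)."""
    findings = []
    for ev in events:
        if not ev.get("pod") or not is_nsenter(ev):
            continue
        target = nsenter_target_pid(ev.get("arguments", ""))
        findings.append({
            "pod": ev["pod"],
            "namespace": ev["namespace"],
            "container": ev["container"],
            "ancestry": " -> ".join(ev.get("WorkloadAncestorsBinary", []) + [ev["binary"]]),
            "target_pid": target,
            "severity": "high" if target == "1" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['namespace']}/{f['pod']} ({f['container']}): "
              f"{f['ancestry']} target_pid={f['target_pid']}")
```

The node-level event is deliberately excluded: the rule is scoped to pods, and an administrator running nsenter over SSH on the node is a different (and far more common) activity. When an alert fires, the ancestry string is the first thing to read: a shell spawned by the container runtime shim that then runs nsenter with -t 1 is the textbook escape pattern described above.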
Categories
  • Kubernetes
  • Containers
  • Cloud
  • Infrastructure
Data Sources
  • Pod
  • Container
  • Process
ATT&CK Techniques
  • T1543
Created: 2026-01-05