Potential Privilege Escalation through Writable Docker Socket

Elastic Detection Rules

Summary
This rule detects potential privilege escalation attempts on Linux systems via writable Docker runtime sockets. The Docker socket carries communication between the Docker client and the daemon, and access to it is normally restricted to the root user and specific groups. An attacker who can write to the socket can create and run containers with elevated privileges and gain unauthorized access to the host file system. The detection logic uses event queries to monitor Docker and Socat processes that interact with the socket while being executed by non-root users. When such behavior is observed, the rule raises an alert so that the activity can be investigated and responded to as a potential privilege escalation threat.
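The following is an added illustration of the detection logic described above, written for this page and not taken from the Elastic rule itself. It assumes a simplified process event (process name, command line, user id), two common socket paths (/var/run/docker.sock and /run/docker.sock), and the two process names the summary mentions; the real rule's field names, socket list and query syntax may differ. A small mode-bit check is included as a host-side companion: Docker's default socket mode is 0660 root:docker, so a world-writable socket is a clear misconfiguration worth alerting on separately.

```python
"""Added example: flag Docker/Socat processes that touch a Docker socket while running as a non-root user."""
import re
import stat
from dataclasses import dataclass
from typing import Iterable, List

# Assumed socket paths; the production rule may use a different or longer list.
DOCKER_SOCKET_RE = re.compile(r"(?:/var/run|/run)/docker\.sock\b")

# Process names named in the rule summary (docker and socat); other clients are out of scope here.
WATCHED_PROCESSES = {"docker", "socat"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal, constructed stand-in for a process start event."""
    process_name: str
    args: str        # full command line as observed
    user_id: int     # effective uid; 0 is root
    user_name: str


def references_docker_socket(args: str) -> bool:
    """True when the command line names a Docker socket path."""
    return DOCKER_SOCKET_RE.search(args) is not None


def is_non_root_socket_access(ev: ProcessEvent) -> bool:
    """Core condition of the rule: watched process + socket path in args + non-root user."""
    return (
        ev.process_name in WATCHED_PROCESSES
        and ev.user_id != 0
        and references_docker_socket(ev.args)
    )


def scan(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that would raise an alert."""
    return [ev for ev in events if is_non_root_socket_access(ev)]


def socket_is_world_writable(mode: int) -> bool:
    """Host-side companion check on the socket's permission bits.

    Docker's default is 0660 root:docker. Membership in the docker group is
    already effectively root-equivalent, so this only flags the stricter
    misconfiguration of an 'other'-writable socket (assumed check, not part of the rule).
    """
    return bool(mode & stat.S_IWOTH)


# Constructed sample events; none of these are real captured telemetry.
SAMPLE_EVENTS = [
    # root using the socket: expected, not flagged
    ProcessEvent("docker", "docker -H unix:///var/run/docker.sock ps", 0, "root"),
    # unprivileged user driving the daemon through the socket: flagged
    ProcessEvent("docker", "docker -H unix:///var/run/docker.sock ps", 1001, "alice"),
    # unprivileged user talking to the socket directly with socat: flagged
    ProcessEvent("socat", "socat - UNIX-CONNECT:/run/docker.sock", 1001, "alice"),
    # unprivileged docker invocation that never names a socket path: not flagged
    ProcessEvent("docker", "docker --version", 1001, "alice"),
    # a client outside the watched set: not flagged by this rule as described
    ProcessEvent("curl", "curl --unix-socket /var/run/docker.sock http://localhost/info", 1001, "alice"),
]


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT uid={ev.user_id} ({ev.user_name}) {ev.process_name}: {ev.args}")
    print("socket 0o660 world-writable?", socket_is_world_writable(0o660))
    print("socket 0o666 world-writable?", socket_is_world_writable(0o666))
```

The last sample event shows a gap a practitioner should keep in mind: a rule scoped to the docker and socat binaries will not see other clients (curl, a Python script) that speak to the socket directly, so the socket permission check and file-access telemetry on the socket path are useful complements.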
Categories
  • Endpoint
  • Linux
  • Containers
Data Sources
  • Process
  • File
  • Network Traffic
ATT&CK Techniques
  • T1611
Created: 2023-07-25