
Summary
The rule 'Kubernetes Pod with Dangerous Linux Capabilities' addresses the security risks of deploying Kubernetes pods that request dangerous Linux capabilities such as SYS_ADMIN, NET_ADMIN, or BPF. These capabilities can enable privilege escalation, container escape, or unauthorized access to host resources, which makes them attractive to attackers seeking to bypass security restrictions. Detection is implemented on audit logs from several cloud service providers, namely Amazon EKS, Azure Monitor, and GCP, identifying pod creation events whose specifications include these risky capabilities. Security teams are prompted to analyze the user's activity and the capabilities that were granted, distinguishing malicious intent from a legitimate business purpose. The rule includes a step-by-step runbook for responding to alerts, ensuring a systematic review of potentially dangerous deployments.
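As an added illustration of the detection logic described above (example code, not the rule's own implementation), the following Python detector applies the rule to kube-apiserver audit events in JSON-lines form, the format EKS forwards to CloudWatch. It assumes the audit policy records request bodies (Request or RequestResponse level) so that `requestObject` is present, treats `ALL` as dangerous in addition to the three capabilities the rule names, and runs over constructed sample events.

```python
import json

# Capabilities named by the rule (SYS_ADMIN, NET_ADMIN, BPF). "ALL" is an added
# assumption: adding ALL grants every capability, including those three.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "BPF", "ALL"}

def dangerous_caps_in_pod(event: dict) -> dict:
    """Map container name -> sorted dangerous caps added by a pod-create audit event."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return {}
    spec = event.get("requestObject", {}).get("spec", {})
    findings = {}
    # init, regular and ephemeral containers can each carry their own securityContext
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            caps = ((c.get("securityContext") or {}).get("capabilities") or {}).get("add") or []
            # normalise: upper-case and strip an optional CAP_ prefix before comparing
            hits = sorted({cap.upper().removeprefix("CAP_") for cap in caps} & DANGEROUS_CAPS)
            if hits:
                findings[c["name"]] = hits
    return findings

def scan_audit_log(lines) -> list:
    """Scan JSON-lines audit events; return one alert per flagged pod (who, where, which caps)."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = dangerous_caps_in_pod(ev)
        if hits:
            alerts.append({
                "user": ev.get("user", {}).get("username"),
                "namespace": ev.get("objectRef", {}).get("namespace"),
                "pod": ev.get("requestObject", {}).get("metadata", {}).get("name"),
                "capabilities": hits,
            })
    return alerts

# Constructed sample audit log (not real data): a hardened pod, a pod adding
# SYS_ADMIN/NET_ADMIN/BPF across init and app containers, and a read to ignore.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","verb":"create","user":{"username":"ci-bot"},"objectRef":{"resource":"pods","namespace":"prod"},"requestObject":{"metadata":{"name":"web"},"spec":{"containers":[{"name":"app","securityContext":{"capabilities":{"drop":["ALL"]}}}]}}}
{"kind":"Event","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"default"},"requestObject":{"metadata":{"name":"netdebug"},"spec":{"initContainers":[{"name":"setup","securityContext":{"capabilities":{"add":["SYS_ADMIN"]}}}],"containers":[{"name":"sniffer","securityContext":{"capabilities":{"add":["NET_ADMIN","CAP_BPF"]}}}]}}}
{"kind":"Event","verb":"get","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"default"}}
"""
```

Running `scan_audit_log(SAMPLE_AUDIT_LOG.splitlines())` yields a single alert for the `netdebug` pod created by `dev-user`, which is the record the runbook's review of user activity and granted capabilities would start from.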
Categories
- Kubernetes
- Infrastructure
- Cloud
Data Sources
- Pod
- Container
- Process
- Network Traffic
ATT&CK Techniques
- T1611
- T1068
Created: 2026-02-18