Kubernetes Pod With HostPath Volume Mount

Panther Rules

Summary
This detection rule monitors the creation of Kubernetes pods that use hostPath volume mounts. A hostPath volume gives a pod access to the underlying host filesystem, which can lead to privilege escalation and unauthorized access to sensitive data. The rule flags pod creation events where such mounts are present, because a hostPath mount is not a common or recommended pod requirement. To avoid false positives, pods associated with system service accounts within the kube-system namespace are excluded from detection. The rule's severity is moderate because of the risks that come with hostPath mounts, such as potential data exfiltration. The rule provides a structured runbook for responding to detections, which includes reviewing past pod creation events and analyzing the paths of the mounted volumes.
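The logic described in the summary, as an added Python sketch run over constructed audit events; it is not Panther's rule source. It assumes Kubernetes audit-log field names (`verb`, `objectRef`, `requestObject.spec.volumes`, `user.username`) and reads the exclusion as a `system:serviceaccount:kube-system:` username acting in the kube-system namespace.

```python
SA_PREFIX = "system:serviceaccount:kube-system:"  # assumed form of the exclusion

def make_event(user, namespace, volumes, verb="create", subresource=None):
    """Build a constructed audit.k8s.io/v1-style event for the demo."""
    ref = {"resource": "pods", "namespace": namespace, "name": "demo"}
    if subresource:
        ref["subresource"] = subresource
    return {"verb": verb, "user": {"username": user}, "objectRef": ref,
            "requestObject": {"spec": {"volumes": volumes}}}

HOST_LOG = {"name": "logs", "hostPath": {"path": "/var/log"}}
SCRATCH = {"name": "tmp", "emptyDir": {}}

SAMPLE_EVENTS = [  # constructed, not real cluster logs
    make_event("dev@example.com", "default", [SCRATCH, HOST_LOG]),
    make_event(SA_PREFIX + "daemon-set-controller", "kube-system", [HOST_LOG]),
    make_event("dev@example.com", "default", [SCRATCH]),
    make_event("dev@example.com", "default", [HOST_LOG], verb="get"),
    make_event("dev@example.com", "default", [HOST_LOG], subresource="status"),
]

def host_paths(event):
    """Return the host paths requested by the pod spec, if any."""
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return [v["hostPath"].get("path", "") for v in spec.get("volumes") or []
            if isinstance(v, dict) and isinstance(v.get("hostPath"), dict)]

def is_pod_create(event):
    """True only for creation of the pod itself, not reads or subresources."""
    ref = event.get("objectRef") or {}
    return (event.get("verb") == "create" and ref.get("resource") == "pods"
            and not ref.get("subresource"))

def is_excluded(event):
    """kube-system service accounts acting in kube-system are not flagged."""
    ref = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username") or ""
    return ref.get("namespace") == "kube-system" and user.startswith(SA_PREFIX)

def rule(event):
    return is_pod_create(event) and not is_excluded(event) and bool(host_paths(event))

def triage_context(event):
    """Context for triage: creator, namespace and the mounted host paths."""
    return {"user": event["user"]["username"],
            "namespace": event["objectRef"]["namespace"],
            "paths": host_paths(event)}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(triage_context(ev))
```

Only the first constructed event fires; the others cover the excluded service account, a pod with no hostPath volume, a non-create verb, and a subresource request.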
Categories
  • Kubernetes
  • Cloud
  • Infrastructure
  • Containers
  • On-Premise
Data Sources
  • Pod
  • Container
  • Application Log
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1041
  • T1611
Created: 2026-02-18