
Nsenter Execution with Target Flag Inside Container

Elastic Detection Rules

Summary
Detects nsenter executions from inside a monitored Linux container that include a namespace target flag (-t or --target). The rule triggers on a process start where the process name or arguments indicate nsenter and the process runs within a workload that has a non-empty container.id. This pattern is commonly used to enter host or peer namespaces, enabling container escape or host pivoting when combined with privileged mounts, exposed PIDs, or shared namespaces.

The alert supports rapid triage: inspect the full command line, the parent process, and the container lineage (image, pod, namespace, node) to determine whether the nsenter invocation is legitimate or suspicious. Correlate with file, network, and authentication telemetry to identify follow-on access to host resources or runtime sockets. Some legitimate debugging or platform instrumentation may wrap or invoke nsenter; verify provenance and approved procedures before deeming an invocation malicious.

If unauthorized, respond by isolating the workload, preserving artifacts, rotating credentials exposed to the container, and re-imaging affected nodes as needed. To reduce recurrence, enforce least privilege, reduce host namespace sharing, limit hostPath and sensitive mounts, and block unnecessary capabilities. MITRE mapping associates this with T1611 (Escape to Host) under TA0004 Privilege Escalation.
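As an added illustration (not Elastic's rule code or query language), the following Python approximates the detection logic described above over constructed ECS-shaped process events and pulls the triage fields the summary names. The ECS field names, the event helper and all sample values are assumptions.

```python
import re

# Added example, not Elastic's own rule code. It approximates the logic the page
# summarises: a process-start event, nsenter in the process name or arguments,
# a -t/--target flag, and a non-empty container.id. ECS field names are assumed.

# -t may be bundled with other short flags (nsenter uses getopt, so "-mt" == "-m -t");
# the long form is --target or --target=<pid>.
TARGET_FLAG = re.compile(r"^(-[a-z]*t[a-z]*|--target(=.*)?)$")

def has_target_flag(args):
    return any(TARGET_FLAG.match(a) for a in args)

def mentions_nsenter(name, args):
    # process.name or any argv token (e.g. /usr/bin/nsenter) naming the binary.
    return name == "nsenter" or any(a.rsplit("/", 1)[-1] == "nsenter" for a in args)

def matches_rule(event):
    proc = event.get("process", {})
    args = proc.get("args", [])
    started = "start" in event.get("event", {}).get("type", [])
    in_container = bool(event.get("container", {}).get("id"))
    return (started and in_container
            and mentions_nsenter(proc.get("name", ""), args) and has_target_flag(args))

def scan(events):
    # For each hit, return the triage context the page says to inspect first.
    return [{"command_line": " ".join(ev["process"]["args"]),
             "parent": ev["process"].get("parent", {}).get("name"),
             "container": ev["container"]["id"],
             "image": ev["container"].get("image", {}).get("name")}
            for ev in events if matches_rule(ev)]

def make_event(name, args, container_id=None, image=None, parent="sh", etype="start"):
    # Build a constructed ECS-shaped sample event (not real telemetry).
    e = {"event": {"category": ["process"], "type": [etype]},
         "process": {"name": name, "args": args, "parent": {"name": parent}}}
    if container_id:
        e["container"] = {"id": container_id, "image": {"name": image}}
    return e

# Constructed sample events: three should alert, three should not.
SAMPLE_EVENTS = [
    make_event("nsenter", ["nsenter", "-t", "1", "-m", "-u", "-i", "-n", "-p", "--", "bash"],
               "c0ffee01", "debug-tools:latest"),               # hit: enters PID 1's namespaces
    make_event("nsenter", ["/usr/bin/nsenter", "--target=1", "-m", "--", "ls", "/"],
               "c0ffee02", "app:1.2"),                          # hit: long flag with '='
    make_event("nsenter", ["nsenter", "-at", "1", "sh"], "c0ffee03", "app:1.2"),  # hit: bundled -t
    make_event("nsenter", ["nsenter", "--net=/var/run/netns/ns1", "ip", "a"],
               "c0ffee04", "netshoot"),                         # no target flag
    make_event("nsenter", ["nsenter", "-t", "1", "sh"]),        # on the host: no container.id
    make_event("nsenter", ["nsenter", "-t", "1", "sh"], "c0ffee05", "app", etype="end"),  # not a start
]
```

Running `scan(SAMPLE_EVENTS)` yields one alert per container c0ffee01, c0ffee02 and c0ffee03, each carrying the command line, parent process and image for triage.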
Categories
  • Containers
  • Linux
Data Sources
  • Process
ATT&CK Techniques
  • T1611
Created: 2026-03-31