
Summary
This detection rule identifies unauthorized UID change events on Linux hosts that occur through the `nsenter` command, which attackers can use to escape a containerized environment and reach the host system. Such behavior indicates potential privilege escalation or lateral movement within a network. The rule inspects process events for characteristics that suggest `nsenter` is being used to manipulate namespace privileges. This is particularly concerning in managed container infrastructures, where process isolation is critical for security. Investigation steps include confirming the UID change, reviewing the process arguments, and analyzing related log files. Response should involve isolating the suspected process and reviewing access controls to mitigate the risk.
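The following is an added illustration of the kind of process-event check the summary describes, written here as example code rather than the rule's own query; the event field names (`process.name`, `container.id`, `process.command_line`, `user.id`), the sample events, and the heuristic itself (nsenter launched from inside a container, targeting PID 1, requesting a namespace, running as uid 0) are assumptions for the demonstration.

```python
# Constructed example: field names and event shape are assumptions, not the rule's query.
import shlex

# Flags that attach the caller to another process's namespaces.
NAMESPACE_FLAGS = {"-m", "--mount", "-u", "--uts", "-i", "--ipc",
                   "-n", "--net", "-p", "--pid", "-a", "--all"}

def _target_pid(args):
    """Return the PID named by -t/--target (any spelling), or None."""
    for idx, tok in enumerate(args):
        if tok in ("-t", "--target") and idx + 1 < len(args):
            return args[idx + 1]
        if tok.startswith("--target="):
            return tok.split("=", 1)[1]
        if tok.startswith("-t") and tok[2:].isdigit():
            return tok[2:]
    return None

def is_suspicious_nsenter(event):
    """Flag a process event that looks like an nsenter escape attempt.

    Assumed heuristic: nsenter launched from inside a container, targeting
    PID 1 (normally the host init), requesting at least one namespace, and
    running as uid 0 (the UID change the summary refers to).
    """
    if event.get("process.name") != "nsenter" or not event.get("container.id"):
        return False
    args = shlex.split(event.get("process.command_line", ""))
    if _target_pid(args) != "1":
        return False
    if not any(tok in NAMESPACE_FLAGS for tok in args):
        return False
    return event.get("user.id") == "0"

def scan(events):
    """Return the subset of events that trip the heuristic."""
    return [e for e in events if is_suspicious_nsenter(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process.name": "nsenter", "container.id": "abc123",
     "process.command_line": "nsenter -t 1 -m -u -i -n sh", "user.id": "0"},
    {"process.name": "nsenter", "container.id": "",
     "process.command_line": "nsenter -t 4242 -n ss -tlnp", "user.id": "0"},
    {"process.name": "bash", "container.id": "abc123",
     "process.command_line": "bash -c id", "user.id": "1000"},
]

if __name__ == "__main__":
    print([e["process.command_line"] for e in scan(SAMPLE_EVENTS)])
```

Only the first sample event trips the check; the second runs on the host (no container id) against a non-init PID, and the third is not nsenter at all.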
Categories
- Containers
- Endpoint
- Linux
Data Sources
- Process
- Container
ATT&CK Techniques
- T1611
Created: 2024-07-10