
Summary
This rule detects the creation of files named 'release_agent' or 'notify_on_release', two control files of the Linux cgroup release mechanism whose abuse is commonly associated with container escape. In environments running Docker or other container runtimes, this behavior may indicate an attempt to exploit a privilege escalation vulnerability, specifically CVE-2022-0492, in which the release_agent feature is leveraged to execute code on the host system from within a container. The rule focuses on file creation events on Linux hosts, matching on the file name. The guidance rates the detected behavior as low severity, but given the potential for privilege escalation, the associated risk is still non-negligible. The detection is implemented as an EQL (Event Query Language) query over endpoint file events, looking for file name matches within a certain timeframe. The rule is mapped to the MITRE ATT&CK framework under the privilege escalation tactic, technique T1611 (Escape to Host). References for further reading on the vulnerability involved are provided, supporting informed incident response and mitigation.
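The following is an added example, not the rule's own EQL query or any Elastic code: a small Python re-implementation of the file-name match the summary describes, run over a handful of constructed endpoint file events. The field names (`host.os.type`, `event.category`, `event.type`, `file.name`, `file.path`) follow ECS-style conventions and are assumptions, as is the five-minute grouping window used to roll consecutive hits on one host into a single alert; the summary only says the rule matches "within a certain timeframe".

```python
"""Added example: detection of 'release_agent' / 'notify_on_release' file
creation on Linux endpoints, as the rule summary describes.

Not the rule's own query. Field names are ECS-style assumptions and the
sample events below are constructed, not real telemetry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# File names the summary says the rule keys on.
WATCHED_NAMES = frozenset({"release_agent", "notify_on_release"})

# Constructed sample events (not real data). Mixed in are non-matching
# cases: a similarly named file, a deletion, and a non-Linux host.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-04-25T10:00:00Z", "host.name": "node-a", "host.os.type": "linux",
     "event.category": "file", "event.type": "creation",
     "file.name": "release_agent", "file.path": "/mnt/cg/release_agent", "process.name": "sh"},
    {"@timestamp": "2025-04-25T10:00:20Z", "host.name": "node-a", "host.os.type": "linux",
     "event.category": "file", "event.type": "creation",
     "file.name": "notify_on_release", "file.path": "/mnt/cg/notify_on_release", "process.name": "sh"},
    {"@timestamp": "2025-04-25T10:01:00Z", "host.name": "node-b", "host.os.type": "linux",
     "event.category": "file", "event.type": "creation",
     "file.name": "release_notes.txt", "file.path": "/home/dev/release_notes.txt", "process.name": "vim"},
    {"@timestamp": "2025-04-25T10:02:00Z", "host.name": "node-a", "host.os.type": "linux",
     "event.category": "file", "event.type": "deletion",
     "file.name": "release_agent", "file.path": "/mnt/cg/release_agent", "process.name": "rm"},
    {"@timestamp": "2025-04-25T10:03:00Z", "host.name": "win-1", "host.os.type": "windows",
     "event.category": "file", "event.type": "creation",
     "file.name": "release_agent", "file.path": "C:\\tmp\\release_agent", "process.name": "cmd.exe"},
    {"@timestamp": "2025-04-25T10:30:00Z", "host.name": "node-a", "host.os.type": "linux",
     "event.category": "file", "event.type": "creation",
     "file.name": "release_agent", "file.path": "/mnt/cg/release_agent", "process.name": "bash"},
]


@dataclass
class Alert:
    """One alert per host per time window, carrying the events behind it."""
    host: str
    first_seen: datetime
    events: list = field(default_factory=list)

    @property
    def event_count(self) -> int:
        return len(self.events)


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def is_release_agent_creation(event: dict) -> bool:
    """The per-event predicate: Linux host, file creation, watched file name."""
    return (
        event.get("host.os.type") == "linux"
        and event.get("event.category") == "file"
        and event.get("event.type") == "creation"
        and event.get("file.name") in WATCHED_NAMES
    )


def detect(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts; hits on the same host within `window` (assumed value)
    of the alert's first event are grouped so an analyst sees one ticket,
    not one per file touched."""
    alerts: list[Alert] = []
    for ev in sorted(filter(is_release_agent_creation, events), key=_ts):
        last = alerts[-1] if alerts else None
        if last and last.host == ev["host.name"] and _ts(ev) - last.first_seen <= window:
            last.events.append(ev)
        else:
            alerts.append(Alert(host=ev["host.name"], first_seen=_ts(ev), events=[ev]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        paths = ", ".join(e["file.path"] for e in a.events)
        print(f"[T1611] host={a.host} first_seen={a.first_seen:%H:%M:%S} "
              f"events={a.event_count} paths={paths}")
```

Run as a script it prints two alerts for `node-a` (the two creations twenty seconds apart, then the one half an hour later) and nothing for the renamed text file, the deletion, or the Windows host. For triage, `file.path` and `process.name` are the fields worth surfacing in the alert: a legitimate cgroup manager writing these files in the system cgroup mount reads differently from a shell inside a container doing so.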
Categories
- Endpoint
- Containers
- Linux
Data Sources
- File
- Container
ATT&CK Techniques
- T1611
Created: 2025-04-25