
Potential Privilege Escalation via unshare Followed by Root Process
Elastic Detection Rules
Summary
Detects a short sequence where a non-root user performs unshare-related namespace activity (often linked to user namespace privilege escalation primitives) and, shortly afterwards, a root process is spawned. This pattern, observed via Auditd Manager telemetry, can indicate a local privilege escalation attempt or namespace manipulation. The rule targets Linux endpoints by correlating unshare activity and privileged execution within a brief window, and relies on process and kernel-level data (syscalls and their arguments) to identify suspicious activity. It includes guidance for handling false positives from legitimate sandboxing or container tooling, along with triage, investigation steps, and remediation recommendations. References to MITRE ATT&CK T1068 and the Auditd Manager documentation are provided for context.
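The correlation the summary describes, as an added illustration that is not the rule's own query or Elastic's code: a stream of process-start events is scanned for a non-root `unshare` execution followed, on the same host and within a window, by a process recorded with uid 0. The event schema, the 5-second window, the sample events and the `sandbox-helper` allowlist entry are all constructed assumptions for this example; the real rule's field names, window and exception list are defined in its source.

```python
"""Correlate non-root unshare activity with a subsequent root process start.

Added example; the event layout, the window length and the sample data
below are constructed for illustration, not taken from the detection rule.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

@dataclass(frozen=True)
class ProcEvent:
    ts: float      # event time in epoch seconds
    host: str      # endpoint that reported the event
    uid: int       # effective uid recorded for the new process
    pid: int
    parent: str    # parent process name
    name: str      # executable name
    args: str      # command line as logged

# Assumed "brief window"; the real rule defines its own interval.
WINDOW_SECONDS = 5.0

Alert = Tuple[ProcEvent, ProcEvent]  # (unshare event, root process event)


def is_nonroot_unshare(ev: ProcEvent) -> bool:
    """True for an unshare execution by an unprivileged user."""
    return ev.name == "unshare" and ev.uid != 0


def correlate(events: Iterable[ProcEvent], window: float = WINDOW_SECONDS,
              allowed_parents: Optional[Set[str]] = None) -> List[Alert]:
    """Return (unshare, root_exec) pairs seen on one host within `window`.

    `allowed_parents` lists parent process names whose unshare usage is
    considered legitimate (sandboxing or container tooling) and is skipped.
    """
    allowed = allowed_parents or set()
    pending: List[ProcEvent] = []   # non-root unshare events awaiting a match
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        # Forget unshare events that fell outside the correlation window.
        pending = [p for p in pending if ev.ts - p.ts <= window]
        if ev.uid == 0:
            # A root process started: pair it with every pending unshare on
            # the same host, then clear those so each unshare alerts once.
            matched = [p for p in pending if p.host == ev.host]
            alerts.extend((p, ev) for p in matched)
            pending = [p for p in pending if p.host != ev.host]
        elif is_nonroot_unshare(ev) and ev.parent not in allowed:
            pending.append(ev)
    return alerts


# Constructed sample telemetry: one suspicious sequence, one root start that
# arrives too late to correlate, and one sequence from an allowlisted tool.
SAMPLE_EVENTS = [
    ProcEvent(100.0, "web-01", 1000, 4321, "bash", "unshare", "unshare -r -m"),
    ProcEvent(101.5, "web-01", 0, 4322, "unshare", "bash", "bash -i"),
    ProcEvent(200.0, "db-01", 1001, 5100, "bash", "unshare", "unshare -U"),
    ProcEvent(209.0, "db-01", 0, 5200, "cron", "run-parts", "run-parts /etc/cron.hourly"),
    ProcEvent(300.0, "ci-01", 1002, 6100, "sandbox-helper", "unshare", "unshare -r"),
    ProcEvent(300.2, "ci-01", 0, 6101, "sandbox-helper", "tar", "tar xf build.tar"),
]

# Hypothetical allowlist entry standing in for a legitimate sandboxing tool.
ALLOWED_PARENTS = {"sandbox-helper"}


def run_sample() -> List[Alert]:
    """Run the correlation over the constructed sample with the allowlist."""
    return correlate(SAMPLE_EVENTS, allowed_parents=ALLOWED_PARENTS)


if __name__ == "__main__":
    for unshare_ev, root_ev in run_sample():
        print(f"[{unshare_ev.host}] uid {unshare_ev.uid} ran '{unshare_ev.args}' "
              f"(pid {unshare_ev.pid}); root process '{root_ev.args}' "
              f"(pid {root_ev.pid}) started {root_ev.ts - unshare_ev.ts:.1f}s later")
```

With the allowlist applied only the `web-01` sequence alerts; the `db-01` root start is nine seconds late and is dropped, and the `ci-01` pair is suppressed because its parent is allowlisted. Widening the window or removing the allowlist makes those pairs alert as well, which is the trade-off the rule's false-positive guidance is about.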
Categories
- Endpoint
- Linux
Data Sources
- Process
- Kernel
ATT&CK Techniques
- T1068
Created: 2026-05-08