
Summary
This rule detects an unusual process connecting to a container runtime Unix socket (for example, Docker or containerd sockets such as /var/run/docker.sock or /run/containerd/containerd.sock) from a Linux host. Direct access to container runtime sockets enables an attacker to create, exec into, or manipulate containers without going through the Kubernetes API server, thereby bypassing RBAC, admission webhooks, pod security standards, and Kubernetes audit logging.
The detection relies on network telemetry to identify a process connecting to a Unix socket path associated with container runtimes, filtering out known legitimate components. The query targets Linux hosts (host.os.type: linux) and matches destination.address to common socket paths, while excluding processes whose executables are standard runtimes (e.g., kubelet, containerd, dockerd, and their wrappers). The rule is rated with a risk score and accompanied by a triage guide, investigation steps, and remediation guidance. It is designed to work with Auditd Manager (or Auditbeat) to surface network events where a process connects to a Unix socket, enabling visibility into potential privilege escalation, lateral movement, and unauthorized container manipulation.
Possible outcomes include confirming whether the socket is host-default or bind-mounted inside a container, correlating the initiating process with user and session telemetry, and validating whether access should be permitted. If malicious, the recommended response is to isolate the host, revoke credentials, inspect for rogue containers or persistence mechanisms, and tighten socket permissions to trusted groups only. The rule aligns with MITRE ATT&CK techniques: T1613 (Container and Resource Discovery), T1611 (Escape to Host), and T1550 (Use Alternate Authentication Material), mapped to Discovery, Privilege Escalation, and Lateral Movement tactics, respectively.
Setup notes emphasize enabling Auditd Manager network visibility so that events show process.executable and destination.address for connect events to the container socket paths, thereby enabling accurate detection and alerting.
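The following is an added example, not the rule's own query, that applies the logic described above (Linux host, destination.address on a runtime socket path, executable not one of the standard runtimes) to a few constructed ECS-style auditd connect events and returns the fields a triage guide would pivot on. The socket list and the allow-listed executable paths are assumptions for illustration; the field names follow ECS (host.os.type, process.executable, destination.address, user.name, process.parent.executable).

```python
"""
Added example, not the rule's own query: evaluate the described detection logic
over ECS-style auditd connect events. Socket and executable lists are assumed.
"""
from __future__ import annotations

import os

# Socket paths the rule watches. The page names the Docker and containerd sockets;
# the /var/run spellings are included because /var/run is usually a symlink to /run.
CONTAINER_RUNTIME_SOCKETS = frozenset({
    "/var/run/docker.sock",
    "/run/docker.sock",
    "/run/containerd/containerd.sock",
    "/var/run/containerd/containerd.sock",
})

# Executables expected to talk to these sockets (assumed full paths). Matching on the
# full path rather than the basename stops a look-alike binary in /tmp from being excluded.
ALLOWED_RUNTIME_EXECUTABLES = frozenset({
    "/usr/bin/kubelet",
    "/usr/local/bin/kubelet",
    "/usr/bin/containerd",
    "/usr/bin/containerd-shim-runc-v2",
    "/usr/bin/dockerd",
    "/usr/bin/docker",
})


def normalize_socket_path(path: str) -> str:
    """Collapse the /var/run -> /run symlink so both spellings compare equal."""
    norm = os.path.normpath(path)
    if norm.startswith("/var/run/"):
        norm = "/run/" + norm[len("/var/run/"):]
    return norm


WATCHED_SOCKETS = frozenset(normalize_socket_path(p) for p in CONTAINER_RUNTIME_SOCKETS)


def matches_rule(event: dict) -> bool:
    """True when the event is a Linux connect to a watched socket by a non-runtime binary."""
    if event.get("host.os.type") != "linux":
        return False
    dest = event.get("destination.address")
    if not dest or normalize_socket_path(dest) not in WATCHED_SOCKETS:
        return False
    exe = os.path.normpath(event.get("process.executable", ""))
    return exe not in ALLOWED_RUNTIME_EXECUTABLES


def evaluate(events: list[dict]) -> list[dict]:
    """Return one alert per matching event, carrying the fields used for triage."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "socket": normalize_socket_path(ev["destination.address"]),
                "executable": ev.get("process.executable"),
                "parent": ev.get("process.parent.executable"),
                "pid": ev.get("process.pid"),
                "user": ev.get("user.name"),
            })
    return alerts


# Constructed sample events (not real telemetry): two benign runtime connects,
# one non-Linux event, and two connects from non-runtime processes.
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "process.executable": "/usr/bin/kubelet",
     "process.pid": 812, "user.name": "root",
     "destination.address": "/run/containerd/containerd.sock"},
    {"host.os.type": "linux", "process.executable": "/usr/bin/curl",
     "process.parent.executable": "/bin/bash", "process.pid": 4711,
     "user.name": "app", "destination.address": "/var/run/docker.sock"},
    {"host.os.type": "windows", "process.executable": "C:\\tools\\x.exe",
     "destination.address": "/var/run/docker.sock"},
    {"host.os.type": "linux", "process.executable": "/usr/bin/dockerd",
     "process.pid": 901, "user.name": "root",
     "destination.address": "/var/run/docker.sock"},
    {"host.os.type": "linux", "process.executable": "/usr/bin/python3",
     "process.parent.executable": "/usr/bin/python3", "process.pid": 5120,
     "user.name": "jenkins", "destination.address": "/run/containerd/containerd.sock"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The exclusion list is a coarse filter: it trusts whatever runs from an allow-listed path, so triage should still confirm the excluded binary's package or hash and its parent process, and any allow-list entry added for a local tool (a CI agent, a monitoring exporter) should be scoped to the full path of a binary that is actually installed on the host.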
Categories
- Endpoint
- Containers
- Linux
- Network
Data Sources
- Process
- Network Traffic
- File
ATT&CK Techniques
- T1611
- T1613
- T1550
Created: 2026-04-29