
Summary
This rule detects Docker containers mounting the host's root filesystem into the container (host root "/" mapped to container root "/"). Such mounts grant the container visibility into, and potentially write access to, host files, which elevates risk, especially if the container runs as root or with elevated capabilities (e.g., --privileged). The detection relies on Linux endpoint telemetry (Sysmon EventID 1) to identify process creation for docker-* processes whose command lines contain volume mount indicators (-v or --volume) with mappings that include the host root. The search analyzes process and parent-process details to surface the actions, destinations, and executables involved in the mount, then normalizes results via the Endpoint Processes data model. Deployments running with elevated privileges (root user or --privileged) are treated as higher risk. False positives can occur from legitimate administrative tasks that mount host volumes, so tuning filters is advised. References include the Docker volume documentation and the GTFOBins entry for docker. The rule supports investigation by linking the specific process, user, and endpoint where the mount was attempted, enabling rapid containment actions if needed.
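The detection logic described above, as an added illustration that is not part of the original rule or its Splunk search: a small Python scanner over constructed Sysmon-for-Linux style process-creation records. It keeps only EventID 1 records whose image is a docker-* binary, parses the command line for -v/--volume specs whose host side resolves to "/", and marks a finding as elevated when the container is started with --privileged or by root. It goes slightly beyond the rule text by also recognizing the attached -v/:/host and --volume=/:/host spellings and --mount type=bind,source=/ specs. The field names (EventID, Image, CommandLine, User, Computer, ParentImage) and all sample events are assumptions constructed for the example.

```python
import os
import shlex

# Constructed Sysmon-for-Linux style EventID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "/usr/bin/docker", "User": "alice", "Computer": "web01",
     "ParentImage": "/bin/bash",
     "CommandLine": "docker run -it -v /:/host alpine chroot /host"},
    {"EventID": 1, "Image": "/usr/bin/docker", "User": "ci", "Computer": "build02",
     "ParentImage": "/usr/bin/python3",
     "CommandLine": "docker run --rm -v /srv/app:/app myimage:latest pytest"},
    {"EventID": 1, "Image": "/usr/bin/docker", "User": "root", "Computer": "db01",
     "ParentImage": "/bin/sh",
     "CommandLine": "docker run --privileged --volume=/:/mnt/root ubuntu bash"},
    {"EventID": 1, "Image": "/usr/bin/docker-compose", "User": "deploy", "Computer": "app03",
     "ParentImage": "/bin/bash",
     "CommandLine": "docker-compose up -d"},
    {"EventID": 1, "Image": "/usr/bin/docker", "User": "bob", "Computer": "ops04",
     "ParentImage": "/bin/bash",
     "CommandLine": "docker run --mount type=bind,source=/,target=/host debian"},
    {"EventID": 3, "Image": "/usr/bin/docker", "User": "alice", "Computer": "web01",
     "ParentImage": "/bin/bash",
     "CommandLine": "docker run -v /:/host alpine"},  # network event, not process creation
]


def is_host_root(path: str) -> bool:
    """True when a host-side path resolves to the filesystem root ('/', '//', '/./', ...)."""
    return path.startswith("/") and os.path.normpath(path).strip("/") == ""


def _volume_spec_host(spec: str) -> str:
    """Host side of a 'host:container[:opts]' spec; named volumes have no leading '/'."""
    return spec.split(":", 1)[0]


def _mount_spec_host(spec: str) -> str:
    """Host source of a --mount spec, only for bind mounts (the default type is 'volume')."""
    kv = dict(part.split("=", 1) for part in spec.split(",") if "=" in part)
    if kv.get("type") != "bind":
        return ""
    return kv.get("source") or kv.get("src") or ""


def mounts_host_root(cmdline: str) -> bool:
    """Return True if the command line maps the host root into a container."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: treat as non-matching rather than crash
        return False
    i = 0
    while i < len(argv):
        tok = argv[i]
        host = ""
        if tok in ("-v", "--volume") and i + 1 < len(argv):
            host = _volume_spec_host(argv[i + 1])
            i += 1
        elif tok.startswith("--volume="):
            host = _volume_spec_host(tok[len("--volume="):])
        elif tok.startswith("-v=") :
            host = _volume_spec_host(tok[3:])
        elif tok.startswith("-v") and not tok.startswith("--") and len(tok) > 2:
            host = _volume_spec_host(tok[2:])  # attached form: -v/:/host
        elif tok == "--mount" and i + 1 < len(argv):
            host = _mount_spec_host(argv[i + 1])
            i += 1
        elif tok.startswith("--mount="):
            host = _mount_spec_host(tok[len("--mount="):])
        if is_host_root(host):
            return True
        i += 1
    return False


def scan_events(events):
    """Apply the rule's filters to process-creation records and return findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ev.get("Image", "")
        if not os.path.basename(image).startswith("docker"):  # docker-* processes only
            continue
        cmd = ev.get("CommandLine", "")
        if not mounts_host_root(cmd):
            continue
        argv = shlex.split(cmd)
        elevated = "--privileged" in argv or ev.get("User") == "root"
        findings.append({
            "computer": ev.get("Computer"), "user": ev.get("User"),
            "image": image, "parent": ev.get("ParentImage"),
            "cmdline": cmd, "elevated": elevated,
        })
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        level = "HIGH" if f["elevated"] else "MEDIUM"
        print(f"[{level}] {f['computer']} user={f['user']} parent={f['parent']}: {f['cmdline']}")
```

Legitimate administrative mounts of the host root (backup agents, node monitoring) will match too; in practice the allowlist would key on the parent image, user, and target image that the findings expose, which is the tuning the rule text recommends.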
Categories
- Endpoint
- Linux
- Containers
Data Sources
- Scheduled Job
- Process
- Windows Registry
- Pod
- Container
- Image
- File
ATT&CK Techniques
- T1611
- T1548
Created: 2026-03-10