
Privileged Container Creation with Host Directory Mount

Elastic Detection Rules

Summary
This rule monitors the creation of privileged containers that mount host directories, a configuration that weakens container isolation and can lead to compromise of the host. Privileged containers allow users to execute commands with escalated privileges, and if they bind-mount critical host files or directories, attackers may leverage these to escalate privileges or pivot within an environment. The rule triggers when a Docker-related process is started with arguments indicating a privileged run that bind-mounts the host's root directory into the container. Investigation steps include retrieving execution context and process details, correlating with Kubernetes events, and reviewing audit logs to ascertain whether the actions align with expected container management practices. Mitigation involves stopping the containers, preserving forensic evidence, and enforcing stricter admission policies to prevent future incidents.
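The detection logic the summary describes, written out as an added example so the two conditions (a privileged run and a bind mount whose host-side source is /) can be checked against process events. This is illustration code, not the Elastic rule's own query or implementation; the event dictionaries, their field names and the sample command lines are all constructed here.

```python
import shlex

# Constructed sample process events; the "args" field stands in for the
# captured command line of a docker client process.
SAMPLE_EVENTS = [
    {"user": "alice", "args": "docker run --privileged -v /:/host -it ubuntu bash"},
    {"user": "bob",   "args": "docker run -it --rm nginx"},
    {"user": "ci",    "args": "docker run --privileged=true --mount type=bind,source=/,target=/mnt/root alpine"},
    {"user": "carol", "args": "docker run --privileged -v /data:/data alpine"},
    {"user": "dave",  "args": "/usr/bin/docker run -v /:/host:ro alpine"},
]


def _mount_sources(tokens):
    """Yield the host-side source path of every -v/--volume/--mount argument."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-v", "--volume", "--mount") and i + 1 < len(tokens):
            spec, i = tokens[i + 1], i + 2
        elif tok.startswith(("-v=", "--volume=", "--mount=")):
            spec, i = tok.split("=", 1)[1], i + 1
        else:
            i += 1
            continue
        if tok.startswith("--mount"):
            # --mount type=bind,source=/,target=/host -> key=value list
            fields = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
            src = fields.get("source") or fields.get("src")
            if src is not None:
                yield src
        else:
            # -v /:/host[:ro] -> host path is the first colon-separated field
            yield spec.split(":", 1)[0]


def analyze_docker_command(cmdline):
    """Classify one docker command line.

    Returns a dict with three booleans: whether it is a 'docker run',
    whether --privileged is set, and whether the host root (/) is bind-mounted.
    """
    tokens = shlex.split(cmdline)
    is_run = bool(tokens) and tokens[0].rsplit("/", 1)[-1] == "docker" and "run" in tokens
    if not is_run:
        return {"docker_run": False, "privileged": False, "host_root_mount": False}
    privileged = any(t in ("--privileged", "--privileged=true") for t in tokens)
    host_root = any(src.startswith("/") and src.rstrip("/") == "" for src in _mount_sources(tokens))
    return {"docker_run": True, "privileged": privileged, "host_root_mount": host_root}


def detect(events):
    """Return the events that satisfy both conditions: privileged run AND host root mounted."""
    hits = []
    for ev in events:
        result = analyze_docker_command(ev["args"])
        if result["docker_run"] and result["privileged"] and result["host_root_mount"]:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT user={hit['user']} cmd={hit['args']}")
```

Only alice and ci match: carol runs privileged but mounts /data, and dave mounts / but is not privileged, which is why both conditions are checked together. A production rule would read the argument list from the process telemetry rather than re-splitting a string, and would also want to cover aliases such as --volume or --mount on a docker create.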
Categories
  • Containers
  • Endpoint
  • Linux
  • macOS
Data Sources
  • Container
  • Process
  • User Account
  • File
  • Network Traffic
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1609
  • T1611
Created: 2025-11-27