diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 8ff48b7fd..d4c952913 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -61,6 +61,23 @@
 },
 "logs-kubernetes.*": {
 "kubernetes.audit.objectRef.resource": "keyword",
- "kubernetes.audit.objectRef.subresource": "keyword"
+ "kubernetes.audit.objectRef.subresource": "keyword",
+ "kubernetes.audit.verb": "keyword",
+ "kubernetes.audit.user.username": "keyword",
+ "kubernetes.audit.impersonatedUser.username": "keyword",
+ "kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
+ "kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
+ "kubernetes.audit.user.groups": "text",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
+ "kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",
+ "kubernetes.audit.requestObject.spec.hostPID": "boolean",
+ "kubernetes.audit.requestObject.spec.hostNetwork": "boolean",
+ "kubernetes.audit.requestObject.spec.hostIPC": "boolean",
+ "kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
+ "kubernetes.audit.requestObject.spec.type": "keyword",
+ "kubernetes.audit.requestObject.rules.resources": "keyword",
+ "kubernetes.audit.requestObject.rules.verb": "keyword"
 }
 }
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
new file mode 100644
index 000000000..30c880f5b
--- /dev/null
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
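Review bot: `kubernetes.audit.requestObject.rules.verb` is declared singular while the neighbouring `rules.resources` is plural; a Kubernetes RBAC PolicyRule carries `verbs`, so a rule that queries the actual field name would presumably fail validation against this schema — worth confirming against the integration's field mapping before anything depends on it. `kubernetes.audit.user.groups` is also the only new entry typed `text` rather than `keyword`; if the integration maps it as `keyword`, an exact KQL match on a group name validates differently here than it behaves in the index, so that type deserves a check too.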
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2022/07/11"
+integration = "kubernetes"
+maturity = "production"
+min_stack_comments = "Necessary audit log fields not available prior to 8.2"
+min_stack_version = "8.2"
+updated_date = "2022/07/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a
+sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this
+mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem
+can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.
+"""
+false_positives = [
+ """
+ An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for
+ legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed
+ by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates
+ several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and
+ /var/log.
+ """,
+]
+index = ["logs-kubernetes.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Pod created with a Sensitive hostPath Volume"
+note = """## Setup
+
+The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
+references = [
+ "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
+ "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath",
+]
+risk_score = 47
+rule_id = "2abda169-416b-4bb3-9a6b-f8d239fd78ba"
+severity = "medium"
+tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+kubernetes.audit.objectRef.resource:"pods"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
+ and kubernetes.audit.requestObject.spec.volumes.hostPath.path:("/" or "/proc" or "/root" or "/var" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or "/var/run/cri-dockerd.sock" or "/var/lib/kubelet" or "/var/lib/kubelet/pki" or "/var/lib/docker/overlay2" or "/etc" or "/etc/kubernetes" or "/etc/kubernetes/manifests" or "/home/admin")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
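Review bot: The `hostPath.path` list in `query` is an exact keyword match, so a mount of `/proc/`, `/etc/kubernetes/pki` or `/var/lib/docker` grants the same node access as the listed entries but never fires; consider wildcard terms for the directory entries, e.g. `kubernetes.audit.requestObject.spec.volumes.hostPath.path:(/ or /proc* or /etc/kubernetes* or /var/lib/docker* or ...)` if the keyword field tolerates them in KQL, or at least state in `description` that the list is exact-match only. The query also has no filter on the request outcome, so a create that RBAC denied would presumably alert as well; the schema hunk in this commit adds `kubernetes.audit.annotations.authorization_k8s_io/decision`, so appending `and kubernetes.audit.annotations.authorization_k8s_io/decision:allow` would narrow it to requests that went through. Two documentation nits: the `false_positives` text names the field as `kuberenetes.audit.requestObject...` (missing `t`), and the file name reads `hospath` rather than `hostpath`. The `tags` array carries `Execution` while the only mapped tactic is TA0004 Privilege Escalation; either map an Execution technique under `[[rule.threat]]` or drop the tag.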