diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
new file mode 100644
index 000000000..6a524b580
--- /dev/null
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2022/07/05"
+integration = "kubernetes"
+maturity = "production"
+min_stack_comments = "Necessary audit log fields not available prior to 8.2"
+min_stack_version = "8.2"
+updated_date = "2022/07/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use
+the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker
+could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies
+applied to its given namespace.
+"""
+false_positives = [
+ """
+ An administrator or developer may want to use a pod that runs as root and shares the host�s IPC, Network, and PID
+ namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto
+ the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and
+ network namespaces from the host's perspective.
+ """,
+]
+index = ["logs-kubernetes.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Pod Created With HostNetwork"
+note = """## Setup
+
+The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
+references = [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
+ "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation",
+]
+risk_score = 47
+rule_id = "12cbf709-69e8-4055-94f9-24314385c27e"
+severity = "medium"
+tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostNetwork:true
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+