
Chroot Execution Detected via Defend for Containers

Elastic Detection Rules

Summary
This Elastic detection rule monitors Linux hosts running Defend for Containers for signs of chroot usage inside a container, which can indicate an attempt to escape to the host.

It watches process-start events (process where host.os.type == "linux" and event.type == "start" and event.action == "exec") and flags two scenarios: (1) a direct chroot invocation (process.name == "chroot"), or (2) a shell (bash, dash, sh, tcsh, csh, zsh, ksh, fish or busybox) whose process.args contain a chroot command or chroot path (e.g., /bin/chroot, /usr/bin/chroot, /usr/local/bin/chroot). To reduce false positives from common multi-process wrappers, the rule excludes known benign arguments such as which, man, chmod and chown, plus their path variants. The rule also requires container.id to be present, so that the activity is confirmed to occur inside a container context.

When triggered, the signal is mapped to MITRE ATT&CK technique T1611 (Escape to Host) under the Privilege Escalation tactic (TA0004), reflecting the potential to gain access to the host filesystem from within a container. The rule is scoped to the logs-cloud_defend.process* index pattern and is configured with a 6-minute lookback and a 5-minute interval, with low severity and a risk score of 21.

Overall, it aims to detect container escape via chroot usage, though it may miss non-standard or obfuscated attempts and may require contextualization to avoid false positives in legitimate container operations.
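To make the matching logic concrete, the following is an added example (not the rule's own source, which is EQL) that re-implements the conditions above in plain Python and runs them over constructed ECS-style events; the path prefixes used for the benign-wrapper exclusions and the whitespace splitting of "-c" command strings are assumptions of this example, not details from the rule.

```python
# Added example (not the rule's source): the page's matching logic re-implemented
# in plain Python over constructed ECS-style events. Assumed, not from the page:
# the path prefixes used for the benign-wrapper exclusions and the whitespace
# splitting of "-c" command strings into tokens.

SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}
CHROOT_ARGS = {"chroot", "/bin/chroot", "/usr/bin/chroot", "/usr/local/bin/chroot"}
PATH_PREFIXES = ("", "/bin/", "/usr/bin/", "/usr/local/bin/")  # assumption
BENIGN_ARGS = {p + b for p in PATH_PREFIXES for b in ("which", "man", "chmod", "chown")}


def matches(event: dict) -> bool:
    """True if a flat ECS-style process event satisfies the rule's conditions."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start" or event.get("event.action") != "exec":
        return False
    if not event.get("container.id"):  # activity must come from a container
        return False
    name = event.get("process.name")
    if name == "chroot":  # scenario 1: chroot executed directly
        return True
    if name not in SHELLS:
        return False
    # scenario 2: a shell whose arguments carry a chroot command or path
    tokens = {t for arg in event.get("process.args", []) for t in arg.split()}
    if tokens & BENIGN_ARGS:  # which/man/chmod/chown wrappers are excluded
        return False
    return bool(tokens & CHROOT_ARGS)


def ev(name, args, container_id="c0ffee01"):
    """Build a constructed (not real) Linux exec event in the rule's shape."""
    return {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
            "container.id": container_id, "process.name": name, "process.args": args}


SAMPLE_EVENTS = [
    ev("chroot", ["chroot", "/mnt/rootfs"]),                     # fires (direct)
    ev("bash", ["bash", "-c", "/usr/bin/chroot /mnt/rootfs"]),   # fires (via shell)
    ev("sh", ["sh", "-c", "which chroot"]),                      # excluded wrapper
    ev("chroot", ["chroot", "/mnt/rootfs"], container_id=None),  # no container.id
]


def alert_indexes(events) -> list:
    """Indexes of the events that would raise the rule's signal."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Running alert_indexes(SAMPLE_EVENTS) yields [0, 1]: the direct invocation and the shell-wrapped path fire, while the which wrapper and the host-side (no container.id) event do not.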
Categories
  • Containers
Data Sources
  • Process
ATT&CK Techniques
  • T1611
Created: 2026-03-26