
Summary
This anomaly detects Linux Docker shell execution by correlating docker-related process activity with shell processes. It triggers when a Docker command (e.g., docker exec) or a container entrypoint override launches an interactive or non-interactive shell (such as /bin/bash, /bin/sh, /bin/dash, /bin/zsh, or bare invocations like bash/dash/sh) inside a container. The rule relies on endpoint process telemetry (e.g., EDR data) to identify a docker* process invoking an exec-like operation and matches the launched executable against a list of known shells. It surfaces contextual details, including the involved processes, parent process lineage, command lines, user, and destination host, to aid investigation.

The associated risk event flags that a user on an endpoint spawned a shell inside a container. This can be legitimate administrative activity, but it can also indicate post-exploitation activity such as attacker access, container breakout attempts, persistence, or pivoting. The technique maps to MITRE ATT&CK T1059.013 (Linux Shell).

To minimize noise, the rule is designed to work with CIM-normalized endpoint data and complete command-line telemetry, which allows filtering out known administrative workflows or container orchestration events. References include Docker's container exec documentation and the GTFOBins entry for docker, along with a note that automated tooling may produce false positives. The rule supports targeted drilldowns per destination and facilitates risk-based alerting on container-related shell activity.
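The correlation described above, as an added example that is not the rule's own search: it runs over constructed CIM-like process events (field names dest, user, parent_process_name, process_name, process are assumed), matching a docker* process whose command line performs an exec or an --entrypoint override that launches a known shell, and returning the investigation context the rule surfaces.

```python
import shlex
from dataclasses import dataclass
from pathlib import PurePosixPath
# Shell executables the rule matches on, compared by basename so both
# "/bin/bash" and a bare "bash" count.
SHELLS = {"bash", "sh", "dash", "zsh"}

@dataclass
class ProcessEvent:
    dest: str                 # destination host
    user: str
    parent_process_name: str  # parent lineage, kept for investigation context
    process_name: str
    process: str              # full command line

def is_shell(token):
    return PurePosixPath(token).name in SHELLS

def docker_shell_reason(ev):
    """Why the event matches (exec or entrypoint override into a shell), or None."""
    if not ev.process_name.startswith("docker"):
        return None
    try:
        argv = shlex.split(ev.process)
    except ValueError:  # unbalanced quotes in telemetry: treat as no match
        return None
    if "exec" in argv[1:]:
        tail = argv[argv.index("exec") + 1:]
        if any(is_shell(t) for t in tail if not t.startswith("-")):
            return "docker exec launched shell"
    for i, a in enumerate(argv):
        if a == "--entrypoint" and i + 1 < len(argv) and is_shell(argv[i + 1]):
            return "entrypoint override launched shell"
        if a.startswith("--entrypoint=") and is_shell(a.split("=", 1)[1]):
            return "entrypoint override launched shell"
    return None

def find_container_shells(events):
    """(dest, user, parent, reason, command line) for each matching event."""
    return [(ev.dest, ev.user, ev.parent_process_name, reason, ev.process)
            for ev in events if (reason := docker_shell_reason(ev))]

# Constructed sample telemetry: rows 1 and 3 should match, rows 2 and 4 should not.
SAMPLE_EVENTS = [
    ProcessEvent("web-01", "ops", "sshd", "docker", "docker exec -it api /bin/bash"),
    ProcessEvent("web-01", "ops", "sshd", "docker", "docker exec api ls -la /app"),
    ProcessEvent("ci-02", "ci", "runner", "docker", "docker run --entrypoint=/bin/sh alpine -c id"),
    ProcessEvent("db-03", "dba", "sshd", "bash", "bash -lc 'docker ps'"),
]
```

Known administrative workflows can be suppressed by filtering on the returned dest/user/parent tuple before the hits are scored.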
Categories
- Endpoint
- Linux
- Containers
Data Sources
- Process
ATT&CK Techniques
- T1059.013
- T1548
Created: 2026-03-10