
File Made Executable via Chmod Inside A Container

Elastic Detection Rules

Summary
This rule detects the `chmod` and `chown` commands being run inside a container in a way that grants execute permission on a file. A file that is newly made executable inside a container is a common precursor to running a dropped binary or script, so the event is worth attention even though the command itself is routine. The EQL query matches process-start events on Linux hosts where the process is `chmod` or `chown`, the arguments set a mode associated with executable files (an octal mode with an execute bit, or a symbolic mode such as `+x`), and the process runs in a container context. Note that `chown` changes ownership rather than mode bits, so in practice it is the `chmod` invocations that carry a mode argument; ownership arguments such as `root:root` never grant execute on their own.

Setup: the rule relies on process telemetry from Elastic Defend, deployed and managed through Fleet.

Investigation: review the full process arguments (the mode and the target path), the user the process ran as, and cross-reference with deployment or CI logs to establish whether the change was expected.

False positives: legitimate DevOps workflows, entrypoint scripts, package installs and system updates routinely set execute bits inside containers. Tune by excluding known images, users or paths rather than disabling the rule.
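As an added example (not the rule's own EQL query or any Elastic code), the following Python mirrors the rule's conditions over a handful of constructed process-start events and, in particular, decides whether a `chmod` argument actually grants execute permission, covering both octal modes (`755`, `4755`) and symbolic ones (`+x`, `a+rx`, `u=rwx`, `go+X`). The field names and the `in_container` flag are assumptions standing in for the container-context condition; only `chmod` is checked, since the `chown` arguments the rule also lists carry no mode bits (add `"chown"` to the name check if you want to mirror the rule exactly).

```python
import re

# Constructed sample process-start events (not real telemetry), shaped
# loosely after the fields the rule filters on. "in_container" stands in
# for the rule's container-context condition; field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "host.os.type": "linux", "event.type": "start", "process.name": "chmod",
     "process.args": ["chmod", "+x", "/tmp/payload"], "in_container": True},
    {"id": 2, "host.os.type": "linux", "event.type": "start", "process.name": "chmod",
     "process.args": ["chmod", "0755", "/usr/local/bin/app"], "in_container": True},
    {"id": 3, "host.os.type": "linux", "event.type": "start", "process.name": "chmod",
     "process.args": ["chmod", "644", "/etc/app.conf"], "in_container": True},
    {"id": 4, "host.os.type": "linux", "event.type": "start", "process.name": "chmod",
     "process.args": ["chmod", "u+x", "/home/dev/build.sh"], "in_container": False},
    {"id": 5, "host.os.type": "linux", "event.type": "start", "process.name": "chown",
     "process.args": ["chown", "root:root", "/tmp/payload"], "in_container": True},
    {"id": 6, "host.os.type": "linux", "event.type": "start", "process.name": "chmod",
     "process.args": ["chmod", "-R", "a+rx", "/opt/tool"], "in_container": True},
    {"id": 7, "host.os.type": "linux", "event.type": "start", "process.name": "chmod",
     "process.args": ["chmod", "u-x", "/tmp/payload"], "in_container": True},
]

EXEC_BITS = 0o111  # owner, group and other execute bits
OCTAL_MODE = re.compile(r"[0-7]{1,4}")
SYMBOLIC_CLAUSE = re.compile(r"([ugoa]*)((?:[+\-=][rwxXst]*)+)")
SYMBOLIC_OP = re.compile(r"([+\-=])([rwxXst]*)")


def octal_adds_exec(mode: str) -> bool:
    """True if an absolute octal mode such as 755 or 4755 sets any execute bit."""
    return bool(int(mode, 8) & EXEC_BITS)


def symbolic_adds_exec(mode: str) -> bool:
    """True if a symbolic mode grants x (or X) through '+' or '='.
    'u-x' and 'g+w' do not; 'a+rx', 'u=rwx' and 'go+X' do."""
    for clause in mode.split(","):
        m = SYMBOLIC_CLAUSE.fullmatch(clause)
        if m is None:
            return False  # not a chmod mode at all (e.g. a path or owner:group)
        for op, perms in SYMBOLIC_OP.findall(m.group(2)):
            if op in "+=" and ("x" in perms or "X" in perms):
                return True
    return False


def mode_adds_exec(arg: str) -> bool:
    """Classify one argv element: octal or symbolic mode that grants execute."""
    if OCTAL_MODE.fullmatch(arg):
        return octal_adds_exec(arg)
    return symbolic_adds_exec(arg)


def matches_rule(event: dict) -> bool:
    """Mirror of the rule's conditions: Linux, process start, chmod, an
    argument that grants execute, and a container context. Arguments that
    start with '-' are skipped: they are options (-R) or removal modes (-x),
    and neither grants execute. Caveat: --reference=FILE copies FILE's mode
    and can grant execute with no mode text in argv; this mirror cannot see that."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("process.name") != "chmod" or not event.get("in_container"):
        return False
    return any(mode_adds_exec(a) for a in event["process.args"][1:]
               if not a.startswith("-"))


def matching_event_ids(events) -> list:
    """Return the ids of the events the mirrored rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], " ".join(e["process.args"]), "->", matches_rule(e))
```

Run against the sample set, only events 1, 2 and 6 fire: the `644` mode, the `u-x` removal, the `chown` call and the `u+x` that ran outside a container are all dropped. The `--reference` caveat in `matches_rule` is the kind of gap a tester will probe, so a production rule should not rely on mode text alone.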
Categories
  • Containers
  • Linux
Data Sources
  • Container
  • Process
  • Application Log
ATT&CK Techniques
  • T1059
  • T1222
  • T1222.002
Created: 2025-03-12