DNS Enumeration Detected via Defend for Containers

Elastic Detection Rules

Summary
This rule identifies the execution of DNS enumeration tools (nslookup, dig and host) inside a Linux container. After a compromise, an attacker can use these utilities to map the network and the services reachable from the container, for example by resolving the names and addresses of internal services. The investigation section describes how to analyse alerts raised by these tools, with the emphasis on separating legitimate debugging by engineers from reconnaissance by an adversary. The response steps include isolating the affected pods and rotating any credentials the container could reach. The aim of the rule is to surface unusual use of DNS utilities that points to an adversary exploring the environment.
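The page does not reproduce the rule's query, so the following is an added example of the detection idea, not Elastic's rule. It runs a small matcher over constructed, ECS-shaped process events (field names such as process.name, process.args and container.id are assumptions) and covers two things a practitioner would want beyond the simple tool-name match: the tool invoked as a BusyBox applet (`busybox nslookup ...`, common in minimal images, where process.name is `busybox`), and a triage hint when dig or host is asked for a zone transfer, which is bulk enumeration rather than a one-off lookup. The image allowlist is a hypothetical tuning knob for the "legitimate debugging" case.

```python
"""Toy emulation of a 'DNS enumeration tool in container' detection.

Added example; not Elastic's rule query. Events are constructed,
ECS-shaped dicts (process.name, process.args, container.id, ...).
"""
import os
from typing import Iterable, Optional

DNS_TOOLS = {"nslookup", "dig", "host"}
# dig/host arguments that indicate bulk enumeration (zone transfer)
# rather than a single lookup; used only as a triage hint.
ENUM_MARKERS = {"axfr", "ixfr"}
# Hypothetical allowlist of debug images where these tools are expected.
ALLOWED_IMAGES = {"internal/netshoot-debug"}


def resolved_tool(event: dict) -> Optional[str]:
    """Return which DNS tool an exec event runs, or None.

    Handles three spellings of the same thing: process.name is the tool,
    process.executable is a full path to it, or the tool is a BusyBox
    applet invoked as `busybox nslookup ...`.
    """
    name = event.get("process.name", "")
    exe = os.path.basename(event.get("process.executable", ""))
    args = event.get("process.args", [])
    for candidate in (name, exe):
        if candidate in DNS_TOOLS:
            return candidate
    if name == "busybox" and len(args) > 1 and args[1] in DNS_TOOLS:
        return args[1]
    return None


def detect_dns_enum(events: Iterable[dict]) -> list:
    """Return one alert dict per DNS-tool exec event inside a container."""
    alerts = []
    for ev in events:
        # Only process-start events count; a lookup by an existing process
        # (e.g. a resolver library) does not exec nslookup/dig/host.
        if "start" not in ev.get("event.type", []):
            continue
        if not ev.get("container.id"):
            continue  # rule scope: inside a container only
        tool = resolved_tool(ev)
        if tool is None:
            continue
        args = ev.get("process.args", [])
        lowered = {a.lower() for a in args}
        alerts.append({
            "container.id": ev["container.id"],
            "tool": tool,
            "args": args,
            "parent": ev.get("process.parent.name"),
            "zone_transfer": bool(ENUM_MARKERS & lowered),
            "suppressed": ev.get("container.image.name", "") in ALLOWED_IMAGES,
        })
    return alerts


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    {"event.type": ["start"], "container.id": "c1", "container.image.name": "app/api",
     "process.name": "dig", "process.executable": "/usr/bin/dig",
     "process.args": ["dig", "AXFR", "corp.internal"], "process.parent.name": "bash"},
    {"event.type": ["start"], "container.id": "c2", "container.image.name": "app/worker",
     "process.name": "busybox", "process.executable": "/bin/busybox",
     "process.args": ["busybox", "nslookup", "kube-dns.kube-system.svc.cluster.local"],
     "process.parent.name": "sh"},
    # Not in a container: out of scope for this rule.
    {"event.type": ["start"], "container.id": "", "process.name": "host",
     "process.executable": "/usr/bin/host", "process.args": ["host", "example.com"]},
    # Unrelated tool in a container: no alert.
    {"event.type": ["start"], "container.id": "c3", "container.image.name": "app/api",
     "process.name": "curl", "process.executable": "/usr/bin/curl",
     "process.args": ["curl", "http://example.com"]},
    # Expected debugging image: alert is produced but marked suppressed.
    {"event.type": ["start"], "container.id": "c4",
     "container.image.name": "internal/netshoot-debug",
     "process.name": "nslookup", "process.executable": "/usr/bin/nslookup",
     "process.args": ["nslookup", "db.default.svc.cluster.local"],
     "process.parent.name": "bash"},
]

if __name__ == "__main__":
    for alert in detect_dns_enum(SAMPLE_EVENTS):
        print(alert)
```

On the sample above the matcher raises three alerts (the dig zone transfer, the BusyBox nslookup, and the suppressed one from the debug image) and ignores the host lookup outside any container and the curl execution. The parent process name is carried along because an interactive shell parent is often the first thing an analyst checks when deciding whether this was an engineer debugging or an attacker with a foothold.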
Categories
  • Containers
Data Sources
  • Container
ATT&CK Techniques
  • T1018 (Remote System Discovery)
  • T1613 (Container and Resource Discovery)
  • T1016 (System Network Configuration Discovery)
  • T1049 (System Network Connections Discovery)
Created: 2026-01-21