Egress Connection from Entrypoint in Container

Elastic Detection Rules

Summary
This detection rule identifies potential unauthorized egress connections from a container that uses an `entrypoint.sh` script. When a container is started, its entrypoint file establishes the commands or actions to run, which, if manipulated, could be used to connect to external networks. The rule utilizes Elastic Query Language (EQL) to monitor process and network activity, specifically detecting a sequence in which the `entrypoint.sh` process starts and is followed closely by a connection attempt to an external IP. This sequence can indicate malicious activity such as unauthorized network connections initiated by an attacker who has gained access to the container environment. The highest-risk scenarios involve attackers using this method to maintain persistence or to escalate privileges by escaping the container's confines. The investigation guide outlines the steps needed to triage alerts generated by this rule, including analyzing both the execution of the entrypoint script and the corresponding network connections. It recognizes potential false positives from legitimate operations and details response protocols for security teams.
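The correlation the summary describes (an `entrypoint.sh` start followed closely by an outbound connection to a non-private address) can be illustrated over sample events. The code below is an added example, not Elastic's EQL rule; the 3-second window, the use of a container id as the join key, and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumed correlation window; the real rule's maxspan is not stated on this page.
MAXSPAN = timedelta(seconds=3)

# Constructed sample events (not from a real host). Each record carries the
# minimum the correlation needs: timestamp, event kind, a container id used
# as the join key, and either the executable path or the destination IP.
EVENTS = [
    {"ts": "2024-07-10T10:00:00.000Z", "kind": "process", "container": "c1",
     "exe": "/docker-entrypoint.sh"},
    {"ts": "2024-07-10T10:00:01.200Z", "kind": "network", "container": "c1",
     "dst": "10.0.0.5"},        # private address: must not alert
    {"ts": "2024-07-10T10:00:02.100Z", "kind": "network", "container": "c1",
     "dst": "8.8.8.8"},         # external, inside the window: alert
    {"ts": "2024-07-10T10:00:00.500Z", "kind": "process", "container": "c2",
     "exe": "/app/entrypoint.sh"},
    {"ts": "2024-07-10T10:00:09.000Z", "kind": "network", "container": "c2",
     "dst": "1.1.1.1"},         # external, but outside the window: no alert
    {"ts": "2024-07-10T10:00:01.000Z", "kind": "network", "container": "c3",
     "dst": "1.1.1.1"},         # no entrypoint start seen for c3: no alert
]

def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_external(dst: str) -> bool:
    """True for globally routable destinations; RFC 1918, loopback,
    link-local and similar ranges are not treated as egress."""
    return ip_address(dst).is_global

def detect(events, maxspan=MAXSPAN):
    """Return (container, dst) pairs where an entrypoint.sh start is
    followed within `maxspan` by a connection to an external IP."""
    alerts = []
    last_start = {}  # container id -> time of the latest entrypoint.sh start
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["kind"] == "process" and ev["exe"].endswith("entrypoint.sh"):
            last_start[ev["container"]] = ts
        elif ev["kind"] == "network":
            start = last_start.get(ev["container"])
            if start is not None and ts - start <= maxspan and is_external(ev["dst"]):
                alerts.append((ev["container"], ev["dst"]))
    return alerts
```

Calling `detect(EVENTS)` on the sample set fires only for container `c1`; widening `maxspan` shows how the window alone decides whether the delayed `c2` connection becomes an alert, which is the knob to tune when triaging false positives from slow-starting legitimate entrypoints.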
Categories
  • Containers
  • Endpoint
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1611
Created: 2024-07-10