
File Creation and Execution Detected via Defend for Containers

Elastic Detection Rules

Summary
This rule detects potentially malicious activity in which an interactive process creates and then executes a file within a running Linux container. Such behavior may indicate a breakout attempt or unauthorized access to the underlying host. The detection uses the Event Query Language (EQL) to match a file creation followed shortly by execution of that file, correlating process and file logs from the Cloud Defend integration. The primary indicators of compromise are the sequence of events in which a file is created in a writable directory such as /tmp or /var/tmp and is subsequently executed. The rule is designed for environments running Elastic Stack version 9.3.0 and helps mitigate the risk of intrusions and command-and-control techniques.

Investigation steps include correlating the alert time with container logs, inspecting the newly created file for malicious content, analyzing the process tree for operator commands, and monitoring network activity for signs of an established command-and-control channel. The predefined response strategy is immediate isolation of the compromised workload, preservation of forensic evidence, and eradication of the threat by redeploying from secure images. False positives should be analyzed carefully to distinguish regular development activity from suspicious behavior.
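The following is an added illustration of the sequence logic the summary describes, not the rule's own EQL or any code from Elastic. It replays constructed events (loosely modelled on ECS-style fields; the field names, the one-minute `maxspan` window and the `interactive` flag standing in for "interactive process" are all assumptions) and emits an alert only when a file created in /tmp or /var/tmp by an interactive process is executed within the window. The sample set also includes the benign patterns an analyst would want to see not firing: a file written but never run, a non-interactive CI job, an execution well outside the window, and a file outside the watched directories.

```python
"""Toy re-implementation of the rule's file-create-then-execute sequence.

Constructed events loosely modelled on ECS field names; the field names,
sample values and the one-minute window are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WRITABLE_DIRS = ("/tmp/", "/var/tmp/")  # directories named in the rule summary
MAX_SPAN = timedelta(minutes=1)          # assumed sequence window (EQL maxspan)


@dataclass
class Event:
    ts: datetime
    container_id: str
    process_entity_id: str
    category: str      # "file" or "process"
    action: str        # "creation" or "exec"
    path: str          # file.path for file events, process.executable for exec
    interactive: bool  # assumed flag: True when a TTY is attached to the parent


@dataclass
class Alert:
    container_id: str
    path: str
    created_at: datetime
    executed_at: datetime


def in_writable_dir(path: str) -> bool:
    """True when the path lives under one of the watched writable directories."""
    return path.startswith(WRITABLE_DIRS)


def detect(events: List[Event], maxspan: timedelta = MAX_SPAN) -> List[Alert]:
    """Emit one alert per (container, path) where a file created in a writable
    directory by an interactive process is executed within `maxspan`.

    This mirrors an EQL `sequence by container.id with maxspan=...` of a
    file-creation event followed by a process-start event for the same path.
    """
    alerts: List[Alert] = []
    pending: Dict[Tuple[str, str], Event] = {}  # (container, path) -> creation
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.container_id, ev.path)
        if ev.category == "file" and ev.action == "creation":
            if ev.interactive and in_writable_dir(ev.path):
                pending[key] = ev  # a later creation supersedes an earlier one
        elif ev.category == "process" and ev.action == "exec":
            created = pending.pop(key, None)
            if created is None:
                continue  # nothing in scope was created at this path
            if ev.ts - created.ts <= maxspan:
                alerts.append(Alert(ev.container_id, ev.path, created.ts, ev.ts))
            # an exec outside the window silently closes the pending creation
    return alerts


def sample_events() -> List[Event]:
    """Constructed event stream exercising the true positive and the negatives."""
    t0 = datetime(2026, 2, 6, 12, 0, 0)
    c = "ctr-aaa"  # constructed container id
    s = lambda n: t0 + timedelta(seconds=n)
    return [
        # 1) interactive shell writes /tmp/x and runs it 5 s later -> alert
        Event(s(0), c, "p1", "file", "creation", "/tmp/x", True),
        Event(s(5), c, "p2", "process", "exec", "/tmp/x", True),
        # 2) file written to /tmp but never executed -> no alert
        Event(s(10), c, "p3", "file", "creation", "/tmp/build.o", True),
        # 3) non-interactive (CI) process creates and runs a script -> no alert
        Event(s(20), c, "p4", "file", "creation", "/var/tmp/ci.sh", False),
        Event(s(21), c, "p5", "process", "exec", "/var/tmp/ci.sh", False),
        # 4) created, then executed five minutes later, outside the window -> no alert
        Event(s(30), c, "p6", "file", "creation", "/var/tmp/late", True),
        Event(s(330), c, "p7", "process", "exec", "/var/tmp/late", True),
        # 5) creation outside the watched directories -> out of scope
        Event(s(40), c, "p8", "file", "creation", "/usr/local/bin/tool", True),
        Event(s(41), c, "p9", "process", "exec", "/usr/local/bin/tool", True),
    ]


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"ALERT container={a.container_id} path={a.path} "
              f"created={a.created_at:%H:%M:%S} exec={a.executed_at:%H:%M:%S}")
```

Run as-is it prints a single alert for /tmp/x. The window and the interactive check are the two knobs that govern false positives in this pattern: widening the window catches slower operators at the cost of more build-tool noise, and dropping the interactive condition would make case 3 fire.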
Categories
  • Containers
Data Sources
  • Container
  • Process
  • File
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1071
Created: 2026-02-06