
Summary
This rule detects anomalous shell execution within container namespaces in a Cisco Isovalent environment. It identifies when a shell (e.g., sh, bash) is executed inside a container, which matters because such activity can indicate an attacker gaining interactive access, potentially leading to serious consequences such as data theft or service disruption. The detection relies on process execution logs to flag these events; left unmonitored, they represent a significant risk. Cisco Isovalent Process Exec data provides the visibility needed to surface this activity, and proper integration with Splunk is required to leverage this detection effectively.
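As an added illustration of the detection logic (example code, not part of the rule or its vendor content), the following Python sketch scans newline-delimited process-exec events and flags shell binaries that start inside a pod container while ignoring host-level shells. The Tetragon-style JSON layout (`process_exec.process.binary`, `process_exec.process.pod`, `process_exec.parent`) and the sample events are assumptions, since the page does not show the event schema.

```python
import json
import os

# Shell interpreters whose start inside a container this check flags (constructed list).
SHELL_NAMES = {"sh", "bash", "dash", "ash", "zsh", "ksh"}


def is_container_shell_exec(event):
    """True when a process_exec event records a shell starting inside a pod container."""
    proc = event.get("process_exec", {}).get("process", {})
    if not proc.get("pod"):  # host processes carry no pod metadata: out of scope
        return False
    return os.path.basename(proc.get("binary", "")) in SHELL_NAMES


def find_shell_execs(raw_lines):
    """Parse newline-delimited JSON exec events and summarise the flagged ones."""
    hits = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of failing the batch
        if not is_container_shell_exec(event):
            continue
        proc = event["process_exec"]["process"]
        hits.append({
            "namespace": proc["pod"].get("namespace"),
            "pod": proc["pod"].get("name"),
            "container": proc["pod"].get("container", {}).get("name"),
            "binary": proc["binary"],
            "arguments": proc.get("arguments", ""),
            "parent": event["process_exec"].get("parent", {}).get("binary"),
        })
    return hits


# Constructed sample events in the Tetragon-style layout assumed above (not real telemetry).
SAMPLE_EVENTS = [
    '{"process_exec":{"process":{"binary":"/usr/sbin/nginx","arguments":"-g daemon off;","pod":{"namespace":"prod","name":"web-7d9f","container":{"name":"nginx"}}},"parent":{"binary":"/usr/bin/containerd-shim-runc-v2"}}}',
    '{"process_exec":{"process":{"binary":"/bin/bash","arguments":"-i","pod":{"namespace":"prod","name":"web-7d9f","container":{"name":"nginx"}}},"parent":{"binary":"/usr/sbin/nginx"}}}',
    '{"process_exec":{"process":{"binary":"/bin/bash","arguments":"-c uptime"},"parent":{"binary":"/usr/sbin/sshd"}}}',
    'not json at all',
]

if __name__ == "__main__":
    for hit in find_shell_execs(SAMPLE_EVENTS):
        print(hit)
```

Only the second event is reported: a bash started by nginx inside the web-7d9f pod, which is the kind of parent/child pairing a responder would triage first.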
Categories
- Kubernetes
- Cloud
- Endpoint
Data Sources
- Pod
- Container
- Process
ATT&CK Techniques
- T1543
Created: 2026-01-05