SSH Connection Established Inside A Running Container

Elastic Detection Rules

Summary
This detection rule identifies when an SSH (Secure Shell) connection is established within a running container, a practice that is generally advised against because of the security risks it introduces. An SSH daemon (sshd) running inside a container could be abused by attackers to gain initial access to the environment or to persist within it. The rule uses EQL (Event Query Language) to monitor process events in which an SSH daemon process starts either as the initial process run in the container or as the leader of a new session. The detection is significant because it maps to the Initial Access and Lateral Movement tactics defined in the MITRE ATT&CK framework. Investigation steps include analyzing logs to distinguish legitimate SSH usage from potential threats, reviewing container configurations to determine whether an SSH daemon is actually required, and handling potential false positives. The rule emphasizes isolating affected containers and enforcing security best practices for SSH usage within containerized environments.
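The following is an added example, not Elastic's rule or its EQL query: a small Python emulation of the detection logic the summary describes, run over constructed container process events. The event field names (`container_id`, `is_initial_process`, `is_session_leader`, and so on) are assumptions chosen for the example, not the fields of any real data source. It flags an sshd process only when it starts as the container's initial process or as a new session leader, so a per-connection child forked by an already-detected daemon does not generate a duplicate alert.

```python
import os
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """One process event as it might be collected from a container host.
    Field names are assumptions for this example, not a real schema."""
    action: str              # "start" or "end"
    container_id: str        # empty string means the process ran on the host
    process_name: str
    args: List[str]
    is_initial_process: bool  # the first process run in the container
    is_session_leader: bool   # the process started a new session


@dataclass
class Alert:
    container_id: str
    reason: str              # "initial_process" or "new_session"
    command_line: str


def is_sshd(ev: ProcessEvent) -> bool:
    """Match on the process name or on the basename of the executable
    in argv[0], so "/usr/sbin/sshd -D" is caught even if the reported
    name differs."""
    if ev.process_name == "sshd":
        return True
    return bool(ev.args) and os.path.basename(ev.args[0]) == "sshd"


def detect_sshd_in_container(events: List[ProcessEvent]) -> List[Alert]:
    """Emulates the rule's logic: alert on an sshd process that starts
    inside a container as the initial process or as a new session leader."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.action != "start":
            continue
        if not ev.container_id:
            continue  # host processes are out of scope for this rule
        if not is_sshd(ev):
            continue
        if ev.is_initial_process:
            reason = "initial_process"
        elif ev.is_session_leader:
            reason = "new_session"
        else:
            continue  # e.g. a per-connection child of an existing sshd
        alerts.append(Alert(ev.container_id, reason, " ".join(ev.args)))
    return alerts


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    # sshd is the container's entrypoint: should alert
    ProcessEvent("start", "c-web-01", "sshd", ["/usr/sbin/sshd", "-D"], True, True),
    # sshd launched later in an existing container as a new session: should alert
    ProcessEvent("start", "c-api-07", "sshd", ["/usr/sbin/sshd"], False, True),
    # per-connection child forked by the daemon above: no separate alert
    ProcessEvent("start", "c-api-07", "sshd", ["sshd: root [priv]"], False, False),
    # ordinary container workload: no alert
    ProcessEvent("start", "c-web-01", "nginx", ["nginx", "-g", "daemon off;"], True, True),
    # sshd on the host itself: out of scope
    ProcessEvent("start", "", "sshd", ["/usr/sbin/sshd", "-D"], False, True),
    # process exit events are ignored
    ProcessEvent("end", "c-api-07", "sshd", ["/usr/sbin/sshd"], False, True),
]


if __name__ == "__main__":
    for alert in detect_sshd_in_container(SAMPLE_EVENTS):
        print(f"{alert.container_id}: sshd started ({alert.reason}) -> {alert.command_line}")
```

In a real investigation each alert would be joined with the container's image and configuration to decide whether the daemon is expected (a deliberately SSH-enabled build image, for instance) or warrants isolating the container.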
Categories
  • Containers
  • Linux
  • Cloud
Data Sources
  • Container
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1133
  • T1021
  • T1021.004
Created: 2023-05-12