
Summary
This detection rule identifies interactive shells spawned inside running containers, which can signal a container breakout attempt or unauthorized access to the underlying host. The detection is written in EQL (Event Query Language) and monitors processes started inside containers, focusing on the process actions associated with shell execution (e.g., 'fork', 'exec') combined with arguments that indicate an interactive session, such as '-i' and '-it'. Because interactive shells in containers have many legitimate uses, the rule includes guidance for recognizing and handling false positives. Investigation involves analyzing the context of each alert, reviewing associated logs, understanding the user's behavior, and following procedures to mitigate risk from malicious activity. Response and remediation guidance emphasizes immediate isolation of affected containers, preservation of forensic data, and ongoing strengthening of access controls to prevent unauthorized interaction with containers.
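To make the described detection logic concrete, the following is an added example (not the rule's own EQL query and not Elastic code) that re-implements it in Python and runs it over a few constructed sample events. The field names (event.action, process.name, process.args, container.id, user.name) follow Elastic Common Schema conventions and are an assumption about how container process telemetry is shipped; the allowed_users parameter is a hypothetical tuning knob for suppressing known-benign operators. The flag check generalizes the '-i' / '-it' literals in the summary to any short-option cluster containing 'i'.

```python
"""Added example: Python re-implementation of the interactive-shell-in-container
detection described in the summary. Not the rule's EQL and not Elastic code.
Field paths are ECS-style assumptions (event.action, process.name,
process.args, container.id, user.name)."""
import json

# Shell binaries commonly used for interactive sessions in containers.
SHELL_NAMES = frozenset({"sh", "bash", "dash", "ash", "zsh", "ksh", "csh", "tcsh", "fish"})
# Process actions the summary names as the trigger for shell execution.
TRIGGER_ACTIONS = frozenset({"fork", "exec"})


def _get(ev, dotted, default=None):
    """Walk a nested dict using a dotted ECS-style path such as 'process.name'."""
    cur = ev
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def has_interactive_flag(args):
    """True when any short-option cluster (e.g. '-i', '-it', '-il') requests an
    interactive shell. Long options such as '--init-file' are ignored. This
    generalises the '-i' / '-it' literals in the summary to any cluster
    containing 'i'."""
    for a in args:
        if a.startswith("-") and not a.startswith("--") and "i" in a[1:]:
            return True
    return False


def is_interactive_shell(ev):
    """Apply the rule logic to one parsed event: a fork/exec of a shell binary
    with an interactive flag, observed inside a container."""
    return (
        _get(ev, "container.id") is not None
        and _get(ev, "event.action") in TRIGGER_ACTIONS
        and _get(ev, "process.name") in SHELL_NAMES
        and has_interactive_flag(_get(ev, "process.args", []))
    )


def detect(lines, allowed_users=frozenset()):
    """Parse newline-delimited JSON events and return one alert dict per match.
    allowed_users is a hypothetical false-positive tuning knob: matches by
    those users are dropped so known-benign operators do not page anyone."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        if not is_interactive_shell(ev):
            continue
        user = _get(ev, "user.name", "unknown")
        if user in allowed_users:
            continue
        alerts.append({
            "container_id": _get(ev, "container.id"),
            "user": user,
            "shell": _get(ev, "process.name"),
            "args": _get(ev, "process.args", []),
            "action": _get(ev, "event.action"),
        })
    return alerts


# Constructed sample telemetry (not real data), one ECS-style JSON event per line.
SAMPLE_EVENTS = [
    '{"event":{"action":"exec"},"process":{"name":"bash","args":["bash","-i"]},"container":{"id":"c0ffee01"},"user":{"name":"root"}}',
    '{"event":{"action":"exec"},"process":{"name":"sh","args":["sh","-it"]},"container":{"id":"c0ffee02"},"user":{"name":"ci-runner"}}',
    '{"event":{"action":"exec"},"process":{"name":"sh","args":["sh","-c","echo hi"]},"container":{"id":"c0ffee03"},"user":{"name":"root"}}',
    '{"event":{"action":"exec"},"process":{"name":"bash","args":["bash","-i"]},"user":{"name":"root"}}',
    '{"event":{"action":"end"},"process":{"name":"bash","args":["bash","-i"]},"container":{"id":"c0ffee04"},"user":{"name":"root"}}',
    'not json at all',
]


def run_sample():
    """Run the detector over the constructed sample with 'ci-runner' allowed."""
    return detect(SAMPLE_EVENTS, allowed_users=frozenset({"ci-runner"}))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Of the six constructed lines, only the first produces an alert once the CI user is allowed: the non-interactive `sh -c` invocation, the shell started outside any container, the process-end event and the malformed line are all ignored, which is the behaviour an analyst tuning this rule would want to confirm before relying on it.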
Categories
- Containers
Data Sources
- Container
ATT&CK Techniques
- T1059
- T1059.004
Created: 2023-04-26