Publicly exposed Docker API

Anvilogic Forge

Summary
The rule detects Docker Remote API endpoints that are exposed to the internet. Docker is a widely used containerization platform that simplifies application deployment and management but, if improperly secured, becomes an attack vector. The detection logic runs over event logs collected by web application firewalls (WAF) and looks for interactions with the Docker API over ports 2375 and 2376. These ports provide remote access to the Docker daemon and should ideally be restricted to localhost. Exposing them can allow an attacker to control Docker containers or exploit vulnerabilities such as CVE-2019-5736, which may grant root access to the host system. The rule records requests that originate from non-local IPs and keeps a tabular record of relevant attributes such as timestamps, user agents, and source IP geolocation, so that potential compromises of the Docker environment can be tracked comprehensively. The rule therefore helps mitigate the risks of insecure Docker configurations, particularly in public cloud or hybrid environments where such misconfigurations are common.
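As an added illustration of the detection logic described above (example code written for this page, not the Anvilogic rule itself), the following filters constructed WAF events for Docker API ports 2375/2376 reached from non-local sources and emits the tabular record the summary mentions. The event field names (timestamp, src_ip, dest_port, url, user_agent, src_country) are assumptions about the log schema, and the sample events are constructed, not real telemetry.

```python
import ipaddress

# Constructed sample WAF events; field names are assumed, not a real WAF schema.
SAMPLE_WAF_EVENTS = [
    {"timestamp": "2024-02-09T10:01:12Z", "src_ip": "127.0.0.1", "dest_port": 2375,
     "url": "/v1.41/containers/json", "user_agent": "Docker-Client/24.0.7", "src_country": "US"},
    {"timestamp": "2024-02-09T10:02:40Z", "src_ip": "203.0.113.45", "dest_port": 2375,
     "url": "/containers/create", "user_agent": "python-requests/2.31", "src_country": "NL"},
    {"timestamp": "2024-02-09T10:03:05Z", "src_ip": "198.51.100.7", "dest_port": 2376,
     "url": "/images/json", "user_agent": "curl/8.4.0", "src_country": "DE"},
    {"timestamp": "2024-02-09T10:04:00Z", "src_ip": "10.0.0.5", "dest_port": 2375,
     "url": "/version", "user_agent": "Docker-Client/24.0.7", "src_country": None},
    {"timestamp": "2024-02-09T10:05:30Z", "src_ip": "203.0.113.45", "dest_port": 443,
     "url": "/login", "user_agent": "Mozilla/5.0", "src_country": "NL"},
]

# Docker daemon remote API ports: 2375 (plain HTTP) and 2376 (TLS).
DOCKER_API_PORTS = {2375, 2376}

# Loopback, RFC1918, link-local and IPv6 ULA ranges are treated as "local" sources.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_local_source(ip_str):
    """True if the source address falls inside one of the local ranges above."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LOCAL_NETWORKS)


def detect_exposed_docker_api(events):
    """Return one table row per Docker API request that came from a non-local IP."""
    rows = []
    for ev in events:
        if ev["dest_port"] not in DOCKER_API_PORTS or is_local_source(ev["src_ip"]):
            continue
        rows.append({
            "timestamp": ev["timestamp"],
            "src_ip": ev["src_ip"],
            "src_country": ev.get("src_country") or "unknown",
            "dest_port": ev["dest_port"],
            "url": ev["url"],
            "user_agent": ev["user_agent"],
        })
    return rows


if __name__ == "__main__":
    for row in detect_exposed_docker_api(SAMPLE_WAF_EVENTS):
        print(row)
```

On the sample above only the two requests from 203.0.113.45:2375 and 198.51.100.7:2376 are reported; the loopback and 10.0.0.0/8 clients and the port-443 request are dropped.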
Categories
  • Cloud
  • Containers
  • Infrastructure
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1613
  • T1133
Created: 2024-02-09