
Interactive Privilege Boundary Enumeration Detected via Defend for Containers

Elastic Detection Rules

Summary
This detection rule identifies the execution, inside Linux containers, of commands commonly used to enumerate a privilege boundary: 'id', 'whoami', 'capsh', 'getcap', and 'lsns'. Together these reveal the user and group a process runs as ('id', 'whoami'), the Linux capabilities the process holds or that are set on binaries ('capsh', 'getcap'), and the namespaces the process is confined to ('lsns'), which is what an adversary who has landed in a container checks first when looking for a way to escalate or escape. The rule is written in the Event Query Language (EQL) and matches process start events for these commands that originate from a container; as the rule name indicates, it is aimed at interactive sessions. Analysts should triage alerts from this rule carefully, since the same commands are run legitimately during debugging and administration and the rule can therefore produce false positives. The response actions describe the containment, eradication, and recovery steps to follow once a true positive is confirmed.
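The detection logic described above, reimplemented in Python as an added example so it can be run over sample events offline. This is not the rule's own EQL query (which this page does not reproduce) and not Elastic's code. The field names follow the Elastic Common Schema; representing Defend for Containers events as flat ECS documents with dotted keys, and using process.interactive to express the "interactive" scope in the rule title, are assumptions made for this example. The triage helper that groups hits per container is likewise an addition, not part of the rule.

```python
# Added example: Python reimplementation of the rule's logic, not the rule's
# EQL and not Elastic code. Field names follow ECS; flat dotted keys and the
# process.interactive condition are assumptions made for this example.

ENUMERATION_COMMANDS = {"id", "whoami", "capsh", "getcap", "lsns"}

# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    # Interactive shell in container "abc" walks the privilege boundary: hits.
    {"@timestamp": "2026-02-06T10:00:01Z", "event.category": "process",
     "event.type": "start", "container.id": "abc", "process.name": "id",
     "process.args": ["id"], "process.interactive": True},
    {"@timestamp": "2026-02-06T10:00:04Z", "event.category": "process",
     "event.type": "start", "container.id": "abc", "process.name": "capsh",
     "process.args": ["capsh", "--print"], "process.interactive": True},
    {"@timestamp": "2026-02-06T10:00:09Z", "event.category": "process",
     "event.type": "start", "container.id": "abc", "process.name": "getcap",
     "process.args": ["getcap", "-r", "/"], "process.interactive": True},
    # Same command on the host, outside any container: out of scope.
    {"@timestamp": "2026-02-06T10:01:00Z", "event.category": "process",
     "event.type": "start", "process.name": "whoami",
     "process.args": ["whoami"], "process.interactive": True},
    # Non-interactive entrypoint script calling lsns: out of scope.
    {"@timestamp": "2026-02-06T10:02:00Z", "event.category": "process",
     "event.type": "start", "container.id": "def", "process.name": "lsns",
     "process.args": ["lsns"], "process.interactive": False},
    # Unrelated interactive command in a container: no hit.
    {"@timestamp": "2026-02-06T10:02:30Z", "event.category": "process",
     "event.type": "start", "container.id": "def", "process.name": "curl",
     "process.args": ["curl", "http://example.test/"], "process.interactive": True},
    # Process end event for a listed command: only starts are matched.
    {"@timestamp": "2026-02-06T10:03:00Z", "event.category": "process",
     "event.type": "end", "container.id": "def", "process.name": "id",
     "process.args": ["id"], "process.interactive": True},
]


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies every condition of the rule."""
    return (
        event.get("event.category") == "process"
        and event.get("event.type") == "start"
        and bool(event.get("container.id"))          # must originate from a container
        and event.get("process.interactive") is True  # interactive scope (assumed field)
        and event.get("process.name") in ENUMERATION_COMMANDS
    )


def run_rule(events: list[dict]) -> list[dict]:
    """Apply the rule to a batch of events and return the alerts it raises."""
    return [e for e in events if matches_rule(e)]


def summarize_by_container(alerts: list[dict]) -> dict[str, list[str]]:
    """Triage aid (added here, not part of the rule): distinct enumeration
    commands seen per container.

    A single 'id' from a debugging shell is a plausible false positive; one
    container running several of these commands in sequence is the pattern
    of an operator mapping user, capabilities, and namespaces.
    """
    seen: dict[str, set[str]] = {}
    for alert in alerts:
        seen.setdefault(alert["container.id"], set()).add(alert["process.name"])
    return {cid: sorted(names) for cid, names in seen.items()}


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["@timestamp"], hit["container.id"], " ".join(hit["process.args"]))
    print(summarize_by_container(hits))
```

Running the block yields the three hits from container "abc" and none from the host process, the non-interactive entrypoint, or the process end event; the per-container summary makes it obvious that one container ran three different enumeration commands within seconds, which is the signal worth escalating over a lone 'id'.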
Categories
  • Containers
  • Linux
Data Sources
  • Container
  • Process
ATT&CK Techniques
  • T1613
  • T1082
Created: 2026-02-06