Curl SOCKS Proxy Detected via Defend for Containers

Elastic Detection Rules

Summary
This detection rule identifies use of the "curl" command-line tool with SOCKS proxy options inside Linux containers. Attackers can use such a configuration to tunnel traffic, bypass network restrictions, reach command and control (C2) servers, or exfiltrate sensitive data. The rule specifically looks for 'curl' executed with flags that indicate SOCKS proxy usage, which can indicate malicious activity unless the tool is being used legitimately. The rule is prone to false positives, particularly in development and debugging scenarios where developers run similar commands for benign purposes. Investigation steps are provided for analyzing alerts: gathering the full command details, correlating with Kubernetes metadata, and examining network behavior to separate malicious attempts from legitimate uses of the tool.
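The following is an added illustration of the detection logic the summary describes, written for this page; it is not the Elastic rule's own query, and the event field names (`container_id`, `process_name`, `command_line`) and the sample events are constructed assumptions. It flags a container process event when `curl` is invoked with one of its SOCKS options (`--socks4`, `--socks4a`, `--socks5`, `--socks5-hostname`) or with `-x`/`--proxy`/`--preproxy` pointing at a `socks://` URL, and leaves ordinary HTTP proxy use alone.

```python
import os
import re
import shlex

# Constructed sample process-exec events in the shape a container
# process data source might emit (field names are assumptions).
SAMPLE_EVENTS = [
    {"container_id": "abc123", "process_name": "curl",
     "command_line": "curl --socks5 10.0.0.5:1080 http://internal.example/api"},
    {"container_id": "abc123", "process_name": "curl",
     "command_line": "curl -x socks5h://127.0.0.1:9050 https://example.org"},
    {"container_id": "def456", "process_name": "curl",
     "command_line": "curl -sSL https://example.org/health"},
    {"container_id": "def456", "process_name": "wget",
     "command_line": "wget https://example.org/file"},
    {"container_id": "ghi789", "process_name": "curl",
     "command_line": "curl --proxy http://proxy.corp:3128 https://example.org"},
]

# curl's dedicated SOCKS options, and the generic proxy options that accept a scheme.
SOCKS_FLAGS = {"--socks4", "--socks4a", "--socks5", "--socks5-hostname"}
PROXY_FLAGS = {"-x", "--proxy", "--preproxy"}
SOCKS_URL = re.compile(r"^socks(4a?|5h?)://", re.IGNORECASE)


def uses_socks_proxy(command_line):
    """Return True if the command line is a curl invocation that uses a SOCKS proxy."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        # Unbalanced quoting: cannot parse reliably, so do not match.
        return False
    if not argv or os.path.basename(argv[0]) != "curl":
        return False
    for i, arg in enumerate(argv):
        name, _, value = arg.partition("=")
        # --socks5 host:port  or  --socks5=host:port
        if name in SOCKS_FLAGS:
            return True
        # -x socks5://host:port  /  --proxy=socks5://host:port
        if name in PROXY_FLAGS:
            target = value if value else (argv[i + 1] if i + 1 < len(argv) else "")
            if SOCKS_URL.match(target):
                return True
        # -xsocks5://host:port (short option with attached value)
        if arg.startswith("-x") and len(arg) > 2 and SOCKS_URL.match(arg[2:]):
            return True
    return False


def find_socks_proxy_alerts(events):
    """Filter container process events down to curl-with-SOCKS-proxy executions."""
    return [
        e for e in events
        if e.get("process_name") == "curl" and uses_socks_proxy(e.get("command_line", ""))
    ]


if __name__ == "__main__":
    for alert in find_socks_proxy_alerts(SAMPLE_EVENTS):
        print(f"ALERT container={alert['container_id']}: {alert['command_line']}")
```

Two caveats when triaging with logic like this: curl also honours the `ALL_PROXY` environment variable, so a SOCKS proxy configured through the environment will not appear on the command line and needs the process environment or network telemetry from the investigation steps above; and an unresolvable short form such as `-xsocks5://` relies on the agent capturing the full argument list, so confirm the command-line field is not truncated before dismissing a partial match.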
Categories
  • Containers
Data Sources
  • Container
  • Process
ATT&CK Techniques
  • T1572
Created: 2026-01-22