
Summary
This rule detects Linux container process termination attempts by monitoring containerized process executions that invoke process-killing utilities (kill, pkill, killall) or wrappers (bash/sh) with kill-related arguments. It fires when a process starts (event.type == "start") with event.action == "exec" inside a container (container.id pattern) and the command lineage indicates an attempt to terminate services, agents, or competing processes. It accounts for tools that spawn the target utility as a subprocess (e.g., shells invoking kill via args) while excluding benign operations like manual pages or simple file permission changes to reduce false positives.

The detection maps to MITRE ATT&CK T1489 (Service Stop) under the Impact tactic (TA0040). The rule is designed to catch adversaries seeking to seize control of a workload by stopping essential services or security tooling, potentially preceding persistence or resource manipulation.

Triage/analysis guidance covers correlating the kill event with exec/attach activity, health checks, pod restarts, and startup scripts; assessing whether the kill was admin-initiated or malicious; and looking for corroborating disruption indicators.

Response guidance includes quarantining the pod/container, collecting volatile artifacts (process tree, PID/name, signal, network connections, filesystem diffs), redeploying from trusted images, rotating credentials/tokens, and applying least-privilege and runtime policy controls to deny process-termination utilities where not required. False positives may arise from legitimate maintenance or debugging workflows that terminate processes during deployments or troubleshooting.
Categories
- Containers
- Linux
Data Sources
- Process
- Container
ATT&CK Techniques
- T1489
Created: 2026-03-05