
Summary
This detection rule targets the creation or startup of Docker containers from an Alpine image, activity that has been linked to the Doki malware. Alpine itself is a non-malicious public image that attackers exploit: the key weakness is the use of widely available public images, like Alpine, that incorporate curl, which lets an attacker execute commands as soon as the container starts. Because such images are commonly accessible, attackers have no need for concealed hosting of a custom image. The rule uses Splunk logic to monitor HTTP requests associated with Docker operations, focusing on HTTP POST requests directed at Docker's default daemon ports (2375, 2376). It filters out local IP addresses so that attention falls on potentially malicious external sources, and extracts the relevant fields to make the requests easier to analyze. Event statistics and DNS lookups add context about the origin of the activity and can reveal attacker behaviour. Threat actors associated with this behaviour include TeamTNT and WatchDog, which underlines the need for diligent monitoring of container manipulation that may indicate malicious intent.
Categories
- Cloud
- Containers
- Infrastructure
Data Sources
- Container
ATT&CK Techniques
- T1610
- T1525
Created: 2024-02-09