
Potential Cluster Enumeration via jq Detected via Defend for Containers
Elastic Detection Rules
Summary
This detection rule identifies potential cluster enumeration activity using the 'jq' command within Linux containers. The 'jq' tool, primarily used for parsing JSON data, can be abused by an attacker to extract sensitive information about the cluster and the services running in it. Invoking 'jq' interactively inside a container is unusual behaviour and is typically associated with malicious reconnaissance. The detection triggers when all of the following conditions hold: the 'jq' command is executed in a Linux environment, the process is run interactively, and it runs within a recognized container. While the rule serves as a useful security control, it acknowledges the potential for false positives, particularly in legitimate scenarios such as debugging or troubleshooting, where 'jq' may be used interactively for proper purposes.
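To make the three conditions concrete, here is an added example (not the rule's own query, which the page does not reproduce) that evaluates them over constructed ECS-style process events; the field names `host.os.type`, `process.name`, `process.interactive` and `container.id` are assumptions about how such events are represented.

```python
# Added example: evaluate the rule's stated conditions over constructed events.
# Field names are assumptions; the real rule's query is not shown on the page.

# Constructed sample events (not real telemetry).
CONSTRUCTED_EVENTS = [
    {  # interactive jq inside a container on Linux -> should alert
        "host": {"os": {"type": "linux"}},
        "process": {"name": "jq", "interactive": True,
                    "args": ["jq", ".items[].metadata.name"]},
        "container": {"id": "c0ffee0001"},
    },
    {  # jq run non-interactively (e.g. from a script pipeline) -> no alert
        "host": {"os": {"type": "linux"}},
        "process": {"name": "jq", "interactive": False, "args": ["jq", ".status"]},
        "container": {"id": "c0ffee0002"},
    },
    {  # interactive jq on the host itself, no container context -> no alert
        "host": {"os": {"type": "linux"}},
        "process": {"name": "jq", "interactive": True, "args": ["jq", "."]},
    },
    {  # interactive shell tool other than jq in a container -> no alert
        "host": {"os": {"type": "linux"}},
        "process": {"name": "curl", "interactive": True, "args": ["curl", "-s", "localhost"]},
        "container": {"id": "c0ffee0003"},
    },
]


def _get(event, dotted_path, default=None):
    """Resolve an ECS-style dotted field path against a nested dict."""
    cur = event
    for key in dotted_path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def matches_rule(event):
    """True when all three conditions from the summary hold for one event."""
    on_linux = _get(event, "host.os.type") == "linux"
    is_jq = _get(event, "process.name") == "jq"
    interactive = _get(event, "process.interactive") is True
    in_container = bool(_get(event, "container.id"))
    return on_linux and is_jq and interactive and in_container


def evaluate(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in evaluate(CONSTRUCTED_EVENTS):
        print("alert:", hit["container"]["id"], " ".join(hit["process"]["args"]))
```

Alerts from an evaluator like this still need triage against the false-positive cases the rule itself names, such as an operator debugging inside a container.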
Categories
- Containers
- Linux
Data Sources
- Container
- Process
ATT&CK Techniques
- T1613
Created: 2026-02-02