
Summary
This detection rule identifies an interactive process being launched inside a container. A container normally runs a single non-interactive entrypoint in the background, so a process that is attached to a terminal and waiting for user input is out of place there and is treated as anomalous. Such a session is a risk signal: it may be an attacker who has gained a foothold in the container (or who has exec'd into it) and is now working hands-on-keyboard. The rule relies on process telemetry logged by Elastic Defend through the Elastic Agent and looks for the indicators characteristic of an interactive shell execution. A match can serve as an early warning of unauthorized access or malicious activity within the container; the usual benign cause is an operator debugging a workload with docker exec or kubectl exec, which produces the same telemetry and should be handled with tuning or exceptions rather than by ignoring the alert. The rule is mapped to MITRE ATT&CK technique T1059 (Command and Scripting Interpreter) and its sub-technique T1059.004 (Unix Shell), reflecting that it targets command and scripting interpreters used for execution. The rule requires that Elastic Defend be deployed through Fleet so that process events are collected from the Linux hosts running the containers, and the rule documents the configuration steps needed to set up that integration.
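To show the detection logic concretely, below is an added example (not the rule's own query and not code from Elastic) that applies the same idea to a handful of constructed ECS-style process events. The field names (process.interactive, process.entry_leader.entry_meta.type, container.image.name) follow the ECS conventions that Elastic Defend uses, but the exact fields and query of the real rule are not reproduced on this page, so treat the predicate as an assumed approximation; the allowlist of debug images is an illustrative tuning knob, not part of the rule.

```python
"""Detect interactive processes started inside a container (approximation of the rule).

All events below are constructed for illustration and mirror flattened ECS documents.
"""

def is_interactive_in_container(event):
    """Return True if the event looks like an interactive process inside a container.

    Assumed field semantics (ECS / Elastic Defend):
      - process.interactive: the process has a controlling TTY (user can type into it).
      - process.entry_leader.entry_meta.type: how the session originated; "container"
        means the session's entry leader was started inside a container.
    """
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start":
        return False
    if not event.get("process.interactive", False):
        return False
    if event.get("process.entry_leader.entry_meta.type") != "container":
        return False
    return True


def detect(events, allowlisted_images=frozenset()):
    """Return the events that should alert, skipping images an operator has allowlisted.

    The allowlist is a hypothetical tuning mechanism for known debug/toolbox images
    where interactive use is expected; it is not part of the original rule.
    """
    hits = []
    for event in events:
        if not is_interactive_in_container(event):
            continue
        if event.get("container.image.name") in allowlisted_images:
            continue
        hits.append(event)
    return hits


def describe(event):
    """One-line summary an analyst would want in the alert."""
    return "{} run by {} in container {} (image {})".format(
        event.get("process.command_line", event.get("process.name")),
        event.get("user.name", "?"),
        event.get("container.name", "?"),
        event.get("container.image.name", "?"),
    )


# Constructed sample events.
SAMPLE_EVENTS = [
    {   # normal workload process: background, no TTY -> no alert
        "host.os.type": "linux", "event.type": "start",
        "process.name": "nginx", "process.command_line": "nginx -g daemon off;",
        "process.interactive": False,
        "process.entry_leader.entry_meta.type": "container",
        "container.name": "web", "container.image.name": "nginx", "user.name": "root",
    },
    {   # shell attached to a TTY inside a container (e.g. docker exec -it) -> alert
        "host.os.type": "linux", "event.type": "start",
        "process.name": "bash", "process.command_line": "bash -i",
        "process.interactive": True,
        "process.entry_leader.entry_meta.type": "container",
        "container.name": "web", "container.image.name": "nginx", "user.name": "root",
    },
    {   # interactive shell on the host over SSH: not a container session -> no alert
        "host.os.type": "linux", "event.type": "start",
        "process.name": "bash", "process.command_line": "-bash",
        "process.interactive": True,
        "process.entry_leader.entry_meta.type": "sshd",
        "user.name": "ops",
    },
    {   # non-interactive interpreter use inside a container -> no alert
        "host.os.type": "linux", "event.type": "start",
        "process.name": "python3", "process.command_line": "python3 -c 'print(1)'",
        "process.interactive": False,
        "process.entry_leader.entry_meta.type": "container",
        "container.name": "job", "container.image.name": "python", "user.name": "app",
    },
    {   # interactive shell in a dedicated debug image -> alert unless allowlisted
        "host.os.type": "linux", "event.type": "start",
        "process.name": "sh", "process.command_line": "sh",
        "process.interactive": True,
        "process.entry_leader.entry_meta.type": "container",
        "container.name": "toolbox", "container.image.name": "debug-toolbox", "user.name": "root",
    },
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, allowlisted_images={"debug-toolbox"}):
        print("ALERT:", describe(hit))
```

Run as a script it prints a single alert for the bash session in the nginx container; dropping the allowlist also surfaces the sh session in the debug-toolbox image, which is the tuning decision an analyst would make per environment.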
Categories
- Containers
Data Sources
- Container
- Process
- User Account
ATT&CK Techniques
- T1059
- T1059.004
Created: 2025-03-12