In a Falco rule, you have the condition: 'evt.type=execve and proc.name=bash and container.id!=host'. What does this rule detect?
The rule matches execve events where the process name is bash and it is not running on the host (i.e., inside a container).
Why this answer
The rule triggers when a bash shell is executed (execve) inside any container (container.id != host). It does not check for interactive use; it simply detects bash execution.