Linux Java Spawning Shell

Splunk Security Content

Summary
This analytic detects instances where a Java, Apache, or Tomcat process on a Linux host spawns a shell, a pattern that indicates a potential exploitation attempt. It specifically targets scenarios such as those associated with the Log4Shell vulnerability (CVE-2021-44228). Using Endpoint Detection and Response (EDR) telemetry, the detection examines process names and their parent-child relationships to identify this activity. The rule matters because it can flag a compromised Java application, which could give an attacker unauthorized shell access, execution of arbitrary commands, privilege escalation, or persistent access, all of which pose a significant threat to the environment. Accurate detection and response depend on the relevant logs being ingested and mapped to the appropriate data model.
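The parent/child check the summary describes, as an added Python example that is not the rule's own Splunk search; the field names follow the Splunk Endpoint.Processes data model and the sample events are constructed, not real telemetry.

```python
import os
import re

# Shell binaries the check treats as a "shell" child; compared by basename.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
# Parent names of interest, matched as substrings so that "java",
# "tomcat9" or "apache2" all qualify.
PARENT_PATTERN = re.compile(r"java|apache|tomcat", re.IGNORECASE)


def _basename(name):
    """Normalise a process name that may arrive as a full path, e.g. /bin/sh."""
    return os.path.basename((name or "").strip()).lower()


def is_java_shell_spawn(event):
    """True when a Java/Apache/Tomcat parent spawned a shell child."""
    parent = _basename(event.get("parent_process_name"))
    child = _basename(event.get("process_name"))
    return bool(PARENT_PATTERN.search(parent)) and child in SHELLS


def find_java_shell_spawns(events):
    """Return the matching events with the fields an analyst would triage on."""
    keep = ("dest", "user", "parent_process_name", "process_name", "process")
    return [{k: ev.get(k) for k in keep} for ev in events if is_java_shell_spawn(ev)]


# Constructed sample events (not real telemetry), shaped after the field names
# of the Splunk Endpoint.Processes data model the rule summary refers to.
SAMPLE_EVENTS = [
    # java spawning a shell: the post-exploitation pattern the rule targets -> match
    {"dest": "web01", "user": "tomcat", "parent_process_name": "java",
     "process_name": "/bin/sh", "process": "sh -c id"},
    # startup script spawning java: the reverse direction -> no match
    {"dest": "web01", "user": "tomcat", "parent_process_name": "bash",
     "process_name": "java", "process": "java -jar app.jar"},
    # a shell started by cron: wrong parent -> no match
    {"dest": "web02", "user": "root", "parent_process_name": "cron",
     "process_name": "bash", "process": "bash /etc/cron.daily/logrotate"},
    # apache2 spawning sh: substring parent match -> match (tune for legitimate CGI use)
    {"dest": "web03", "user": "www-data", "parent_process_name": "apache2",
     "process_name": "sh", "process": "sh -c uname"},
]

if __name__ == "__main__":
    for hit in find_java_shell_spawns(SAMPLE_EVENTS):
        print(hit)
```

Hosts that legitimately run CGI or build tooling under these parents will need allow-listing on the `process` field to keep the noise down.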
Categories
  • Endpoint
  • Linux
Data Sources
  • Pod
  • Container
  • Process
ATT&CK Techniques
  • T1190
  • T1133
Created: 2024-11-13