Unusual Process Spawned from Web Server Parent

Elastic Detection Rules

Summary
This detection rule identifies unusual processes spawned from web server parent processes on Linux systems by monitoring low-frequency process activity. It targets specific web server processes and the user accounts they typically run as, since a rare child process in that context can indicate suspicious behavior such as establishing persistence, executing malicious commands, or maintaining command and control channels. The rule uses ES|QL to filter the relevant process logs from the last hour and looks for processes spawned by known web server parent processes. When it finds low-frequency activity tied to those parents, it alerts on a potential compromise, helping security teams respond to possible threats.
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1059
  • T1059.004
  • T1071
Created: 2025-03-04