Webshell Tool Reconnaissance Activity

Summary
This rule detects reconnaissance activity in which a web server spawns processes that probe for the presence of common scripting tools on the system. It works on process creation logs: it selects processes whose parent image is a web server executable such as Caddy, Apache HTTPD, Nginx, PHP-CGI, IIS's w3wp process, or a Java process belonging to Tomcat, and it triggers when such a parent launches a command that requests the help documentation of a scripting tool, including Perl, Python, and Wget. The implementation therefore checks both the parent image of the spawned process and its command-line arguments for patterns indicative of this reconnaissance behavior. A web server process has little legitimate reason to query a tool's help output, whereas an attacker operating through a webshell commonly does so to learn which interpreters and download utilities are available for the next stage. Identifying this behavior lets organizations respond early to a likely compromise. The rule's high severity level reflects the seriousness of the activity, and alerts from it should be weighted accordingly when evaluating security events on the network.
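The following is an added example, not the rule's own source or any project code, showing how the parent-image and command-line checks described above can be applied to process-creation events. The parent executable names and the help-flag pattern are constructed approximations of the description; the rule's exact selection lists are not reproduced on this page.

```python
import re
from dataclasses import dataclass

# Web server executables named in the description as suspicious parents.
# Constructed approximation (assumption); "apache2" is added as the common
# Linux name for Apache HTTPD and is not taken from the page.
WEB_SERVER_PARENTS = (
    "caddy", "httpd", "apache2", "nginx", "php-cgi", "w3wp.exe", "java", "tomcat",
)

# A scripting tool from the description followed by a help-documentation request.
TOOL_HELP = re.compile(
    r"\b(perl|python[0-9.]*|wget)(\.exe)?\s+(--help|-h)\b", re.IGNORECASE
)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent executable
    command_line: str   # command line of the spawned process


def parent_is_web_server(parent_image: str) -> bool:
    # Compare on the basename, case-insensitively, so both
    # /usr/sbin/nginx and C:\...\inetsrv\w3wp.exe are recognised.
    base = re.split(r"[\\/]", parent_image)[-1].lower()
    return any(base == p or base.startswith(p) for p in WEB_SERVER_PARENTS)


def is_webshell_recon(ev: ProcessEvent) -> bool:
    # Both conditions must hold: web server parent AND tool help request.
    return parent_is_web_server(ev.parent_image) and TOOL_HELP.search(ev.command_line) is not None


def scan(events):
    return [ev for ev in events if is_webshell_recon(ev)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/nginx", "/bin/sh -c 'wget --help'"),
    ProcessEvent("C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmd.exe /c python --help"),
    ProcessEvent("/usr/bin/php-cgi", "perl -h"),
    ProcessEvent("/usr/sbin/nginx", "/usr/bin/php-fpm --nodaemonize"),  # benign child
    ProcessEvent("/usr/bin/bash", "python --help"),                      # parent is not a web server
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_image} cmd={ev.command_line!r}")
```

The first three sample events match (web server parent plus a help request for Wget, Python, or Perl); the remaining two are filtered out by one of the two conditions.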
Categories
  • Endpoint
  • Cloud
  • Web
Data Sources
  • Process
Created: 2020-07-22