
Suspicious Confluence Child Process - Windows

Anvilogic Forge

Summary
This rule detects suspicious child processes spawned by Confluence on Windows hosts. Threat actors may exploit Confluence vulnerabilities such as CVE-2023-22527 and CVE-2023-22518 to gain unauthorized access and then use Confluence's own functionality to run command-line utilities. The detection looks for Confluence processes (specifically the bundled 'tomcat' or 'java.exe' executables) launching command-line tools commonly associated with malicious activity, such as 'powershell.exe', 'cmd.exe', and other well-known executables favored by attackers. The logic relies on Sysmon event code 1, which records process creation, and applies regex patterns to the parent process path, requiring it to contain 'Confluence', to confirm that the parent process genuinely belongs to the Confluence installation. A match indicates a potential attack originating from Confluence and warrants immediate investigation to prevent further exploitation or lateral movement within the network.
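As an added illustration, not Anvilogic's rule logic, the following Python models the parent/child check described above over constructed Sysmon Event ID 1 records. It assumes Sysmon's ParentImage/Image/CommandLine field names, and the child-process list is limited to the two executables named on this page.

```python
import re

# Sysmon Event ID 1 = process creation
SYSMON_PROCESS_CREATE = 1

# Parent must be Confluence's bundled Tomcat/Java, and its path must contain "Confluence".
CONFLUENCE_PARENT_PATH = re.compile(r"confluence", re.IGNORECASE)
CONFLUENCE_PARENT_IMAGE = re.compile(r"(tomcat[^\\/]*|java)\.exe$", re.IGNORECASE)

# Child executables named on this page; the rule's full list is not reproduced here (assumption).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_confluence_child(event: dict) -> bool:
    """True when a Confluence Tomcat/Java parent spawns a listed command-line tool."""
    if event.get("EventID") != SYSMON_PROCESS_CREATE:
        return False
    parent = event.get("ParentImage", "")
    if not CONFLUENCE_PARENT_PATH.search(parent):
        return False  # some other Java/Tomcat service, not Confluence
    if not CONFLUENCE_PARENT_IMAGE.search(parent):
        return False  # Confluence path, but not the tomcat/java process itself
    return basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN


def find_alerts(events):
    """Return every event that the rule would raise as an alert."""
    return [e for e in events if is_suspicious_confluence_child(e)]


# Constructed sample telemetry (not real data): two true positives, three benign records.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "ParentImage": r"C:\Atlassian\Confluence\bin\tomcat9.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Atlassian\Jira\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 5, "ParentImage": r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["ParentImage"], "->", alert.get("CommandLine"))
```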
Categories
  • Windows
Data Sources
  • Process
  • Command
  • Application Log
ATT&CK Techniques
  • T1190
Created: 2024-02-09