
Summary
This detection rule identifies attempts to execute a child process from an Electron application using the Node.js child_process module. Adversaries may abuse this module to inherit the permissions of the parent Electron process and run commands without authorization. The rule applies to macOS hosts and uses a KQL query to search process start logs for a specific event pattern: events of type 'start', originating from a macOS host, whose process arguments point to child_process use, specifically an argument list containing -e together with require('child_process'). The rule is part of the Elastic Defend integration, which must be set up with Elastic Agent so that the relevant process data is collected and shipped.
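To make the matching logic concrete, the following is an added example (not the Elastic rule's own query) that applies the same three conditions to ECS-style process events. The sample events are constructed, and matching the arguments by substring is an assumption about how the rule behaves rather than a statement of its KQL semantics.

```python
# Offline re-implementation of the detection logic described above.
# Event shape follows ECS field names (event.type, host.os.type,
# process.args); the events below are constructed, not real telemetry.
from typing import Iterable

EVAL_FLAG = "-e"
CHILD_PROCESS_REQUIRE = "require('child_process')"


def matches_rule(event: dict) -> bool:
    """True when a process event fits the rule: a process start on a macOS
    host whose arguments carry both the Node -e (eval) flag and a
    require('child_process') call (substring match is an assumption)."""
    if event.get("event", {}).get("type") != "start":
        return False
    if event.get("host", {}).get("os", {}).get("type") != "macos":
        return False
    args = event.get("process", {}).get("args") or []
    has_eval = EVAL_FLAG in args
    has_child_process = any(CHILD_PROCESS_REQUIRE in a for a in args)
    return has_eval and has_child_process


def find_matches(events: Iterable[dict]) -> list:
    """Return the process names of the events that trigger the rule."""
    return [e["process"]["name"] for e in events if matches_rule(e)]


# Constructed sample events: one true positive and three near misses.
SAMPLE_EVENTS = [
    {   # node -e with child_process spawned under Electron: should match
        "event": {"type": "start"}, "host": {"os": {"type": "macos"}},
        "process": {"parent": {"name": "Electron"}, "name": "node",
                    "args": ["node", "-e", "require('child_process').execSync('id')"]},
    },
    {   # identical arguments on a Windows host: outside the rule's scope
        "event": {"type": "start"}, "host": {"os": {"type": "windows"}},
        "process": {"name": "node.exe",
                    "args": ["node.exe", "-e", "require('child_process').execSync('id')"]},
    },
    {   # ordinary script run on macOS: no -e flag, no child_process
        "event": {"type": "start"}, "host": {"os": {"type": "macos"}},
        "process": {"name": "node", "args": ["node", "build.js"]},
    },
    {   # same suspicious arguments but a process end event, not a start
        "event": {"type": "end"}, "host": {"os": {"type": "macos"}},
        "process": {"name": "node", "args": ["node", "-e", "require('child_process')"]},
    },
]

if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # ['node']
```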
Categories
- Endpoint
- macOS
Data Sources
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1059
- T1548
Created: 2020-01-07