Windows TeamCity Payload Execution from Temp Directory

Splunk Security Content

Summary
This rule detects potential payload execution originating from a JetBrains TeamCity process by monitoring Java processes that reference the Windows TEMP directory. The intent is to catch an attacker chaining TeamCity to stage and execute a payload (commonly associated with remote code execution via Metasploit) from TEMP.

The alert triggers when endpoint telemetry shows a Java process (the one bundled with TeamCity) whose command line or file path matches indicators such as -classpath, Windows TEMP paths (e.g., ~spawn in TEMP, *.tmp.dir), files containing Payload or TeamCity identifiers, and related parent/child process relationships. The detection aggregates rich process context (process name, hash, vendor product, user, parent process, current/parent paths, integrity level, etc.) to help triage and investigate how the payload was invoked and by whom.

The rule targets data from Sysmon process creation events, Windows Security Event ID 4688, and CrowdStrike ProcessRollup2, normalized to the Endpoint.Process CIM data model. Final filtering uses existing Splunk macros (drop_dm_object_name and time normalization) and a dedicated filter macro (windows_teamcity_payload_execution_from_temp_directory_filter). When triggered, the alert surfaces the destination host as the risk object and flags the parent process name and the executing process as threat objects for immediate investigation.

The rule aligns with known TeamCity vulnerability activity and the Metasploit-exploited workflows described in the references, and supports drilldown by user or destination for rapid incident analysis. False positives may occur during legitimate TeamCity maintenance or updates that spawn Java processes from TEMP, so tuning and corroboration with TeamCity activity is advised.
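The following added example is not Splunk's rule or its SPL; it is an approximation of the described indicators written in Python, applied to constructed Endpoint.Process-style records (field names dest, user, process_name, parent_process_name, process), so an analyst can see which command-line features the logic keys on and how the risk and threat objects are derived.

```python
import re

# Constructed process-creation records in Endpoint.Process CIM field names.
# These are not real telemetry; "process" holds the full command line.
SAMPLE_EVENTS = [
    {"dest": "build01", "user": "SYSTEM", "process_name": "java.exe",
     "parent_process_name": "TeamCityService.exe",
     "process": r'"C:\TeamCity\jre\bin\java.exe" -classpath '
                r'C:\Windows\Temp\~spawn3912.tmp.dir Payload'},
    {"dest": "build01", "user": "SYSTEM", "process_name": "java.exe",
     "parent_process_name": "TeamCityService.exe",
     "process": r'"C:\TeamCity\jre\bin\java.exe" -classpath '
                r'C:\TeamCity\lib\* jetbrains.buildServer.agent.Main'},
    {"dest": "ws02", "user": "alice", "process_name": "notepad.exe",
     "parent_process_name": "explorer.exe",
     "process": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.txt"},
]

# Indicators named in the rule summary (assumed patterns, not the rule's exact SPL).
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)
STAGING_MARKERS = re.compile(r"~spawn|\.tmp\.dir|Payload", re.IGNORECASE)


def indicators_for(event):
    """Return the indicators seen in one record; an empty list means no alert."""
    cmd = event.get("process", "")
    parent = event.get("parent_process_name", "").lower()
    # Scope: the Java runtime launched by, or located under, TeamCity.
    is_teamcity_java = (event.get("process_name", "").lower() == "java.exe"
                        and ("teamcity" in cmd.lower() or "teamcity" in parent))
    if not is_teamcity_java or not TEMP_PATH.search(cmd):
        return []
    hits = ["temp_path"] + [m.lower() for m in STAGING_MARKERS.findall(cmd)]
    if "-classpath" in cmd:
        hits.append("-classpath")
    # A TEMP reference alone is common during upgrades; require a staging marker too.
    return hits if len(hits) > 1 and any(h != "-classpath" for h in hits[1:]) else []


def detect(events):
    """Build alerts with the risk object (dest) and threat objects the rule flags."""
    alerts = []
    for ev in events:
        hits = indicators_for(ev)
        if hits:
            alerts.append({"risk_object": ev["dest"], "user": ev["user"],
                           "threat_objects": [ev["parent_process_name"], ev["process_name"]],
                           "indicators": hits})
    return alerts
```

The second record (a normal agent start with -classpath but no TEMP staging) is deliberately left quiet, which mirrors the tuning advice above.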
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1190
  • T1505.003
  • T1059
Created: 2026-04-13