Unusual Interactive Shell Launched from System User

Elastic Detection Rules

Summary
The rule titled 'Unusual Interactive Shell Launched from System User' detects potentially malicious activity whenever an interactive shell is launched by a system user on a Linux host. System users are typically non-interactive service accounts that perform specific system functions and never need terminal access, so an interactive shell running under such an account may indicate that an adversary is abusing the account to bypass security controls and gain unauthorized access. The rule uses a KQL-based query to identify process events in which a shell is launched by specific system users, filtering out known legitimate process behaviors to reduce false positives. It carries a risk score of 21 and a low severity classification; matches should nevertheless be investigated promptly so that potential threats are mitigated early. The rule requires the Elastic Defend integration for data collection, ensuring adequate monitoring of process activity on the endpoint. An investigation framework is provided to analyze such anomalies and refine the detection, ultimately strengthening the security posture against misuse of system accounts.
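The detection idea described above, expressed as a small Python filter over constructed ECS-style process events. This is an added example, not the rule's own KQL query and not code from Elastic; the set of system users, the allowlist of benign parent processes, and the use of the `process.interactive` and `process.args` fields to decide whether a shell is interactive are all assumptions made for illustration.

```python
# Added example: re-implementation of the detection idea (not the Elastic rule's query).
# Flags process-start events where a system (service) account launches an interactive
# shell, and suppresses known-benign launchers to reduce false positives.
# Field names follow ECS conventions; the lists below are assumptions, not the rule's.

SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "fish"}

# Assumed list of non-interactive service accounts; tune to the host's /etc/passwd.
SYSTEM_USERS = {"daemon", "nobody", "www-data", "mysql", "postgres", "sshd", "_apt", "messagebus"}

# Assumed allowlist of parent processes that legitimately spawn shells as service users.
LEGIT_PARENTS = {"cron", "crond", "run-parts"}


def is_interactive_shell(event: dict) -> bool:
    """True if the process is a shell with a controlling terminal or started with -i."""
    if event.get("process.name") not in SHELLS:
        return False
    if event.get("process.interactive") is True:
        return True
    return "-i" in event.get("process.args", [])


def evaluate(event: dict) -> bool:
    """Apply the rule logic to one event: process start, system user, interactive shell,
    and not launched by an allowlisted parent."""
    if event.get("event.category") != "process" or "start" not in event.get("event.type", []):
        return False
    if event.get("user.name") not in SYSTEM_USERS:
        return False
    if not is_interactive_shell(event):
        return False
    if event.get("process.parent.name") in LEGIT_PARENTS:
        return False
    return True


def triage(events: list) -> list:
    """Return (host, user, shell, parent) tuples for every matching event."""
    return [
        (e["host.name"], e["user.name"], e["process.name"], e.get("process.parent.name"))
        for e in events
        if evaluate(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host.name": "web-01", "event.category": "process", "event.type": ["start"],
     "user.name": "www-data", "process.name": "bash", "process.interactive": True,
     "process.args": ["bash"], "process.parent.name": "nginx"},            # alert
    {"host.name": "web-01", "event.category": "process", "event.type": ["start"],
     "user.name": "root", "process.name": "bash", "process.interactive": True,
     "process.args": ["bash"], "process.parent.name": "sshd"},             # admin login, not a system user
    {"host.name": "db-01", "event.category": "process", "event.type": ["start"],
     "user.name": "postgres", "process.name": "sh", "process.interactive": False,
     "process.args": ["sh", "-c", "pg_dump mydb"], "process.parent.name": "cron"},  # non-interactive job
    {"host.name": "db-01", "event.category": "process", "event.type": ["start"],
     "user.name": "postgres", "process.name": "bash", "process.interactive": False,
     "process.args": ["bash", "-i"], "process.parent.name": "cron"},       # -i but allowlisted parent
    {"host.name": "db-01", "event.category": "process", "event.type": ["start"],
     "user.name": "mysql", "process.name": "sh", "process.interactive": True,
     "process.args": ["sh"], "process.parent.name": "sudo"},               # alert
    {"host.name": "db-01", "event.category": "file", "event.type": ["creation"],
     "user.name": "daemon", "process.name": "bash", "process.interactive": True,
     "process.args": ["bash"], "process.parent.name": "init"},             # not a process-start event
]


if __name__ == "__main__":
    for host, user, shell, parent in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: system user {user} launched interactive {shell} (parent: {parent})")
```

The allowlist is the part that needs the most care in practice: every parent added to `LEGIT_PARENTS` is a blind spot, so it should be limited to launchers observed in the environment's baseline rather than anything that merely looks like scheduling infrastructure.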
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Logon Session
  • Sensor Health
ATT&CK Techniques
  • T1564
  • T1564.002
Created: 2024-11-04