
Summary
Detects the creation of executable file formats within the Atlassian Confluence directory on Windows endpoints by analyzing Sysmon FileCreate events (Sysmon EventID 11) captured via EDR telemetry. The rule matches file_path values that reside under Atlassian\\Confluence and end in an executable or script extension: .bat, .cmd, .dat, .dll, .exe, .msc, .ps1, .vbe, or .vbs. Results are aggregated by destination host, file creation time, and the creating process context (process_path, process_guid, process_id, file_path, action, file_name, user, vendor_product). The intent is to surface malware staging or exploitation of the Confluence web service, since an attacker who has gained execution may drop executables in the Confluence directory to run or reuse later. The detection relies on endpoint telemetry normalized to the CIM, requiring ingestion of complete command lines and mapping to the Endpoint data model. Because the match is anchored on the Confluence path, files written anywhere else on the host are not caught, so a change of output location bypasses the rule. The rule includes drilldown views to inspect per-user and per-destination results and risk context; its risk object is the destination host and its threat object is the file_path, flagging executable creation under a Confluence path as a potential compromise.
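The matching and aggregation logic described above, replayed over a few constructed Sysmon EventID 11 records, as an added example that is not part of the original rule or its SPL (field names follow the CIM-style names quoted in the summary; the sample events, the host name CONF-WEB01 and the process GUID are made up):

```python
import re
from collections import defaultdict

# Extensions named by the rule, matched case-insensitively on file_path.
EXECUTABLE_EXTS = (".bat", ".cmd", ".dat", ".dll", ".exe", ".msc", ".ps1", ".vbe", ".vbs")
# The path segment the rule keys on; anything created outside it is never alerted.
CONFLUENCE_DIR = re.compile(r"\\atlassian\\confluence\\", re.IGNORECASE)

# Constructed Sysmon records already normalized to CIM-style field names (not real telemetry).
JAVA = "C:\\Program Files\\Atlassian\\Confluence\\jre\\bin\\java.exe"
SAMPLE_EVENTS = [
    {"event_id": 11, "dest": "CONF-WEB01", "user": "NT AUTHORITY\\SYSTEM", "process_path": JAVA,
     "process_guid": "{guid-1}", "process_id": 4120, "file_create_time": "2026-04-13T10:01:02Z",
     "file_path": "C:\\Program Files\\Atlassian\\Confluence\\temp\\update.EXE"},
    {"event_id": 11, "dest": "CONF-WEB01", "user": "NT AUTHORITY\\SYSTEM", "process_path": JAVA,
     "process_guid": "{guid-1}", "process_id": 4120, "file_create_time": "2026-04-13T10:01:03Z",
     "file_path": "C:\\Program Files\\Atlassian\\Confluence\\logs\\catalina.2026-04-13.log"},
    {"event_id": 11, "dest": "CONF-WEB01", "user": "NT AUTHORITY\\SYSTEM", "process_path": JAVA,
     "process_guid": "{guid-1}", "process_id": 4120, "file_create_time": "2026-04-13T10:01:04Z",
     "file_path": "C:\\Windows\\Temp\\stage.ps1"},  # outside the Confluence path: the rule's blind spot
    {"event_id": 1, "dest": "CONF-WEB01", "user": "NT AUTHORITY\\SYSTEM", "process_path": JAVA,
     "process_guid": "{guid-1}", "process_id": 4120, "file_create_time": "2026-04-13T10:01:05Z",
     "file_path": "C:\\Program Files\\Atlassian\\Confluence\\temp\\loader.dll"},  # not a FileCreate event
]

def matches_rule(ev):
    """True when a FileCreate lands under Atlassian\\Confluence with a targeted extension."""
    if ev.get("event_id") != 11:
        return False
    path = ev.get("file_path", "")
    return CONFLUENCE_DIR.search(path) is not None and path.lower().endswith(EXECUTABLE_EXTS)

def run_detection(events):
    """Aggregate matching events by destination host and creating-process context,
    keeping first/last creation time and the created files, like the rule's stats step."""
    groups = defaultdict(lambda: {"count": 0, "file_paths": [], "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["dest"], ev["process_path"], ev["process_guid"], ev["process_id"], ev["user"])
        g = groups[key]
        g["count"] += 1
        g["file_paths"].append(ev["file_path"])
        t = ev["file_create_time"]  # ISO-8601 UTC, so string comparison orders correctly
        g["firstTime"] = t if g["firstTime"] is None or t < g["firstTime"] else g["firstTime"]
        g["lastTime"] = t if g["lastTime"] is None or t > g["lastTime"] else g["lastTime"]
    return [dict(dest=k[0], process_path=k[1], process_guid=k[2], process_id=k[3], user=k[4], **v)
            for k, v in groups.items()]
```

Only the first record produces a row; the .ps1 written to C:\Windows\Temp and the .dll reported by a non-FileCreate event are both dropped, which is the evasion gap the summary calls out.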
Categories
- Endpoint
- Windows
Data Sources
- Script
- Windows Registry
- File
- Process
- Module
- Pod
- Image
- Logon Session
- Certificate
- WMI
- Drive
- Snapshot
- Kernel
- Driver
- Volume
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Network Share
- Cloud Storage
- Container
- Cloud Service
- Application Log
- Internet Scan
- User Account
- Named Pipe
- Firewall
ATT&CK Techniques
- T1190
- T1608.001
- T1608.002
Created: 2026-04-13