
Summary
This detection rule identifies potential command injection attacks targeting Apache Spark through process creation events. Specifically, it is designed to catch exploitation attempts related to CVE-2014-6287 and CVE-2022-33891. The rule monitors command lines for a specific pattern, namely the `id -Gn` command used to query a user's groups, whose appearance under a Spark-spawned shell may indicate unauthorized execution of shell commands. By requiring that the parent image of the process creation event ends with '\bash' and that the command line contains that pattern, it raises alerts on suspicious activity while keeping false positives low. This rule applies primarily to Linux environments where Apache Spark is deployed, helping security teams detect exploitation attempts early in the attack lifecycle.
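The two conditions described above, applied to a handful of constructed process-creation events, as an added illustration that is not the rule's own logic or any SIEM's implementation. The `ProcessEvent` fields, the helper names and the sample events are this example's assumptions; the parent-image check accepts both '/' and '\' as separators so that a Linux path such as `/bin/bash` satisfies the suffix the summary spells as '\bash'.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation event; field names are this example's own."""
    parent_image: str
    command_line: str


# Criteria restated from the rule description: parent is a bash shell and the
# command line carries the group-enumeration command the rule keys on.
PARENT_IMAGE_SUFFIXES = ("/bash", "\\bash")  # assumption: accept either separator
COMMAND_LINE_PATTERN = "id -Gn"


def matches_rule(event: ProcessEvent) -> bool:
    """True when both rule conditions hold for a single event."""
    parent_is_bash = event.parent_image.endswith(PARENT_IMAGE_SUFFIXES)
    return parent_is_bash and COMMAND_LINE_PATTERN in event.command_line


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return every event that satisfies the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Shell spawned by a Spark daemon enumerating groups: matches.
    ProcessEvent("/bin/bash", "bash -c id -Gn sparkuser"),
    # Same command line but the parent is not bash: no match.
    ProcessEvent("/usr/bin/python3", "id -Gn sparkuser"),
    # bash parent but an unrelated command: no match.
    ProcessEvent("/usr/bin/bash", "ls -la /opt/spark/logs"),
    # Interactive admin check from a bash prompt: also matches, which is the
    # main benign source of hits to tune for (e.g. by grandparent process or user).
    ProcessEvent("/bin/bash", "id -Gn"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={hit.parent_image!r} cmd={hit.command_line!r}")
```

Running the block prints two alerts: the Spark-spawned shell and the interactive admin check. The second hit is why the summary's "minimizing false positives" still depends on local tuning; in practice the grandparent process (a Spark JVM versus an SSH session) or the executing account is the usual discriminator.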
Categories
- Linux
- Cloud
- Application
Data Sources
- Process
- Network Traffic
Created: 2022-07-20