Python Execution - *nix

Anvilogic Forge

Summary
This rule detects the execution of Python commands and scripts on Unix-like operating systems, which adversaries may use to perform a range of tasks in support of their objectives. Detection relies on EDR (Endpoint Detection and Response) logs, searching for the term 'python', which indicates that a Python script or command has been executed. The rule uses Splunk logic to aggregate the matching logs, giving insight into Python process executions together with their parent processes, user context, and time of execution. The detection is relevant to techniques used by threat actor groups such as UNC5221 and UTA0178, which may leverage Python for malicious purposes. The atomic tests associated with this technique provide a methodology for validating detection coverage, making this rule a fundamental element in monitoring for potential abuse of Python scripting in an environment.
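The aggregation the summary describes (match Python executions in EDR process events, then group by user, parent process and time) can be illustrated in plain Python. The block below is an added example and is not Anvilogic's rule or its Splunk logic; the EDR field names (`timestamp`, `host`, `user`, `process`, `command_line`, `parent_process`) and the sample events are constructed for illustration. One deliberate choice, which goes beyond the bare term search in the summary: the match is restricted to the executed process name, so that an unrelated event whose arguments merely mention 'python' (the last sample line) is not counted.

```python
"""Python-execution detection over constructed EDR process events.
Added example; not the original rule. Field names are assumptions."""
import json
import re
from collections import defaultdict
from os.path import basename

# Constructed sample EDR process-creation events, one JSON object per line.
SAMPLE_EVENTS = """\
{"timestamp":"2024-02-09T10:01:05Z","host":"web01","user":"www-data","process":"/usr/bin/python3","command_line":"python3 -c print(1)","parent_process":"/usr/sbin/apache2"}
{"timestamp":"2024-02-09T10:01:09Z","host":"web01","user":"www-data","process":"/usr/bin/python3.11","command_line":"python3.11 /tmp/x.py","parent_process":"/usr/sbin/apache2"}
{"timestamp":"2024-02-09T10:03:00Z","host":"build02","user":"ci","process":"/usr/bin/python3","command_line":"python3 setup.py test","parent_process":"/usr/bin/bash"}
{"timestamp":"2024-02-09T10:04:00Z","host":"build02","user":"ci","process":"/usr/bin/bash","command_line":"bash -c ls","parent_process":"/usr/bin/sshd"}
{"timestamp":"2024-02-09T10:05:00Z","host":"web01","user":"root","process":"/usr/bin/cat","command_line":"cat /etc/pythonrc","parent_process":"/usr/bin/bash"}
"""

# Interpreter binaries: python, python3, python3.11, ... (case-insensitive).
PYTHON_PROCESS = re.compile(r"^python(\d+(\.\d+)*)?$", re.IGNORECASE)


def parse_events(jsonl):
    """Parse JSON-lines EDR output into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_python_execution(event):
    """True when the executed binary itself is a Python interpreter.

    Matching on the process basename rather than on the whole event text
    avoids false hits such as a path containing 'python' in the arguments.
    """
    return bool(PYTHON_PROCESS.match(basename(event.get("process", ""))))


def aggregate_python_executions(events):
    """Group matching events by (host, user, parent_process).

    Mirrors a Splunk-style `stats count, min(_time), max(_time),
    values(command_line) by host, user, parent_process`, so an analyst sees
    who ran Python, from which parent process, and over what time window.
    Timestamps are ISO-8601 strings in one format, so string min/max is
    chronological.
    """
    groups = defaultdict(lambda: {"count": 0, "first_seen": None,
                                  "last_seen": None, "command_lines": set()})
    for ev in events:
        if not is_python_execution(ev):
            continue
        g = groups[(ev["host"], ev["user"], ev["parent_process"])]
        ts = ev["timestamp"]
        g["count"] += 1
        g["first_seen"] = ts if g["first_seen"] is None else min(g["first_seen"], ts)
        g["last_seen"] = ts if g["last_seen"] is None else max(g["last_seen"], ts)
        g["command_lines"].add(ev["command_line"])
    # Freeze the command-line sets into sorted lists for stable output.
    return {k: {**v, "command_lines": sorted(v["command_lines"])}
            for k, v in groups.items()}


def run_detection(jsonl=SAMPLE_EVENTS):
    """Run the full pipeline over a JSON-lines string and return the groups."""
    return aggregate_python_executions(parse_events(jsonl))


if __name__ == "__main__":
    for (host, user, parent), g in run_detection().items():
        print(f"{host} user={user} parent={parent} count={g['count']} "
              f"{g['first_seen']}..{g['last_seen']} cmds={g['command_lines']}")
```

On the sample data, the two apache2-spawned interpreter runs on web01 collapse into one group with a count of 2 and a 4-second window, the CI run on build02 forms a second group, and the `cat /etc/pythonrc` event is not counted. Because a bare 'python' match also captures legitimate automation, the parent-process and user fields in the output are what an analyst uses to separate expected activity (a build user under bash) from unexpected activity (a web-server account spawning an interpreter).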
Categories
  • Endpoint
  • Linux
  • macOS
Data Sources
  • Process
  • Logon Session
  • File
  • Application Log
ATT&CK Techniques
  • T1059.006
Created: 2024-02-09