
Summary
This rule, authored by Elastic, identifies potentially suspicious child processes spawned by the Windows Console Host (conhost.exe), which could indicate code injection activity. Conhost.exe does not normally create child processes, so any process it spawns warrants investigation, as it could signify malicious behavior such as process injection. The rule uses EQL (Event Query Language) to match process start events, filtering for processes whose parent is conhost.exe and that are not part of its expected behavior. The rule includes triage and analysis guidance for investigating the process execution chain and the behavior of the spawned processes. It also outlines responses to identified threats, including isolating affected hosts and executing incident response plans.
Categories
- Windows
- Endpoint
- Application
Data Sources
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1055
Created: 2020-08-31