
Summary
Detects Metasploit-based Confluence plugin execution on Windows endpoints by flagging a Java process launched from Atlassian Confluence whose command line carries indicators consistent with payload delivery and a Meterpreter foothold. The rule targets the Confluence server process path (Atlassian\Confluence\jre\bin\java.exe) and expects command-line indicators such as -classpath, a reference to AppData\Local\Temp\~spawn, and a Payload artifact. It draws on the Endpoint.Processes CIM data model and correlates fields such as process_path, vendor_product, user_id, process_hash, and parent process details to build context around the activity. Data sources include Sysmon (Event ID 1), Windows Event Log Security (4688), and CrowdStrike ProcessRollup2 telemetry. The SPL-based detection normalizes fields via CIM, derives firstTime/lastTime from the events in the search window, and applies a dedicated filter (windows_metasploit_confluence_plugin_execution_filter). On a match, the alert reports a potential Metasploit Confluence plugin execution on the destination host, with a risk object for dest (score 50) and a threat object based on the parent_process_name. Drilldown searches show results per user/dest and risk events over the last 7 days. The rule notes that legitimate pentest activity can trigger false positives and that matches should be verified with security teams before action.
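As an added illustration (not the rule's own SPL, which this page does not reproduce), the matching and aggregation logic summarised above expressed in Python over constructed CIM-style process events; the hostnames, users, timestamps and parent process names in the sample are assumed.

```python
from collections import defaultdict

# Indicators taken from the detection summary above (compared case-insensitively).
PROCESS_PATH_SUFFIX = r"\atlassian\confluence\jre\bin\java.exe"
CMDLINE_INDICATORS = ("-classpath", r"\appdata\local\temp\~spawn", "payload")
RISK_SCORE = 50  # risk object score the rule assigns to dest

def is_metasploit_confluence_plugin(event):
    """True when one CIM-normalised Endpoint.Processes event carries every indicator."""
    path = event.get("process_path", "").lower()
    cmd = event.get("process", "").lower()
    return path.endswith(PROCESS_PATH_SUFFIX) and all(i in cmd for i in CMDLINE_INDICATORS)

def detect(events):
    """Aggregate matches per dest/user/parent, deriving firstTime/lastTime from the
    matching events' timestamps, which is what the rule's stats step produces."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not is_metasploit_confluence_plugin(ev):
            continue
        row = rows[(ev["dest"], ev["user"], ev["parent_process_name"])]
        row["count"] += 1
        t = ev["_time"]
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    return [dict(dest=d, user=u, parent_process_name=p, risk_score=RISK_SCORE, **r)
            for (d, u, p), r in rows.items()]

def _event(t, dest, parent, path, cmd, user="NT AUTHORITY\\SYSTEM"):
    """Build a constructed Sysmon EID 1 / 4688-style record already mapped to CIM names."""
    return {"_time": t, "dest": dest, "user": user, "parent_process_name": parent,
            "process_path": path, "process": cmd}

CONFLUENCE_JAVA = r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe"
# Constructed sample: two hits on conf01, a normal Confluence JVM start, and a java.exe from another JRE path.
SAMPLE_EVENTS = [
    _event(1700000000, "conf01", "tomcat9.exe", CONFLUENCE_JAVA,
           r"java.exe -classpath C:\Users\svc\AppData\Local\Temp\~spawn1234.tmp.dir Payload"),
    _event(1700000060, "conf01", "tomcat9.exe", CONFLUENCE_JAVA,
           r"java.exe -classpath C:\Users\svc\AppData\Local\Temp\~spawn5678.tmp.dir Payload"),
    _event(1700000120, "conf01", "services.exe", CONFLUENCE_JAVA,
           r"java.exe -Xms1024m -classpath C:\Program Files\Atlassian\Confluence\bin\bootstrap.jar"),
    _event(1700000180, "build01", "cmd.exe", r"C:\Program Files\Java\jre\bin\java.exe",
           r"java.exe -classpath C:\Users\jenkins\AppData\Local\Temp\~spawn1.tmp Payload", user=r"CORP\jenkins"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

The third and fourth sample events show why all three command-line indicators and the Confluence-specific path are required together: a normal Confluence JVM start also uses -classpath, and a ~spawn classpath under a different JRE path is outside the rule's scope.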
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1608
- T1505.003
- T1190
Created: 2026-04-13