
Summary
This detection rule identifies suspicious process creation events in which a shell is spawned by a Java process (specifically java.exe). Such behaviour may indicate exploitation attempts against vulnerabilities in Java applications, like the notorious log4j exploit. The rule targets the case where cmd.exe, powershell.exe, or bash.exe is launched as a child of java.exe, capturing potentially malicious behaviour that deviates from expected operation. Its selection condition requires both that the parent image is java.exe and that the child image is one of the listed shell executables. A secondary filter excludes legitimate invocations whose command line or path contains 'build', so that not every shell launched by java.exe is flagged, reducing false positives. The rule applies primarily to Windows environments and targets the process creation category of log sources. It matters for endpoint security because it can surface initial access, persistence, or privilege escalation activity by attackers.
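The selection and exclusion logic described above, expressed as a small Python matcher run over constructed Sysmon-style process-creation events; this is an added illustration, not the rule's own code. It assumes case-insensitive matching (as Sigma does by default) and interprets "path" in the exclusion as the child image path.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Shell executables the rule looks for as children of java.exe.
SHELLS = {"cmd.exe", "powershell.exe", "bash.exe"}

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "whoami"'},                       # matches
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},         # matches
    {"ParentImage": r"C:\jenkins\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c gradlew.bat build"},                # excluded: 'build'
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                     # parent is not java.exe
    {"ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Program Files\Git\bin\bash.exe",
     "CommandLine": "bash.exe -c ls"},                              # matches
]


def _basename(path: str) -> str:
    # Windows paths, so use ntpath regardless of the host OS; compare case-insensitively.
    return ntpath.basename(path).lower()


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return a short reason string if the event matches the rule, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    # Selection: parent must be java.exe and child must be one of the shells.
    if parent != "java.exe" or child not in SHELLS:
        return None
    # Exclusion filter: plain substring match on 'build' in command line or image path.
    # Tune this carefully; a broad substring exclusion also suppresses true positives.
    if "build" in event.get("CommandLine", "").lower() or "build" in event.get("Image", "").lower():
        return None
    return f"{parent} spawned {child}"


def run_rule(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Apply the rule to a batch of events and return (index, reason) for each hit."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        reason = evaluate(event)
        if reason is not None:
            hits.append((idx, reason))
    return hits
```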
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2021-12-17