
Summary
The 'Linux Webshell Indicators' rule detects suspicious sub-processes spawned by web server software commonly run on Linux. It inspects process creation events whose parent process is a recognizable web server binary such as `httpd`, `lighttpd`, `nginx`, `apache2`, `node`, or `caddy`, or a Java process that belongs to a Tomcat or WebSphere application. Among the children of those parents it flags well-known Linux command line tools, including `/whoami`, `/ifconfig`, and `/netstat`, whose execution from a web server process is indicative of web shell activity. Matches let security teams pinpoint unauthorized access and potentially malicious actions carried out through a compromised web server. A web server spawning such sub-processes suggests that an attacker may be controlling it via a web shell, which is a serious security risk.
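The following is an added example, not the rule's own Sigma source, that expresses the parent/child logic described above as a small Python evaluator and runs it over constructed process-creation events. The parent and child names are the ones the summary lists; the assumption that a Java parent qualifies when its command line mentions Tomcat or WebSphere is mine, as are the `ProcessEvent` field names and the sample events.

```python
"""Added example (not the rule's own code): evaluate the 'Linux Webshell
Indicators' parent/child logic over constructed process-creation events."""
from dataclasses import dataclass
from typing import List

# Web server parents named on the page; matched as suffixes of the image path.
WEB_SERVER_PARENTS = ("/httpd", "/lighttpd", "/nginx", "/apache2", "/node", "/caddy")

# Assumption: a Java parent counts only when its command line points at a
# Tomcat or WebSphere application (case-insensitive substring match).
JAVA_APP_MARKERS = ("tomcat", "websphere")

# Sub-processes the page lists as indicators; matched as image path suffixes,
# which is why each entry carries a leading slash.
SUSPICIOUS_CHILDREN = ("/whoami", "/ifconfig", "/netstat")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (field names are an assumption)."""
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


def is_web_server_parent(ev: ProcessEvent) -> bool:
    """True when the parent is a listed web server binary or a Tomcat/WebSphere JVM."""
    if ev.parent_image.endswith(WEB_SERVER_PARENTS):
        return True
    if ev.parent_image.endswith("/java"):
        lowered = ev.parent_cmdline.lower()
        return any(marker in lowered for marker in JAVA_APP_MARKERS)
    return False


def is_suspicious_child(ev: ProcessEvent) -> bool:
    """True when the spawned image is one of the listed reconnaissance tools."""
    return ev.image.endswith(SUSPICIOUS_CHILDREN)


def matches_webshell_indicator(ev: ProcessEvent) -> bool:
    """The rule fires only when both the parent and the child conditions hold."""
    return is_web_server_parent(ev) and is_suspicious_child(ev)


def find_matches(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that would raise an alert."""
    return [ev for ev in events if matches_webshell_indicator(ev)]


# Constructed sample telemetry: two hits, three benign or out-of-scope events.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/nginx", "nginx: worker process",
                 "/usr/bin/whoami", "whoami"),                       # hit
    ProcessEvent("/usr/bin/java", "java -jar /opt/tomcat/bin/bootstrap.jar",
                 "/bin/netstat", "netstat -antp"),                   # hit
    ProcessEvent("/usr/bin/java", "java -jar batch-job.jar",
                 "/usr/bin/whoami", "whoami"),                       # JVM, not Tomcat/WebSphere
    ProcessEvent("/usr/sbin/nginx", "nginx: worker process",
                 "/usr/bin/php-cgi", "php-cgi"),                     # normal web server child
    ProcessEvent("/bin/bash", "-bash",
                 "/usr/bin/whoami", "whoami"),                       # interactive shell, not a web server
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT parent={hit.parent_image} child={hit.image} cmd={hit.cmdline!r}")
```

Suffix matching on the full image path is what keeps a binary such as `/usr/local/bin/netstat-wrapper` from matching `/netstat`; a telemetry source that records only the basename would need the leading slashes removed and an exact comparison instead.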
Categories
- Linux
- Web
- Cloud
Data Sources
- Process
Created: 2021-10-15