
Summary
This detection rule identifies potentially malicious activity involving web servers running on Windows. Specifically, it looks for child processes spawned by legitimate web server processes such as w3wp (IIS), httpd (Apache), nginx, and others. A web server process spawning an unusual shell process (e.g., cmd, PowerShell, bash scripts) can indicate a web shell, a technique associated with threat actors such as Alloy Taurus/Gallium, OilRig, and Volt Typhoon. The logic uses Splunk queries over Windows event logs, specifically Event ID 4688, which records process creation events. The rule matches web server process names with regular expressions, then compiles a count of each child process observed under those web server processes to assess whether the activity is anomalous. By applying a threshold (fewer than 25 instances of the same child process from a given web server), it aims to minimize false positives from routine, high-volume children while still surfacing rare process launches from server environments, where attackers deploy web shells to gain control of the server and execute further commands.
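To make the counting and threshold logic concrete, the following is an added Python reimplementation of the rule's core steps run over constructed Event ID 4688 records; it is not the rule's own Splunk query, and the key=value line layout, field names, file paths and sample events are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample records modelled on Windows Security Event ID 4688,
# flattened to key=value lines as a log forwarder might present them.
# These are not real telemetry.
SAMPLE_EVENTS = [
    r"EventCode=4688 ParentProcessName=C:\Windows\System32\inetsrv\w3wp.exe NewProcessName=C:\Windows\System32\cmd.exe",
    r"EventCode=4688 ParentProcessName=C:\Windows\System32\inetsrv\w3wp.exe NewProcessName=C:\Windows\System32\cmd.exe",
    r"EventCode=4688 ParentProcessName=C:\Apache24\bin\httpd.exe NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"EventCode=4688 ParentProcessName=C:\nginx\nginx.exe NewProcessName=C:\Windows\System32\bash.exe",
    # Parent is not a web server: must be ignored even though the child is a shell.
    r"EventCode=4688 ParentProcessName=C:\Windows\explorer.exe NewProcessName=C:\Windows\System32\cmd.exe",
    # Wrong event ID: not a process creation event, must be ignored.
    r"EventCode=4624 ParentProcessName=C:\nginx\nginx.exe NewProcessName=C:\Windows\System32\cmd.exe",
] + [
    # Constructed high-volume child (30 launches) standing in for routine
    # server noise; the threshold is meant to suppress exactly this.
    r"EventCode=4688 ParentProcessName=C:\Windows\System32\inetsrv\w3wp.exe NewProcessName=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
] * 30

# Web server image names named on the page; extend the alternation as needed.
WEB_SERVER_RE = re.compile(r"^(w3wp|httpd|nginx)\.exe$", re.IGNORECASE)

def parse_event(line):
    """Turn one key=value line into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def basename(path):
    """Lower-cased image name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_rare_web_server_children(lines, threshold=25):
    """Return {(parent, child): count} for web server children seen fewer
    than `threshold` times, mirroring the rule's stats-then-filter step."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4688":
            continue
        parent = basename(ev.get("ParentProcessName", ""))
        child = basename(ev.get("NewProcessName", ""))
        if not WEB_SERVER_RE.match(parent):
            continue
        counts[(parent, child)] += 1
    return {pair: n for pair, n in counts.items() if n < threshold}

if __name__ == "__main__":
    for (parent, child), n in find_rare_web_server_children(SAMPLE_EVENTS).items():
        print(f"{parent} -> {child}: {n} launch(es)")
```

The 30 csc.exe launches are counted but fall above the threshold and are dropped, while the three rare shell children under w3wp, httpd and nginx are reported.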
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
- Logon Session
ATT&CK Techniques
- T1505.004
- T1505.003
- T1218
Created: 2024-02-09