
Summary
This rule detects suspicious parent processes of Endpoint Security executables on Windows systems, such as 'esensor.exe' and 'elastic-endpoint.exe'. These binaries being started by an unexpected parent executable may indicate code injection or process hollowing. The rule uses an EQL query that matches process events whose 'event.type' is 'start' and whose parent executable is not in a predefined whitelist of legitimate paths, surfacing anomalies typical of malicious behaviour. To reduce false positives, specific known benign parent processes and command-line arguments are excluded from detection, so malicious activity is identified without generating unnecessary alerts. A detailed investigation guide also outlines investigative steps, response actions, and guidance for false-positive analysis, supporting a complete incident response.
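As an added example (not the rule's own EQL and not Elastic code), the following Python models the detection logic the summary describes and runs it over constructed sample process events. The whitelisted parent paths, the excluded parent names and the excluded arguments are placeholders assumed for illustration, not the rule's real lists.

```python
# Added example: Python model of the detection logic, not the rule's EQL.
# ECS field names (event.type, process.name, process.parent.*) are real;
# the whitelist and exclusion values below are assumed placeholders.

ENDPOINT_BINARIES = {"esensor.exe", "elastic-endpoint.exe"}

# Assumed legitimate parent locations (placeholders, not the rule's real list).
ALLOWED_PARENT_PREFIXES = (
    "c:\\program files\\elastic\\",
    "c:\\windows\\system32\\",
)

# Assumed benign parent name + argument pairs excluded to cut false positives.
EXCLUDED_PARENTS = {"setup.exe"}
EXCLUDED_ARGS = {"/quiet"}


def _norm(path: str) -> str:
    """Windows paths are case-insensitive and accept '/' as a separator,
    so normalise before comparing against the whitelist."""
    return path.replace("/", "\\").lower()


def is_suspicious(event: dict) -> bool:
    """True when an endpoint binary starts under a non-whitelisted parent."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.name", "").lower() not in ENDPOINT_BINARIES:
        return False
    parent_exe = _norm(event.get("process.parent.executable", ""))
    # A parent path in a whitelisted directory is expected; an empty/missing
    # parent path is itself unusual and stays flagged.
    if any(parent_exe.startswith(p) for p in ALLOWED_PARENT_PREFIXES):
        return False
    parent_name = parent_exe.rsplit("\\", 1)[-1]
    args = [a.lower() for a in event.get("process.parent.args", [])]
    if parent_name in EXCLUDED_PARENTS and any(a in EXCLUDED_ARGS for a in args):
        return False
    return True


def find_alerts(events: list) -> list:
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.type": "start", "process.name": "esensor.exe",
     "process.parent.executable": r"C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"},
    {"event.type": "start", "process.name": "elastic-endpoint.exe",
     "process.parent.executable": r"C:\Users\Public\update.exe"},
    {"event.type": "start", "process.name": "esensor.exe",
     "process.parent.executable": "c:/temp/installer/setup.exe",
     "process.parent.args": ["setup.exe", "/QUIET"]},
    {"event.type": "start", "process.name": "esensor.exe",
     "process.parent.executable": r"C:\Temp\installer\setup.exe",
     "process.parent.args": ["setup.exe"]},
    {"event.type": "end", "process.name": "esensor.exe",
     "process.parent.executable": r"C:\Users\Public\update.exe"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["process.name"], "<-", alert["process.parent.executable"])
```

Only the second and fourth sample events fire: the first parent is whitelisted, the third is excluded by the benign name-plus-argument pair, and the fifth is not a start event.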
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- Process
- Windows Registry
- Application Log
- File
- User Account
ATT&CK Techniques
- T1036
- T1036.005
Created: 2020-08-24