
Uncommon Destination Port Connection by Web Server

Elastic Detection Rules

Summary
This detection rule identifies unusual outbound network activity from web server processes on Linux systems, the kind of connection that can indicate web shell activity or other unauthorized connections made by a web server to external destinations. The rule evaluates network events where the originating user is one commonly associated with web servers (such as 'apache' and 'nginx') or the corresponding user IDs, and where the process name matches a known web server executable. It then restricts the egress traffic to uncommon destination ports, excluding standard web traffic ports (e.g., 80 and 443) and local IP addresses. The rule is written in Elastic's EQL (Event Query Language) and queries endpoint data.
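As an added example (not the rule's EQL and not Elastic's code), the conditions in the summary re-implemented in Python and run over constructed sample events. The page names only the users 'apache' and 'nginx' and the ports 80 and 443; the web server process names, the simplified event fields and the list of local address ranges are assumptions.

```python
import ipaddress

# Assumed (not from the page): the executables treated as web servers and
# the address ranges treated as "local" destinations.
WEB_USERS = {"apache", "nginx"}                 # named in the rule summary
WEB_PROCESSES = {"httpd", "apache2", "nginx"}   # assumption
STANDARD_WEB_PORTS = {80, 443}                  # named in the rule summary
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_local(ip):
    """Loopback, RFC 1918, link-local and ULA destinations are excluded from alerting."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)

def is_suspicious(event):
    """Mirror the summary: egress connection, web-server user, web-server
    process, destination port outside 80/443, destination not local."""
    if event.get("direction") != "egress":
        return False
    if event.get("user") not in WEB_USERS:
        return False
    if event.get("process") not in WEB_PROCESSES:
        return False
    if event.get("dest_port") in STANDARD_WEB_PORTS:
        return False
    return not is_local(event["dest_ip"])

def find_alerts(events):
    """Return the events that would trigger the rule."""
    return [e for e in events if is_suspicious(e)]

# Constructed sample events in a simplified schema (not ECS field names).
SAMPLE_EVENTS = [
    # normal HTTPS callout from nginx: standard port, no alert
    {"direction": "egress", "user": "nginx", "process": "nginx", "dest_ip": "198.51.100.20", "dest_port": 443},
    # httpd talking to a database on the private network: local destination, no alert
    {"direction": "egress", "user": "apache", "process": "httpd", "dest_ip": "10.0.0.5", "dest_port": 3306},
    # httpd connecting to an external host on an uncommon port: alert
    {"direction": "egress", "user": "apache", "process": "httpd", "dest_ip": "198.51.100.7", "dest_port": 4444},
    # same destination but from a non-web-server user and process: outside the rule's scope
    {"direction": "egress", "user": "root", "process": "curl", "dest_ip": "198.51.100.7", "dest_port": 4444},
    # inbound connection to the web server itself: not egress, no alert
    {"direction": "ingress", "user": "nginx", "process": "nginx", "dest_ip": "198.51.100.7", "dest_port": 51515},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```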
Categories
  • Endpoint
  • Linux
Data Sources
  • Web Credential
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1059
  • T1059.004
  • T1071
Created: 2025-03-05