Suspicious Communication App Child Process

Elastic Detection Rules

Summary
This detection rule identifies suspicious child processes spawned by communication applications such as Slack, WebEx, Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows systems. Legitimate applications commonly spawn child processes, but adversaries can abuse this behavior to disguise malicious activity or exploit vulnerabilities in these applications to execute unauthorized code. By monitoring processes that originate from these applications and flagging those that run from untrusted locations or are signed by unknown entities, the rule helps identify attempts to masquerade as legitimate software or to execute malicious commands. The detection logic covers several well-known communication apps and is written in EQL (Event Query Language) to filter events indicative of potential threats. The rule assigns a risk score and severity level to each match, helping security teams prioritize their response.
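The following is an added example, not Elastic's rule and not its EQL, that shows the detection logic the summary describes running over a handful of constructed process events: a child is flagged when its parent is one of the listed communication apps and it either runs from an untrusted location or lacks a signature from a trusted signer. The field names, the parent-process list, the trusted path prefixes and the trusted signer set are all assumptions for this example; the real rule may use different lists and additional conditions.

```python
"""Toy version of the 'suspicious communication app child process' logic.
Added example only; field names and allow-lists are assumptions, not Elastic's."""

# Parent process names treated as communication apps (assumed for this example).
COMM_APP_PARENTS = {
    "slack.exe", "webexhost.exe", "teams.exe", "discord.exe",
    "whatsapp.exe", "zoom.exe", "thunderbird.exe",
}

# Locations a child of these apps is expected to run from (assumption).
TRUSTED_PATH_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# Signers whose validly signed children are considered benign (assumption).
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Slack Technologies, LLC",
    "Zoom Video Communications, Inc.",
}


def is_trusted_location(path: str) -> bool:
    """True if the child executable lives under an expected install directory."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in TRUSTED_PATH_PREFIXES)


def is_trusted_signer(event: dict) -> bool:
    """True only if the signature validated AND the signer is on the allow-list."""
    return event.get("signature_trusted") is True and event.get("signer") in TRUSTED_SIGNERS


def evaluate(event: dict):
    """Return an alert dict for a suspicious child process, or None if benign
    or if the parent is not one of the communication apps."""
    parent = event["parent_name"].lower()
    if parent not in COMM_APP_PARENTS:
        return None
    reasons = []
    if not is_trusted_location(event["child_path"]):
        reasons.append("untrusted location")
    if not is_trusted_signer(event):
        reasons.append("untrusted or missing signature")
    if not reasons:
        return None
    return {"parent": parent, "child": event["child_path"], "reasons": reasons}


def scan(events):
    """Run the check over a list of process-creation events and collect alerts."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: Slack launching its own signed binary from the install path
        "parent_name": "slack.exe",
        "child_path": "C:\\Program Files\\Slack\\slack.exe",
        "signature_trusted": True, "signer": "Slack Technologies, LLC",
    },
    {   # suspicious: Teams spawning an unsigned binary from a temp directory
        "parent_name": "Teams.exe",
        "child_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "signature_trusted": False, "signer": None,
    },
    {   # suspicious: expected path, but signer is not on the allow-list
        "parent_name": "Discord.exe",
        "child_path": "C:\\Program Files\\Discord\\Update.exe",
        "signature_trusted": True, "signer": "Unknown Publisher",
    },
    {   # out of scope: parent is not a communication app
        "parent_name": "chrome.exe",
        "child_path": "C:\\Users\\alice\\Downloads\\tool.exe",
        "signature_trusted": False, "signer": None,
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['parent']} -> {alert['child']}: {', '.join(alert['reasons'])}")
```

Note that the location and signer checks are independent, so a child that sits in the expected install directory is still flagged when its signer is not on the allow-list, which is the case that catches a replaced or dropped binary next to the real application. Matching the parent by name alone is deliberately simple here; a production rule would typically also key on the parent's own path and signature so that an unrelated binary named like a communication app does not inherit the allow-list.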
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1036
  • T1036.001
  • T1036.005
  • T1055
  • T1554
Created: 2023-08-04