
Summary
This detection rule identifies potential reverse shell activity originating from a Java JAR application on Linux systems, triggered after an incoming network connection. The rule leverages EQL (Event Query Language) to monitor for a sequence of events in which a Java executable makes a network connection, followed by a shell execution that matches typical reverse shell behavior. Specifically, it tracks the execution of common shell interpreters after a Java application has accepted or attempted a network connection. Certain benign Java applications, such as Jenkins, are excluded to reduce false positives. The rule requires data sourced from Elastic Defend and is intended for environments using Elastic Agent integrated with Fleet for monitoring. A medium risk score indicates a moderate level of concern, warranting further investigation if the rule triggers.
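As an added illustration (not the rule's own EQL or any Elastic code), the following Python reproduces the sequence logic over constructed events: it pairs a java network event with a shell started by that same java process within an assumed window and drops matches whose parent command line references Jenkins. The field names, the 1-second window, the shell list and the form of the Jenkins exclusion are assumptions for the example.

```python
"""Constructed simulation of a java-network -> shell-exec sequence detection."""

SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ash", "ksh"}  # assumed interpreter list
MAXSPAN_SECONDS = 1.0  # assumed correlation window between the two events

# Constructed sample events (epoch seconds), not real telemetry. "entity_id"
# identifies a process instance; a process event carries its parent's id so it
# can be joined to the network event produced by that parent.
SAMPLE_EVENTS = [
    # 1) java accepts a connection, then spawns bash 0.2s later -> should alert
    {"ts": 100.0, "category": "network", "action": "connection_accepted",
     "process_name": "java", "entity_id": "java-1"},
    {"ts": 100.2, "category": "process", "process_name": "bash", "entity_id": "sh-1",
     "parent_entity_id": "java-1", "parent_name": "java",
     "parent_args": ["java", "-jar", "app.jar"]},
    # 2) Jenkins spawning sh after a connection -> excluded as benign
    {"ts": 200.0, "category": "network", "action": "connection_accepted",
     "process_name": "java", "entity_id": "java-2"},
    {"ts": 200.3, "category": "process", "process_name": "sh", "entity_id": "sh-2",
     "parent_entity_id": "java-2", "parent_name": "java",
     "parent_args": ["java", "-jar", "jenkins.war"]},
    # 3) shell spawned a minute after the connection -> outside the window
    {"ts": 300.0, "category": "network", "action": "connection_attempted",
     "process_name": "java", "entity_id": "java-3"},
    {"ts": 360.0, "category": "process", "process_name": "sh", "entity_id": "sh-3",
     "parent_entity_id": "java-3", "parent_name": "java",
     "parent_args": ["java", "-jar", "app.jar"]},
]

def is_java_network(ev):
    return (ev["category"] == "network" and ev["process_name"] == "java"
            and ev["action"] in ("connection_accepted", "connection_attempted"))

def is_excluded(ev):
    # Assumed Jenkins exclusion: the parent java command line mentions jenkins.
    return any("jenkins" in a.lower() for a in ev.get("parent_args", []))

def correlate(events, maxspan=MAXSPAN_SECONDS):
    """Return (network_event, shell_event) pairs that match the sequence."""
    last_net = {}  # java entity_id -> most recent qualifying network event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_java_network(ev):
            last_net[ev["entity_id"]] = ev
        elif (ev["category"] == "process" and ev["process_name"] in SHELL_NAMES
              and ev.get("parent_name") == "java"):
            net = last_net.get(ev["parent_entity_id"])
            if net and 0 <= ev["ts"] - net["ts"] <= maxspan and not is_excluded(ev):
                alerts.append((net, ev))
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` yields only the first scenario; widening `maxspan` shows how the window alone, not the Jenkins exclusion, suppresses the third.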
Categories
- Linux
- Endpoint
- Infrastructure
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1059
- T1059.004
- T1071
Created: 2023-07-04