First Time Seen Child Process of Zoom

Splunk Security Content

Summary
This analytic detects the first-time execution of a child process spawned by Zoom (zoom.exe or zoom.us). It uses Endpoint Detection and Response (EDR) data, specifically process-creation events collected through Sysmon and Windows Event Logs, and compares each newly observed child process against a historical cache of child processes previously seen under Zoom. Unfamiliar child processes of Zoom warrant attention because they can indicate malicious activity such as exploitation or misuse of the application. If Zoom launches a previously unseen child process, the consequences can include unauthorized code execution or data exfiltration.
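The first-seen comparison the summary describes, as an added Python example that is not the detection's own SPL: it runs over constructed Sysmon-style process-creation events, keeps a historical cache of child process names seen under Zoom, and reports only children that are not yet in that cache (the host names, process names and command lines are constructed sample values).

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Parent process names the detection treats as Zoom (from the page summary).
ZOOM_PARENTS = {"zoom.exe", "zoom.us"}


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation event with the fields a Sysmon EventID 1 record carries."""
    timestamp: str
    host: str
    parent_process_name: str
    process_name: str
    command_line: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("2024-11-13T09:00:00Z", "ws01", "zoom.exe", "CptHost.exe", "CptHost.exe --share"),
    ProcessEvent("2024-11-13T09:05:00Z", "ws01", "zoom.exe", "zCrashReport.exe", "zCrashReport.exe"),
    ProcessEvent("2024-11-13T09:07:00Z", "ws02", "explorer.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("2024-11-13T09:10:00Z", "ws02", "zoom.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("2024-11-13T09:12:00Z", "ws03", "zoom.exe", "CptHost.exe", "CptHost.exe"),
]


def build_baseline(history: Iterable[ProcessEvent]) -> Set[str]:
    """Build the historical cache: lower-cased child names seen under Zoom in past data."""
    return {
        ev.process_name.lower()
        for ev in history
        if ev.parent_process_name.lower() in ZOOM_PARENTS
    }


def first_seen_zoom_children(events: Iterable[ProcessEvent], known: Set[str]) -> List[ProcessEvent]:
    """Return Zoom child-process events whose child name is not in `known`.

    `known` is updated in place, so a repeat of the same child on a later host
    is not alerted twice, matching the "first time seen" semantics.
    """
    alerts: List[ProcessEvent] = []
    for ev in events:
        if ev.parent_process_name.lower() not in ZOOM_PARENTS:
            continue  # only children of zoom.exe / zoom.us are in scope
        child = ev.process_name.lower()
        if child not in known:
            alerts.append(ev)
            known.add(child)
    return alerts
```

A production version would key the cache on more than the bare name (for example the image path and signer) and age entries out, but the comparison itself is what the rule does.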
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Sensor Health
ATT&CK Techniques
  • T1068
Created: 2024-11-13