
Summary
This rule detects a suspicious child process of Zoom, which may indicate malicious activity such as masquerading or the exploitation of vulnerabilities in the Zoom application on Windows systems. It uses an EQL (Event Query Language) query to find processes spawned under the execution chain of Zoom.exe, specifically command-line interpreters such as cmd.exe, PowerShell, and PowerShell ISE, which are likely attack vectors. The rule provides further investigation steps for analysts, including examining the process execution chain, network connections, and associated file signatures to identify possible malicious behavior. Its triage procedures also recommend isolating affected hosts and performing comprehensive malware scans if a threat is confirmed, highlighting the importance of a robust incident response in mitigating attacks.
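As an added illustration, not the rule's own EQL query (which this page does not reproduce), the matching condition described above is applied in Python to constructed process-creation events. The ECS-style field names and the exact comparison (direct parent named Zoom.exe, child named cmd.exe, powershell.exe or powershell_ise.exe) are assumptions derived from the summary.

```python
"""Replay the rule's matching logic over constructed process-creation events."""

# Command-line interpreters the summary names as the rule's targets (assumed file names).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}

# Constructed sample events using ECS-style field names; not real telemetry.
SAMPLE_EVENTS = [
    {"event.type": "start", "process.name": "Zoom.exe",
     "process.parent.name": "explorer.exe", "process.command_line": "Zoom.exe --join"},
    {"event.type": "start", "process.name": "cmd.exe",
     "process.parent.name": "Zoom.exe", "process.command_line": "cmd.exe /c whoami"},
    {"event.type": "start", "process.name": "PowerShell.exe",   # mixed case on purpose
     "process.parent.name": "zoom.exe",
     "process.command_line": "powershell.exe -Command Get-Process"},
    {"event.type": "start", "process.name": "ZoomHelper.exe",   # constructed benign helper
     "process.parent.name": "Zoom.exe", "process.command_line": "ZoomHelper.exe"},
    {"event.type": "start", "process.name": "powershell_ise.exe",
     "process.parent.name": "explorer.exe", "process.command_line": "powershell_ise.exe"},
    {"event.type": "end", "process.name": "cmd.exe",            # termination, not a start
     "process.parent.name": "Zoom.exe", "process.command_line": "cmd.exe"},
]


def is_suspicious_zoom_child(event):
    """True when a process-start event shows a shell spawned directly by Zoom.exe.

    Names are compared case-insensitively because Windows file names are not
    case-sensitive, so "zoom.exe" and "Zoom.exe" must match the same rule.
    """
    if event.get("event.type") != "start":
        return False
    parent = event.get("process.parent.name", "").lower()
    child = event.get("process.name", "").lower()
    return parent == "zoom.exe" and child in SUSPICIOUS_CHILDREN


def find_matches(events):
    """Return the command lines of every event the rule would alert on."""
    return [e["process.command_line"] for e in events if is_suspicious_zoom_child(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT suspicious Zoom child process:", hit)
```

Only the two interpreter launches whose direct parent is Zoom.exe match; the helper process, the interpreter started from explorer.exe, and the process-end event are ignored, which mirrors why the rule narrows on both parent and child name.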
Categories
- Endpoint
- Windows
Data Sources
- Process
- Image
- Application Log
- Network Traffic
ATT&CK Techniques
- T1036
- T1055
- T1203
Created: 2020-09-03