✄𐘗
text code block:
✄𐘗event.category:process and host.os.type:linux and event.type:start and event.action:exec and (
  process.parent.name:(
    "apache" or "nginx" or "apache2" or "httpd" or "lighttpd" or "caddy" or "mongrel_rails" or "haproxy" or
    "gunicorn" or "uwsgi" or "openresty" or "cherokee" or "h2o" or "resin" or "puma" or "unicorn" or "traefik" or "uvicorn" or
    "tornado" or "hypercorn" or "daphne" or "twistd" or "yaws" or "webfsd" or "httpd.worker" or "flask" or "rails" or "mongrel" or
    php-fpm* or "php-cgi" or "php-fcgi" or "php-cgi.cagefs" or "java" or "node"
  ) or
  user.name:("apache" or "www-data" or "httpd" or "nginx" or "lighttpd" or "tomcat" or "tomcat8" or "tomcat9") or
  user.id:("33" or "498" or "48" or "54321")
) and process.working_directory:(
  /var/www/* or
  /usr/share/nginx/* or
  /srv/www/* or
  /srv/http/* or
  */webapps/* or
  /home/*/public_html/* or
  /home/*/www/* or
  /opt/* or
  /u0*/*
) and
process.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:"-c" and
not (
  (process.parent.name:java and not process.parent.executable:/u0*/*) or
  (process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or
  process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or
  process.parent.executable:/tmp/* or
  process.args:/usr/local/bin/wkhtmltopdf* or
  process.parent.name:php
)