As attackers increasingly use "living off the land" techniques to bypass modern security software, researchers have developed a graph-based framework called ProblemChild to detect anomalous parent-child process relationships. This approach utilizes machine learning to generate weighted graphs from process creation events, allowing for the identification of suspicious activity amid the normal noise of system operations. By leveraging community detection and a prevalence service, the method distinguishes between common and rare process chains, reducing false positives and enhancing detection accuracy. The framework, demonstrated at VirusBulletin and CAMLIS, aims to simplify the detector writing process, requiring less domain expertise and enabling more effective identification of attack sequences. Additionally, the prevalence engine helps security professionals understand the rarity of relationships between events, offering a new perspective on threat detection.