diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 85064a8..9d4a68a 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -99,8 +99,8 @@ WHERE
 'nvim',
 'package_script_service',
 'perl',
+ -- 'python' - do not include this, or you won't detect supply-chain attacks.
 'PK-Backend',
- 'python',
 'roxterm',
 'sdk',
 'sdzoomplugin',
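Review bot: The new comment is placed between 'perl' and 'PK-Backend', but the removed 'python' entry sat after 'PK-Backend' in this case-insensitively sorted list, so a reader scanning the list for python will not find the explanation at its slot. Move the comment to where the entry was and make the intent explicit, e.g. `'PK-Backend',` / `-- 'python' is deliberately absent: a shell spawned by a python parent is what a compromised package's install step looks like, so allowlisting it blinds this rule to supply-chain attacks.` / `'roxterm',`. The WHERE clause and the value list it belongs to begin and end outside this hunk, so I could not confirm whether any other python-related exception elsewhere in the rule would re-suppress these events; worth checking before merging.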