KQL · License: Elastic-2.0 · from elastic/detection-rules
File Creation in World-Writable Directory by Unusual Process
Rule source: rules/linux/defense_evasion_file_creation_world_writeable_dir_by_unusual_process.toml
host.os.type:linux and event.category:file and event.type:creation and (
process.name:(
"cp" or "mv" or "chmod" or "chown" or "chattr" or "chgrp" or "curl" or "wget" or "timeout" or
"env" or "node" or "deno" or "nodejs" or .* or python* or perl* or ruby* or php* or lua*
) or
process.executable:(
./* or /tmp/* or /var/tmp/* or /dev/shm/* or /run/* or /var/run/* or /boot/* or /sys/* or
/lost+found/* or /proc/* or /var/mail/* or /var/www/*
)
) and
file.path:(/run/* or /var/run/* or /dev/shm/* or /tmp/* or /var/tmp/*) and
not (
file.path:(
/var/tmp/dracut.* or /var/tmp/mkinitramfs_* or /tmp/.*-00000000.so or /run/udev/rules.d/* or
/tmp/new_root/* or /tmp/newroot/* or /run/user/*/.bubblewrap/newroot/* or /tmp/tmp.*/docker-scout_* or
/var/tmp/portage/* or /tmp/yarn--* or /run/k3s/containerd/* or /var/tmp/pamac-build-* or
/tmp/mkinitcpio* or /run/user/*/netns/netns-*
) or
file.extension:("json" or "txt")
)