
Summary
This detection rule identifies suspicious child processes (cmd.exe and powershell.exe) spawned by specific SolarWinds parent processes, a pattern that can indicate misuse or compromise of the SolarWinds installation. SolarWinds is a widely deployed IT management tool, so command execution launched from its processes warrants monitoring: a threat actor who compromises it can use it to carry out malicious activity. The rule uses EQL to query Windows process events for cmd.exe or powershell.exe whose parent is one of the known SolarWinds executables. It is designed for early detection of behavior mapped to the MITRE ATT&CK framework, specifically command and scripting interpreter execution and supply chain compromise.
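The rule's condition, re-implemented in Python and run over constructed process events so the logic can be exercised offline. This is an added example, not the rule's own EQL or Elastic's code; the event shape follows ECS field names and the SolarWinds parent-name patterns are an assumption standing in for the executables the actual rule enumerates.

```python
# Added example (not the rule's own EQL): the page's condition re-implemented in
# Python over constructed ECS-style process events. The SolarWinds parent
# patterns are an ASSUMPTION standing in for the executables the rule lists.
from fnmatch import fnmatch

# Child processes the rule considers suspicious under a SolarWinds parent.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

# Assumed parent-name globs (lower-case; compared case-insensitively).
SOLARWINDS_PARENT_PATTERNS = [
    "solarwinds.businesslayerhost*.exe",
    "netflowservice*.exe",
]

def is_solarwinds_parent(parent_name: str) -> bool:
    """Case-insensitive glob match of the parent image name."""
    name = parent_name.lower()
    return any(fnmatch(name, pat) for pat in SOLARWINDS_PARENT_PATTERNS)

def match_event(event: dict) -> bool:
    """True for a Windows process-start event where cmd.exe or powershell.exe
    is spawned by a SolarWinds parent, i.e. the rule's full condition."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    child = event.get("process.name", "").lower()
    parent = event.get("process.parent.name", "")
    return child in SUSPICIOUS_CHILDREN and is_solarwinds_parent(parent)

def detect(events: list) -> list:
    """Return the events that trigger the rule, in input order."""
    return [e for e in events if match_event(e)]

# Constructed sample events: two must alert, three must not.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "start", "process.name": "cmd.exe",
     "process.parent.name": "SolarWinds.BusinessLayerHost.exe"},
    {"host.os.type": "windows", "event.type": "start", "process.name": "PowerShell.exe",
     "process.parent.name": "NetFlowService.exe"},
    {"host.os.type": "windows", "event.type": "start", "process.name": "cmd.exe",
     "process.parent.name": "explorer.exe"},  # ordinary parent, no alert
    {"host.os.type": "windows", "event.type": "start", "process.name": "notepad.exe",
     "process.parent.name": "SolarWinds.BusinessLayerHost.exe"},  # benign child
    {"host.os.type": "windows", "event.type": "end", "process.name": "cmd.exe",
     "process.parent.name": "SolarWinds.BusinessLayerHost.exe"},  # not a start
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["process.parent.name"], "->", hit["process.name"])
```

Running the block prints the two alerting parent/child pairs; the negative samples show the filters (start-only, Windows-only, listed children, listed parents) that keep the rule from firing on ordinary activity.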
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1059
- T1059.001
- T1059.003
- T1195
- T1195.002
Created: 2020-12-14