Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Elastic Detection Rules

Summary
This rule detects suspicious activity by the SolarWinds Web Help Desk Java process, specifically the loading of untrusted or remotely sourced native modules (DLL files). That behavior is atypical for the application and may indicate exploitation of the known deserialization vulnerabilities CVE-2025-40536 and CVE-2025-40551, which allow an attacker to load malicious SQLite extensions and execute remote code. The detection logic monitors the 'library' and 'process' event categories for the Java executable path associated with Web Help Desk and for any child processes it subsequently spawns. The rule's investigation steps call for validating the nature of the loaded DLLs and any spawned child processes, reviewing the executable paths involved, and inspecting network activity for signs of compromise. A match is a high-confidence indication of potential exploitation and warrants immediate containment and remediation.
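The detection logic described above, reimplemented here as an added example in Python over constructed sample events; this is not the Elastic rule's own query, and the Web Help Desk install path, the trusted-module prefixes and the ECS-style field names are assumptions.

```python
from typing import Dict, List, Optional

# Assumed: Web Help Desk ships its own JRE under the SolarWinds program directory.
# The real rule's path match is not reproduced on the page; this is a placeholder.
def is_whd_java(path: str) -> bool:
    p = (path or "").lower().replace(" ", "")
    return "\\solarwinds\\webhelpdesk\\" in p and p.endswith("\\java.exe")

# Assumed: modules from the Windows system directories or the application's own
# tree are expected; anything else (including UNC/remote paths) is treated as untrusted.
TRUSTED_MODULE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\solarwinds\\",
)

def is_untrusted_module(path: str) -> bool:
    p = (path or "").lower()
    return p.startswith("\\\\") or not p.startswith(TRUSTED_MODULE_PREFIXES)

def evaluate(event: Dict) -> Optional[str]:
    """Return an alert reason when the event matches either branch, else None."""
    category = event.get("event.category")
    # Branch 1: the WHD Java process loads a native module from an untrusted location.
    if category == "library" and is_whd_java(event.get("process.executable", "")):
        if is_untrusted_module(event.get("dll.path", "")):
            return "untrusted module load: " + event.get("dll.path", "")
    # Branch 2: the WHD Java process spawns a child process.
    if category == "process" and event.get("event.type") == "start":
        if is_whd_java(event.get("process.parent.executable", "")):
            return "child process spawned: " + event.get("process.executable", "")
    return None

def run(events: List[Dict]) -> List[str]:
    return [reason for reason in (evaluate(e) for e in events) if reason]

# Constructed sample telemetry, not real events.
WHD_JAVA = "C:\\Program Files\\SolarWinds\\WebHelpDesk\\bin\\jre\\bin\\java.exe"
SAMPLE_EVENTS = [
    {"event.category": "library", "process.executable": WHD_JAVA, "dll.path": "C:\\Windows\\System32\\ws2_32.dll"},
    {"event.category": "library", "process.executable": WHD_JAVA, "dll.path": "\\\\10.0.0.5\\share\\ext.dll"},
    {"event.category": "library", "process.executable": WHD_JAVA, "dll.path": "C:\\Users\\Public\\ext.dll"},
    {"event.category": "process", "event.type": "start", "process.parent.executable": WHD_JAVA, "process.executable": "C:\\Windows\\System32\\cmd.exe"},
    {"event.category": "process", "event.type": "start", "process.parent.executable": "C:\\Windows\\explorer.exe", "process.executable": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for reason in run(SAMPLE_EVENTS):
        print(reason)
```

Only the remote share load, the user-writable-path load and the cmd.exe child fire; the system DLL load and the unrelated explorer.exe child do not.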
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2026-02-02