
Suspicious SolarWinds Child Process

Elastic Detection Rules

Summary
This detection rule identifies suspicious child processes spawned by the SolarWinds services, specifically the parent processes 'SolarWinds.BusinessLayerHost.exe' and 'SolarWinds.BusinessLayerHostx64.exe'. Given the heightened risk of exploitation associated with compromised SolarWinds installations (such as the Sunburst backdoor incident), the rule is designed to surface anomalous activity that may indicate the execution of malicious programs. The query excludes a list of known, trusted child processes and alerts on any new or unrecognized child process started by these trusted parents. The rule targets Windows environments and uses Elastic's EQL (Event Query Language) to query process start events in endpoint logs. Because legitimate SolarWinds components do spawn helper processes, the rule emphasizes false-positive triage and suggests investigation steps to distinguish expected SolarWinds activity from a potential threat.
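The allow-list logic described above, rewritten as a small Python evaluator over constructed process-start events; this is an added illustration, not the rule's own EQL query, and the trusted child patterns below are hypothetical placeholders rather than the production rule's curated list.

```python
from fnmatch import fnmatchcase

# Parent process names the rule watches (taken from the rule summary).
SOLARWINDS_PARENTS = {
    "solarwinds.businesslayerhost.exe",
    "solarwinds.businesslayerhostx64.exe",
}

# Hypothetical allow-list of expected child processes. The real rule maintains
# its own curated list; these glob patterns only demonstrate the exclusion step.
TRUSTED_CHILD_PATTERNS = [
    "apmservicecontrol*.exe",
    "solarwinds.orion.*.exe",
    "werfault.exe",
]


def is_trusted_child(name: str) -> bool:
    """Case-insensitive wildcard match against the allow-list."""
    lowered = name.lower()
    return any(fnmatchcase(lowered, pat) for pat in TRUSTED_CHILD_PATTERNS)


def should_alert(event: dict) -> bool:
    """Mirror the rule's conditions: Windows process start, SolarWinds parent,
    and a child that is NOT on the trusted list."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if event.get("process.parent.name", "").lower() not in SOLARWINDS_PARENTS:
        return False
    return not is_trusted_child(event.get("process.name", ""))


def find_alerts(events: list) -> list:
    """Return the child process names that would trigger the rule."""
    return [e["process.name"] for e in events if should_alert(e)]


# Constructed sample events (field names follow Elastic Common Schema).
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "start",
     "process.parent.name": "SolarWinds.BusinessLayerHost.exe", "process.name": "WerFault.exe"},
    {"host.os.type": "windows", "event.type": "start",
     "process.parent.name": "SolarWinds.BusinessLayerHostx64.exe", "process.name": "cmd.exe"},
    {"host.os.type": "windows", "event.type": "start",
     "process.parent.name": "explorer.exe", "process.name": "cmd.exe"},
    {"host.os.type": "windows", "event.type": "end",
     "process.parent.name": "SolarWinds.BusinessLayerHost.exe", "process.name": "powershell.exe"},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # only the unexpected cmd.exe child alerts
```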
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Application Log
  • Network Traffic
  • Active Directory
ATT&CK Techniques
  • T1106
  • T1195
  • T1195.002
Created: 2020-12-14