
Summary
This detection rule identifies suspicious processes spawned by the Microsoft Exchange Server Unified Messaging (UM) service, a parent-child relationship that is characteristic of exploitation of vulnerabilities such as CVE-2021-26857. The rule is an EQL (Event Query Language) query scoped to Windows hosts; it matches process creation events whose parent process is 'UMService.exe' or 'UMWorkerProcess.exe' and excludes a list of executables the UM service is known to launch legitimately, which keeps false positives down without removing the signal. The rule carries a medium risk score, reflecting a notable level of threat when it fires. When it does, analysts are advised to follow a structured investigation: verify whether the child process and its command line are legitimate, review historical logs for the same parent-child pairing on the host, and correlate with other security tooling (such as web server logs or endpoint telemetry) to confirm or rule out exploitation.
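The detection logic described above, re-implemented in Python so it can be exercised offline against constructed process-creation events. This is an added example, not Elastic's rule source and not an EQL engine: the field names, the `ProcessEvent` class, the sample events and the `KNOWN_GOOD_CHILDREN` exclusion list are assumptions made for illustration (the published rule carries its own exclusion list), while the two UM parent names and the Windows/process-start scoping come from the rule summary.

```python
"""Added example: a Python re-implementation of the UM-spawned-process rule logic.
Not Elastic's rule source; the exclusion list and sample events are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Approximate shape of the EQL the summary describes (reference only):
#   process where host.os.type == "windows" and event.type == "start" and
#     process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and
#     not process.name : (<known legitimate executables>)

# Parent images belonging to the Exchange Unified Messaging service (from the rule).
UM_PARENTS = {"umservice.exe", "umworkerprocess.exe"}

# ASSUMPTION: an illustrative subset of children the UM service launches legitimately.
# The real rule ships its own list; this one exists only so the example can run.
KNOWN_GOOD_CHILDREN = {"werfault.exe", "wermgr.exe", "umworkerprocess.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a process-creation event (hypothetical schema)."""
    os_type: str                 # host.os.type, e.g. "windows"
    event_type: str              # event.type, "start" for process creation
    process_name: Optional[str]  # child image name, may be missing from telemetry
    parent_name: Optional[str]   # parent image name, may be missing from telemetry
    command_line: str = ""


def matches_rule(evt: ProcessEvent) -> bool:
    """Return True when the event would trigger the detection rule."""
    # Scope: Windows hosts only.
    if evt.os_type.lower() != "windows":
        return False
    # Scope: process creation events only; exits and other lifecycle events are ignored.
    if evt.event_type != "start":
        return False
    # Parent must be a UM service binary. Windows file names are case-insensitive,
    # so compare lowercased. Events with no parent information never match.
    if not evt.parent_name or evt.parent_name.lower() not in UM_PARENTS:
        return False
    # Drop children on the known-legitimate list. A child with no name is kept,
    # because there is nothing to exclude on and it is worth a look.
    if evt.process_name and evt.process_name.lower() in KNOWN_GOOD_CHILDREN:
        return False
    return True


def run_rule(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Evaluate the rule over a batch of events and return those that alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry; each line notes the expected outcome.
SAMPLE_EVENTS = [
    ProcessEvent("windows", "start", "WerFault.exe", "UMWorkerProcess.exe"),            # excluded child
    ProcessEvent("windows", "start", "cmd.exe", "UMWorkerProcess.exe", "cmd.exe /c whoami"),  # alert
    ProcessEvent("windows", "start", "powershell.exe", "UMService.exe"),                # alert
    ProcessEvent("windows", "end", "cmd.exe", "UMWorkerProcess.exe"),                   # not a start event
    ProcessEvent("windows", "start", "cmd.exe", "w3wp.exe"),                            # different parent
    ProcessEvent("linux", "start", "sh", "umworkerprocess.exe"),                        # wrong OS
    ProcessEvent("windows", "start", "rundll32.exe", None),                             # no parent info
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {hit.parent_name} -> {hit.process_name} {hit.command_line}".rstrip())
```

Running the block prints two alerts, the `cmd.exe` and `powershell.exe` children. The lowercased comparisons matter in practice: process names arrive with whatever casing the sensor recorded, and a rule that only matched the exact string `UMService.exe` would silently miss `umservice.exe`.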
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- Malware Repository
- Logon Session
- Service
ATT&CK Techniques
- T1190
- T1210
Created: 2021-03-04