
Potential Code Execution via Postgresql

Elastic Detection Rules

Summary
This detection rule monitors PostgreSQL environments for activity that suggests an attacker has achieved code execution. Attackers may exploit vulnerabilities in PostgreSQL databases, particularly externally exposed ones, to gain unauthorized access through methods such as SQL injection or remote command execution. The rule uses an EQL (Event Query Language) query to detect processes started by the PostgreSQL service user, 'postgres', that execute shell commands indicative of command injection, specifically looking for patterns involving 'sh' and 'echo'. The rule carries a risk score of 47 and a severity of medium, reflecting the potential impact of unauthorized code execution. It depends on the Elastic Defend integration for data collection, which in turn requires Elastic Agent to be deployed on the monitored hosts. The investigation guide covers likely false positives, triage steps, and recommended mitigation actions in response to an alert, including isolating affected systems and resetting credentials.
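As an added illustration, not the rule's own EQL query and not Elastic code, the matching logic the summary describes is rewritten below in Python and run over constructed ECS-style process-start events; the field names and the set of sh-compatible shell names are assumptions made for this example.

```python
from typing import Iterable, List

# Assumption: ECS-style dotted field names; the events below are constructed
# samples for illustration, not real telemetry.
SHELL_NAMES = {"sh", "bash", "dash"}  # assumption: sh-compatible shells counted as 'sh'


def matches_postgres_shell_echo(event: dict) -> bool:
    """Return True when a Linux process-start event shows the 'postgres'
    user launching a shell whose command line carries an 'echo'."""
    if event.get("event.type") != "start" or event.get("host.os.type") != "linux":
        return False
    if event.get("user.name") != "postgres":
        return False
    if event.get("process.name") not in SHELL_NAMES:
        return False
    args = event.get("process.args") or []
    # 'echo' may be its own argv element or embedded in an `sh -c "..."` string
    return any(arg == "echo" or "echo " in arg for arg in args)


def find_hits(events: Iterable[dict]) -> List[dict]:
    """Filter a stream of events down to those that would raise this alert."""
    return [e for e in events if matches_postgres_shell_echo(e)]


SAMPLE_EVENTS = [
    # constructed: postgres spawning a shell that echoes into a file -> alert
    {"event.type": "start", "host.os.type": "linux", "user.name": "postgres",
     "process.name": "sh", "process.args": ["sh", "-c", "echo test > /tmp/probe"],
     "process.parent.name": "postgres"},
    # constructed: ordinary backend worker, no shell involved -> no alert
    {"event.type": "start", "host.os.type": "linux", "user.name": "postgres",
     "process.name": "postgres", "process.args": ["postgres: checkpointer"],
     "process.parent.name": "postgres"},
    # constructed: same shell command run by a different user -> no alert
    {"event.type": "start", "host.os.type": "linux", "user.name": "backup",
     "process.name": "bash", "process.args": ["bash", "-c", "echo done"],
     "process.parent.name": "cron"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT: postgres launched", hit["process.args"])
```

Legitimate maintenance scripts run as 'postgres' can produce the same shape of event, which is why the rule's investigation guide pairs a hit with triage of the parent process and command line rather than treating it as conclusive.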
Categories
  • Endpoint
Data Sources
  • Process
  • Container
  • Logon Session
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2022-06-20