
Potential SAP NetWeaver Exploitation

Elastic Detection Rules

Summary
The detection rule "Potential SAP NetWeaver Exploitation" identifies suspicious child processes spawned from the SAP NetWeaver application, which may signal command execution through a webshell. It is written in EQL (Event Query Language) and matches process start events whose executable is a shell or scripting interpreter (such as sh, bash or python) when the process has a parent or working-directory relationship to SAP's web interface paths. The rule covers both Linux and Windows hosts, is assigned high severity with a risk score of 73, and is mapped to the Execution tactic in MITRE ATT&CK. The investigation guidance in the rule's note recommends isolating affected hosts, examining the process tree for suspicious parent-child relationships, and reviewing system logs for further indicators of compromise. Restoring from known-good backups and updating vulnerable software such as Java are also advised as part of the response.
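The following is an added, simplified re-implementation of the rule's idea in Python, written for this page rather than taken from Elastic's rule. It is not the rule's EQL: the interpreter names, the SAP path markers and the sample process events are all assumptions constructed for illustration, and the real rule's field set and path list should be read from the rule source.

```python
# Added example: toy version of the "shell spawned from the SAP web tier"
# detection, run over constructed sample events. Not the Elastic rule's EQL;
# executable names and path markers below are assumptions for illustration.
from dataclasses import dataclass

# Assumed shells/interpreters a webshell would typically spawn (illustrative).
SUSPICIOUS_EXECUTABLES = {
    "linux": {"sh", "bash", "dash", "zsh", "python", "python3", "perl"},
    "windows": {"cmd.exe", "powershell.exe", "pwsh.exe", "python.exe"},
}
# Assumed path markers for the SAP NetWeaver web tier (illustrative only).
SAP_WEB_MARKERS = ("/usr/sap/", "\\usr\\sap\\", "j2ee", "irj")


@dataclass
class ProcessEvent:
    host_os: str            # "linux" or "windows"
    event_type: str         # the rule only cares about process "start" events
    name: str               # process.name
    parent_executable: str  # process.parent.executable
    working_directory: str  # process.working_directory
    command_line: str       # process.command_line


def _touches_sap_web_tier(ev: ProcessEvent) -> bool:
    """True if parent path, working directory or command line references the SAP web tier."""
    haystack = " ".join((ev.parent_executable, ev.working_directory, ev.command_line)).lower()
    return any(marker in haystack for marker in SAP_WEB_MARKERS)


def is_potential_sap_webshell(ev: ProcessEvent) -> bool:
    """Shell/interpreter start event with a relationship to SAP web paths."""
    if ev.event_type != "start":
        return False
    if ev.name.lower() not in SUSPICIOUS_EXECUTABLES.get(ev.host_os, set()):
        return False
    return _touches_sap_web_tier(ev)


def detect(events):
    """Return the events that would raise an alert."""
    return [ev for ev in events if is_potential_sap_webshell(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Webshell-style: bash spawned by the SAP Java server process in the web tier.
    ProcessEvent("linux", "start", "bash",
                 "/usr/sap/SID/J00/exe/sapjvm_8/bin/java",
                 "/usr/sap/SID/J00/j2ee/cluster/apps",
                 "bash -c 'id; uname -a'"),
    # Benign: cron running a backup script, unrelated to SAP.
    ProcessEvent("linux", "start", "bash",
                 "/usr/sbin/cron", "/root", "bash /opt/backup.sh"),
    # Webshell-style on Windows: cmd.exe launched from the SAP J2EE working directory.
    ProcessEvent("windows", "start", "cmd.exe",
                 "D:\\usr\\sap\\SID\\J00\\exe\\sapjvm_8\\bin\\java.exe",
                 "D:\\usr\\sap\\SID\\J00\\j2ee\\cluster",
                 "cmd.exe /c whoami"),
    # Process end event from the SAP tree: ignored, the rule matches starts only.
    ProcessEvent("linux", "end", "sh",
                 "/usr/sap/SID/J00/exe/sapjvm_8/bin/java", "/usr/sap/SID", "sh"),
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"ALERT [{ev.host_os}] {ev.name}: {ev.command_line!r} (parent {ev.parent_executable})")
```

Run as a script, the two webshell-style events alert and the cron job and the process end event do not. When tuning the real rule, the equivalent of `SAP_WEB_MARKERS` and the interpreter list are where false positives from legitimate SAP administration scripts are handled, so review the process tree of any match before excluding it.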
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.007
  • T1203
Created: 2025-04-26