spicosolutions / thepeoplessiem

Patronus Support Portal

SSRG097 - Detect Prohibited Applications Spawning cmd exe -- Filtering needed #12

Closed jward51 closed 2 years ago

jward51 commented 2 years ago

| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | search NOT process = "*\SplunkUniversalForwarder\*" NOT parent_process_name = "splunk.exe" | patronus_helper

jward51 commented 2 years ago

Updated query for SSRG097 was missing the pipe to `rename Processes.* as *`. I updated the query on the patronus.dev instance.

| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | rename Processes.* as * | search NOT process = "*SplunkUniversalForwarder*" NOT parent_process_name = "splunk.exe" NOT parent_process_name = "AgentMon.exe"
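Added example, not code from the issue or from the thepeoplessiem project: a small Python emulation of the SSRG097 pipeline from both comments above, run over constructed Endpoint.Processes rows, showing why the missing `rename Processes.* as *` left the parent-process exclusions ineffective. The row fields, hosts, users and command lines are constructed; `tstats` output naming (aggregates already carry their `as` alias, `by` fields keep the `Processes.` prefix) is assumed from the query itself.

```python
import fnmatch

# Constructed rows (not real telemetry), shaped like Endpoint.Processes events.
ROWS = [
    {"_time": 100, "Processes.parent_process_name": "splunk.exe", "Processes.process_name": "cmd.exe",
     "Processes.process": "C:\\Windows\\System32\\cmd.exe /c hostname", "Processes.dest": "ws01", "Processes.user": "SYSTEM"},
    {"_time": 110, "Processes.parent_process_name": "AgentMon.exe", "Processes.process_name": "cmd.exe",
     "Processes.process": "cmd.exe /c ipconfig /all", "Processes.dest": "ws01", "Processes.user": "SYSTEM"},
    {"_time": 120, "Processes.parent_process_name": "winword.exe", "Processes.process_name": "cmd.exe",
     "Processes.process": "cmd.exe /c whoami", "Processes.dest": "ws02", "Processes.user": "alice"},
    {"_time": 130, "Processes.parent_process_name": "winword.exe", "Processes.process_name": "cmd.exe",
     "Processes.process": "cmd.exe /c dir C:\\Users", "Processes.dest": "ws02", "Processes.user": "alice"},
    {"_time": 140, "Processes.parent_process_name": "explorer.exe", "Processes.process_name": "notepad.exe",
     "Processes.process": "notepad.exe", "Processes.dest": "ws02", "Processes.user": "alice"},
]
BY = ("Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user")

def tstats_stage(rows):
    """tstats count values(process) as process min/max(_time) where process_name=cmd.exe by BY.
    Aliased aggregates come out as 'process', 'firstTime', 'lastTime'; BY fields keep the prefix."""
    groups = {}
    for r in rows:
        if r["Processes.process_name"].lower() != "cmd.exe":
            continue
        key = tuple(r[f] for f in BY)
        g = groups.setdefault(key, {**{f: r[f] for f in BY}, "count": 0, "process": [],
                                    "firstTime": r["_time"], "lastTime": r["_time"]})
        g["count"] += 1
        if r["Processes.process"] not in g["process"]:
            g["process"].append(r["Processes.process"])
        g["firstTime"], g["lastTime"] = min(g["firstTime"], r["_time"]), max(g["lastTime"], r["_time"])
    return list(groups.values())

def rename_stage(rows, prefix="Processes."):
    """| rename Processes.* as *  (strips the datamodel prefix from every field)."""
    return [{(k[len(prefix):] if k.startswith(prefix) else k): v for k, v in r.items()} for r in rows]

def search_not_stage(rows, field, pattern):
    """| search NOT field="pattern": case-insensitive wildcard match, any value of a multivalue
    field counts; a row that lacks the field can never match, so NOT keeps it (the bug here)."""
    def matches(r):
        vals = r.get(field, [])
        return any(fnmatch.fnmatchcase(v.lower(), pattern.lower())
                   for v in (vals if isinstance(vals, list) else [vals]))
    return [r for r in rows if not matches(r)]

EXCLUSIONS = [("process", "*SplunkUniversalForwarder*"),
              ("parent_process_name", "splunk.exe"), ("parent_process_name", "AgentMon.exe")]

def run(rows, with_rename):
    """Runs SSRG097; with_rename=False reproduces the query before the fix (exclusions silently miss)."""
    out = tstats_stage(rows)
    out = rename_stage(out) if with_rename else out
    for field, pattern in EXCLUSIONS:
        out = search_not_stage(out, field, pattern)
    return out
```

Without the rename the parent_process_name exclusions match nothing, so the splunk.exe and AgentMon.exe groups survive; with it only the winword.exe group remains.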