(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ParentImage!="?" AND ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" AND ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" AND((Image="C:\Windows\System32\smss.exe" AND (ParentImage!="C:\Windows\System32\smss.exe" AND ParentImage!="System")) OR(Image="C:\Windows\System32\csrss.exe" AND (ParentImage!="C...
