remove programdata from path

Co-authored-by: Nasreddine Bencherchali <[email protected]>

Author: patel-bhavin

detections/endpoint/windows_suspicious_process_file_path.yml

@@ -20,7 +20,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
   as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes 
-  where Processes.process_path IN("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*Recycle.bin*", "*\\Windows\\Media\\*","\\Windows\\repair\\*", "*\\PerfLogs\\*", "*:\\Windows\\Prefetch\\*", "*:\\Windows\\Cursors\\*", "*:\\Windows\\INF\\*", "*\\programdata\\*") AND NOT(Processes.process_path IN ("*\\temp\\*"))
+  where Processes.process_path IN("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*Recycle.bin*", "*\\Windows\\Media\\*","\\Windows\\repair\\*", "*\\PerfLogs\\*", "*:\\Windows\\Prefetch\\*", "*:\\Windows\\Cursors\\*", "*:\\Windows\\INF\\*") AND NOT(Processes.process_path IN ("*\\temp\\*"))
   by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user 
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)`