Merge pull request #3522 from splunk/extra_field_removal

Removing duplicate creation of user

Author: patel-bhavin

detections/endpoint/first_time_seen_child_process_of_zoom.yml

@@ -1,7 +1,7 @@
 name: First Time Seen Child Process of Zoom
 id: e91bd102-d630-4e76-ab73-7e3ba22c5961
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-05-15'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
@@ -26,7 +26,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash)
   as process_hash values(Processes.process_integrity_level) as process_integrity_level
   values(Processes.process_name) as process_name values(Processes.process_path) as
-  process_path values(Processes.user) as user  values(Processes.user_id) as user_id
+  process_path  values(Processes.user_id) as user_id
   values(Processes.vendor_product) as vendor_product from datamodel=Endpoint.Processes
   where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us)
   by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup