I'm still looking for guidance on this. We have instances of alerts being generated by our vulnerability scanning agent on a host. The agent will spawn a shell; that shell will spawn another process, which will spawn the process that is alerted on. So the agent is 3 degrees separated from the alert, which means that when I look at the log for the alert, the agent is not present, but if I look at the "Analyze Event" I can see the agent in the process tree. I have whitelisted the agent executable, but that has not helped.