I am currently facing some challenges while attempting to create a correlated use case involving the prebuilt "Whoami Process Activity." The issue arises because we need to make an exception for a previous log that generates this activity. Specifically, it is a PowerShell script that executes the "whoami" validation.
sequence with maxspan=2s
[process where process.args: "*"]
[process where event.type in ("start", "process_started") and process.name: "whoami.exe"]
Currently, when I attempt to use the query NOT "process where not process.args:", it does not seem to be functioning correctly.
I would greatly appreciate your assistance in this matter. Could you please help me understand what I might be doing wrong?