Zane Coppedge 2019-05-24 13:10:00 -07:00
Родитель 56c11bde26
Коммит 23c9e07496
1 изменённых файлов: 2 добавлений и 2 удалений


@ -3,12 +3,12 @@
// Description: Looks across your environment for least common Process Command Lines, may be noisy and require whitelisting. By ZanCo
// DataSource: #SecurityEvent
// Tactics: #InitialAccess, #Execution, #Persistance
let Whitelist = dynamic (['conhost.exe', 'foo.exe', 'baz.exe']);
let Whitelist = dynamic (['foo.exe', 'baz.exe']);
let Sensitivity = 5;
let StartDate = ago(7d);
let Duration = 7d;
SecurityEvent
| where EventID == 4688 and TimeGenerated > StartDate and TimeGenerated < (StartDate + Duration)
| where EventID == 4688 and TimeGenerated > StartDate and TimeGenerated < (StartDate + Duration) and NewProcessName !endswith 'conhost.exe'
| extend ProcArray = split(NewProcessName, '\\')
// ProcArrayLength is Folder Depth
| extend ProcArrayLength = arraylength(ProcArray)
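Review bot: The new `!endswith 'conhost.exe'` clause on the `where` line excludes every NewProcessName whose path ends in that string, not only the system console host, so a binary of that name started from any other directory is dropped from a query whose purpose is to surface rare command lines; since NewProcessName is split on `'\\'` two lines later and so presumably holds the full path, anchor the exclusion to the expected location, e.g. `and NewProcessName !~ @'C:\Windows\System32\conhost.exe'`. Keeping one exclusion inline here while the others stay in `Whitelist` (consumed outside this hunk) also splits the allow-list logic across two places; a short comment such as `// conhost.exe is excluded here rather than via Whitelist because it is filtered on full path, not file name` would tell the next reader why it was moved. The remaining `Whitelist` entries `'foo.exe'` and `'baz.exe'` read as placeholders and should be marked as such in the comment header or replaced. The query continues past the end of this hunk.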