diff --git a/Hunting Queries/Syslog/CryptoCurrencyMiners.yaml b/Hunting Queries/Syslog/CryptoCurrencyMiners.yaml
index 49f12aea51..d5660eeaad 100644
--- a/Hunting Queries/Syslog/CryptoCurrencyMiners.yaml
+++ b/Hunting Queries/Syslog/CryptoCurrencyMiners.yaml
@@ -17,7 +17,7 @@ query: |
 | project TimeGenerated, EventType, Computer, EventData
 // Extract AUOMS_EXECVE details from EventData
 | where EventType == "AUOMS_EXECVE"
- | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\" name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid
+ | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid
 // Find wget and curl commands
 | where comm in ("wget", "curl")
 // Find command lines featuring known crypto currency miner names
diff --git a/Parsers/SyslogAUOMS/SyslogExecve.txt b/Parsers/SyslogAUOMS/SyslogExecve.txt
index 8617fc91f4..c274856ea2 100644
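Review bot: The delimiter before `effective_user=` in the new parse line still lacks the leading space that every other field delimiter carries (`" gid=" gid "effective_user="`), so for space-separated `key=value` records `gid` captures a trailing space (`"0 "` rather than `"0"`) and any later equality filter on it would miss; it should read `" gid=" gid " effective_user="`, and the identical omission is in the Parsers/SyslogAUOMS/SyslogExecve.txt hunk. The added `*` before `"name=\""` binds `name` to the first `name="` that follows `cwd`; if an AUOMS_EXECVE record can carry several `name=` items, confirm the first one is the intended one, since as I read parse's default simple mode a delimiter that fails to match leaves every extracted column empty and the following `| where comm in ("wget", "curl")` then drops the record without any signal. Keeping this parse line by hand in both the hunting query and the parser is exactly what forced this two-file fix; a comment on the hunting-query line such as `// Keep in sync with Parsers/SyslogAUOMS/SyslogExecve.txt` would at least make the coupling visible. The enclosing `query: |` block starts before and continues after this hunk.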
--- a/Parsers/SyslogAUOMS/SyslogExecve.txt
+++ b/Parsers/SyslogAUOMS/SyslogExecve.txt
@@ -5,5 +5,5 @@
 Syslog
 | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
 | project TimeGenerated, EventType, Computer, EventData
 | where EventType == "AUOMS_EXECVE"
-| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\" name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid
+| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid