So there is a query on my Splunk Cloud instance, which is below:

index=windows EventCode=4688 [| inputlookup "lotl_commands.csv" | rename suscmd as search ]
NOT Account_Name=*$
NOT (net "use ")
NOT InteractionScripter.NET.exe
NOT (Account_Name=itreports sqlcmd.exe)
NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time

Whenever it runs, it triggers an alert for file path:

C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe
C:\Windows\SysWOW64\schtasks.exe

Now this file path is running legitimately and I am trying to exempt it from being searched again so another alert does not trigger. So, on the 10th line, the one that starts with "NOT (Creator_Process_Name=", I created another line like that under it and inserted both file paths, but when I do a 24hr search it still comes up, which means it is still not exempting that file path. So please, I need help being able to exempt that file path from the search. Thanks.
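As an added illustration (not code from the original post, and not Splunk's own), the following Python script emulates the logic of the search above: match Event ID 4688 events against a list of living-off-the-land commands, drop machine accounts, and then apply exclusions as exact (Creator_Process_Name, New_Process_Name) pairs. The lookup contents, the sample events and the exact-match pair semantics are all assumptions made here; the real lotl_commands.csv is not on the page. Running the exclusion logic offline against a handful of constructed events is a quick way to confirm that a new parent/child pair is actually matched before editing the production alert.

```python
import csv
import io

# Constructed stand-in for the lotl_commands.csv lookup used in the post's
# subsearch; the real lookup's contents are not on the page.
LOTL_CSV = """suscmd
schtasks.exe
cscript.exe
sqlcmd.exe
csc.exe
"""

# Exclusions as exact (Creator_Process_Name, New_Process_Name) pairs.
# Raw strings keep the Windows paths literal; comparison is case-insensitive.
# The first pair is the one already in the post; the second is the
# MySQL Notifier -> schtasks.exe pair the post wants to exempt.
EXCLUDED_PAIRS = {
    (r"C:\Windows\System32\net.exe", r"C:\Windows\System32\conhost.exe"),
    (r"C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe",
     r"C:\Windows\SysWOW64\schtasks.exe"),
}


def load_lotl(csv_text):
    """Return the suspicious command names from the lookup, lower-cased."""
    return [row["suscmd"].strip().lower()
            for row in csv.DictReader(io.StringIO(csv_text))]


def pair_excluded(event):
    """True when the event's parent/child pair is on the exclusion list."""
    creator = event["Creator_Process_Name"].lower()
    new = event["New_Process_Name"].lower()
    return any(creator == c.lower() and new == n.lower()
               for c, n in EXCLUDED_PAIRS)


def is_alert(event, lotl):
    """Mirror the post's search: 4688, LOTL command present, then exclusions."""
    if event["EventCode"] != 4688:
        return False
    # NOT Account_Name=*$ : machine accounts end in '$'
    if event["Account_Name"].endswith("$"):
        return False
    # The subsearch ORs the lookup values as free-text terms; emulate that by
    # searching every field the event exposes.
    haystack = " ".join(str(v) for v in event.values()).lower()
    if not any(cmd in haystack for cmd in lotl):
        return False
    if pair_excluded(event):
        return False
    return True


def filter_events(events, lotl):
    """Return only the events that would still raise the alert."""
    return [e for e in events if is_alert(e, lotl)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 4688, "ComputerName": "WS01", "Account_Name": "jdoe",
     "Creator_Process_Name": r"C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe",
     "New_Process_Name": r"C:\Windows\SysWOW64\schtasks.exe",
     "Process_Command_Line": "schtasks.exe /Query"},
    {"EventCode": 4688, "ComputerName": "WS02", "Account_Name": "jdoe",
     "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
     "New_Process_Name": r"C:\Windows\SysWOW64\schtasks.exe",
     "Process_Command_Line": "schtasks.exe /Create /TN nightly /TR backup.bat /SC DAILY"},
    {"EventCode": 4688, "ComputerName": "WS03", "Account_Name": "WS03$",
     "Creator_Process_Name": r"C:\Windows\System32\services.exe",
     "New_Process_Name": r"C:\Windows\System32\cscript.exe",
     "Process_Command_Line": "cscript.exe logon.vbs"},
]

if __name__ == "__main__":
    # Only the cmd.exe -> schtasks.exe event on WS02 survives the exclusions.
    for e in filter_events(SAMPLE_EVENTS, load_lotl(LOTL_CSV)):
        print(e["ComputerName"], e["Account_Name"],
              e["Creator_Process_Name"], "->", e["New_Process_Name"])
```

The raw strings in the Python are the equivalent of the doubled backslashes in the post's existing Creator_Process_Name exclusion: in SPL a backslash inside a double-quoted value is an escape character, so a literal Windows path has to be written with `\\` for each separator. Keeping exclusions as parent/child pairs rather than excluding schtasks.exe outright means the same command launched by any other parent, as in the WS02 sample, still alerts.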