fix: FP with Datev SQL Server

rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml

@@ -4,7 +4,7 @@ description: Detects suspicious shell spawn from MSSQL process, this might be si
 status: experimental
 author: FPT.EagleEye Team, wagga
 date: 2020/12/11
-modified: 2021/06/27
+modified: 2022/03/03
 tags:
     - attack.t1505.003
     - attack.t1190
@@ -23,5 +23,10 @@ detection:
             - '\bash.exe'
             - '\powershell.exe'
             - '\bitsadmin.exe'
+    filter_datev:
+        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
+        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
+        Image: 'C:\Windows\System32\cmd.exe'
+        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
     condition: selection
 level: critical