Merge pull request #2825 from SigmaHQ/aurora-false-positive-fixing

fix: FPs noticed with EdgeTransport sub processes

rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml

@@ -7,14 +7,16 @@ references:
   - https://twitter.com/cglyer/status/1182389676876980224
   - https://twitter.com/cglyer/status/1182391019633029120
 date: 2019/10/11
-modified: 2021/11/27
+modified: 2022/03/18
 logsource:
   category: process_creation
   product: windows
 detection:
   selection:
     ParentImage|endswith: '\EdgeTransport.exe'
-  condition: selection
+  filter:
+    Image: 'C:\Windows\System32\conhost.exe'
+  condition: selection and not filter
 falsepositives:
   - Unknown
 level: critical