[Rule Tuning] System Information Discovery via Windows Command Shell (#2741)

rules/windows/discovery_files_dir_systeminfo_via_cmd.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/24"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,8 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir")
+  process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir") and
+  not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*")
 '''