fix: FPs with Suspect Svchost Activity

rules/windows/process_creation/win_susp_svchost_no_cli.yml

@@ -6,7 +6,7 @@ references:
     - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett
 date: 2019/12/28
-modified: 2020/08/28
+modified: 2021/02/24
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation    
@@ -20,9 +20,10 @@ detection:
     selection2:
         Image|endswith: '\svchost.exe'
     filter:
-        ParentImage|endswith:
+        - ParentImage|endswith:
             - '\rpcnet.exe'
             - '\rpcnetp.exe'
+        - CommandLine: null  # no CommandLine value available
     condition: (selection1 and selection2) and not filter
 fields:
     - CommandLine