Question about adding process exclusions for Exploit Prevention Illegal API rules. When adding a process exclusion for Illegal API use, the first section is for the process you want to exclude. When I look at the threat event I want to exclude, there is a Target Parent Process and a Target Process. Which one should I enter into the rule?
In the example below, do I use powershell.exe or snowagent.exe?
Description: ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to Report Only. Attack Vector Type: Local System