splunk / security_content

Splunk Security Content

Home Page:https://research.splunk.com


Field Processes.original_file_name in Excessive Usage Of Net App

JustynaBorkowska opened this issue · comments

I have a question about the rule Excessive Usage Of Net App. I've noticed that the Endpoint data model doesn't contain the Processes.original_file_name field, so why is it used here?

Hi @wgyct, since CIM 4.0 the original_file_name was added to the Endpoint data model under the Processes node. A lot of our macros will include process_name and original_file_name as a way to detect renamed net.exe instances or other process renames. In addition, the Sysmon TA includes the mapping, as do other EDR products (or should :) ). Hope that helps!
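The reply explains the detection technique but not why it matters in practice, so here is an added example that is not part of the issue thread or of the splunk/security_content project. It simulates, in Python rather than SPL so that it runs offline, a macro of the shape the reply describes (match on process_name OR original_file_name) against a handful of constructed Sysmon-style events mapped to CIM Endpoint.Processes field names, and contrasts it with a process_name-only rule. The event values, host names and user names are made up; the only real things here are the CIM field names and the fact that Sysmon populates OriginalFileName from the PE version resource, which survives a rename on disk.

```python
"""Added example: renamed-net.exe detection via original_file_name.

Not code from the original issue or from splunk/security_content. It models
the logic of a process macro that checks both Processes.process_name and
Processes.original_file_name, as the reply above describes, on constructed
sample events.
"""

from collections import Counter

# Constructed sample events using CIM Endpoint.Processes field names.
# The third event is the interesting one: net.exe was copied to svchost.exe,
# so process_name changed but the PE version resource (reported by Sysmon as
# OriginalFileName, mapped by the TA to original_file_name) still says net.exe.
# The last event comes from a source that does not map original_file_name.
EVENTS = [
    {"dest": "ws01", "user": "alice", "process_name": "net.exe",
     "original_file_name": "net.exe", "process": "net user"},
    {"dest": "ws01", "user": "alice", "process_name": "net1.exe",
     "original_file_name": "net1.exe", "process": "net1 localgroup administrators"},
    {"dest": "ws02", "user": "bob", "process_name": "svchost.exe",
     "original_file_name": "net.exe", "process": "svchost.exe group"},
    {"dest": "ws02", "user": "bob", "process_name": "notepad.exe",
     "original_file_name": "NOTEPAD.EXE", "process": "notepad.exe"},
    {"dest": "ws03", "user": "carol", "process_name": "cmd.exe",
     "process": "cmd.exe /c whoami"},
]

# Names the hypothetical process_net macro looks for (net.exe and its helper).
NET_NAMES = {"net.exe", "net1.exe"}


def is_net_by_name(event):
    """Naive rule: match on process_name only."""
    return event.get("process_name", "").lower() in NET_NAMES


def is_net_macro(event):
    """Macro-style rule: process_name OR original_file_name.

    Comparisons are case-insensitive, as Splunk field matches are. An event
    with no original_file_name simply fails that clause, the same way a null
    field fails an equality test in SPL; it does not raise an error.
    """
    name = event.get("process_name", "").lower()
    ofn = event.get("original_file_name", "").lower()
    return name in NET_NAMES or ofn in NET_NAMES


def count_net_by_host(events, matcher):
    """Count matching executions per (dest, user), the aggregation an
    'excessive usage' style search performs before applying a threshold."""
    counts = Counter()
    for ev in events:
        if matcher(ev):
            counts[(ev["dest"], ev["user"])] += 1
    return dict(counts)


def renamed_net_instances(events):
    """Events caught only thanks to original_file_name, i.e. renamed binaries."""
    return [ev for ev in events if is_net_macro(ev) and not is_net_by_name(ev)]


if __name__ == "__main__":
    print("process_name only:", count_net_by_host(EVENTS, is_net_by_name))
    print("macro (name OR original_file_name):",
          count_net_by_host(EVENTS, is_net_macro))
    for ev in renamed_net_instances(EVENTS):
        print("renamed net.exe on", ev["dest"], "running as",
              ev["process_name"], "->", ev["process"])
```

The name-only rule sees two net executions on ws01 and nothing on ws02; the macro-style rule additionally attributes one execution to bob on ws02, the renamed copy. The fifth event shows the answer to the original question in practice: a source that does not populate original_file_name does not break the search, it just loses the renamed-binary case, which is why the reply stresses that the Sysmon TA and EDR add-ons should map the field.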