udpate after failure

detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml

@@ -16,7 +16,7 @@ data_source:
 - Sysmon EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe
-  OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s * AND Processes.process=*/run*)
+  OR Processes.original_file_name=schtasks.exe) (Processes.process= "* /S *" AND Processes.process=*/run*)
   by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
   Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`'