You can tag all processes that are launched by svchost.exe so that you can report when the child processes are running.
You can create a pair of rules for this purpose. Name the rules in a way that makes their relationship clear, and consider providing more information in the Description field for each one.
Create one Custom rule that applies a tag to a process if it is launched by svchost.exe.
For example:
- Operations: Process Create
- Actions: Tag Target
- Tags to Add/Remove: childofsvchost
- Process: svchost.exe
Create a second Custom rule that reports the creation of processes identified with the tag applied by the previous rule.
For example:
- Operations: Process Create
- Actions: Report
- Process Tag(s): childofsvchost