T1016 System Network Configuration Discovery-Program Blacklist

SELECT 
    process_events.path,
    process_events.arguments
FROM process_events 
WHERE process_events.event_type=0 
    AND reverse(split_part(reverse(path), '/', 1)) IN (
        'ifconfig', 
        'ip', 
        'iptables', 
        'route', 
        'traceroute', 
        'host', 
        'ping', 
        'tracepath', 
        'mtr', 
        'ethtool', 
        'arp'
    ) AND (
        reverse(split_part(reverse(process_events.path), '/', 1)) != 'ip'
        OR NOT EXISTS(
            SELECT 1 
            FROM process_events parent_process 
            WHERE process_events.parent_process_uuid = parent_process.process_uuid
                AND (
                    reverse(split_part(reverse(parent_process.path), '/', 1)) NOT IN (
                        'ip', 
                        '/sbin/dhclient-script'
                    ) OR parent_process.arguments[cardinality(parent_process.arguments)-1] IN (
                        '/usr/lib/python-exec/python2.7/google_ip_forwarding_daemon', 
                        '/usr/bin/google_network_daemon'
                    )
                )
        ) AND NOT EXISTS (
            SELECT 1 
            FROM process_events parent_process 
            WHERE process_events.parent_process_uuid = parent_process.process_uuid
                AND (reverse(split_part(reverse(parent_process.path), '/', 1)) IN (
                    'kubelet', 
                    'hyperkube', 
                    'kube-proxy'
                ) OR parent_process.path = '/opt/bin/flanneld'
        )
    )
)