The search page of EDR on-prem appliance displays unexpected results when searching the EDR database with the terms "stop citrix".

Search query: process.file.name:net.exe AND process.cmd_line:"stop citrix"

catching this:
net  stop "Citrix Desktop Service"

not catching this:
net  stop CitrixCSEEngine

Release : 4.6.8

Search query: type_id: 8001 AND process.file.name:net.exe AND process.cmd_line: "net*start*" AND -"Altiris"
Note the negate operator as  character against 'Altilis' phrase.
A result may include net start command with "AeXNSClient" and "SISManager", but not "Altiris"

This syntax appears to work when tested on EDR 4.7.0, which has the same search syntax as EDR 4.6.8.