You are absolutely correct in your query syntax. Sorry for the late reply, just wanted to ensure our query in the Bit9 Threat Intel Cloud was correct and it is:

cb.urlver=1&q=(process_name%3Aiexplore.exe%20OR%20process_name%3Afirefox.exe%20OR%20process_name%3Achrome.exe%20OR%20process_name%3Aacrord32.exe%20OR%20process_name%3Ajava.exe%20OR%20process_name%3Ajavaw.exe)%20AND%20childproc_name%3Acmd.exe&cb.q.os_type=(os_type%3A%22windows%22) ...
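
The query quoted above, percent-decoded and evaluated against a few sample process events, as an added example that is not part of the original post or of any Bit9/Carbon Black code. The event dictionaries, the helper names and the case-insensitive comparison are assumptions of this sketch; the post's trailing "..." is left out of the string.

```python
import re
from urllib.parse import parse_qs

# Query string as quoted in the post (the trailing "..." is not included).
RAW = ("cb.urlver=1&q=(process_name%3Aiexplore.exe%20OR%20process_name%3Afirefox.exe"
       "%20OR%20process_name%3Achrome.exe%20OR%20process_name%3Aacrord32.exe"
       "%20OR%20process_name%3Ajava.exe%20OR%20process_name%3Ajavaw.exe)"
       "%20AND%20childproc_name%3Acmd.exe&cb.q.os_type=(os_type%3A%22windows%22)")

def decode(raw):
    """Return each URL parameter percent-decoded, e.g. the readable 'q' expression."""
    return {k: v[0] for k, v in parse_qs(raw).items()}

def terms(expr, field):
    """Collect the lower-cased values of every field:value term in an expression."""
    found = re.findall(rf"\b{field}:(\S+?)(?=[\s)]|$)", expr)
    return {value.lower().strip('"') for value in found}

def matches(event, params):
    """Evaluate (parent OR parent ...) AND child AND os_type for one event."""
    parents = terms(params["q"], "process_name")
    children = terms(params["q"], "childproc_name")
    os_types = terms(params["cb.q.os_type"], "os_type")
    # Assumption: names are compared case-insensitively.
    return (event["process_name"].lower() in parents
            and event["childproc_name"].lower() in children
            and event["os_type"].lower() in os_types)

# Constructed sample events (hypothetical schema), not real telemetry.
EVENTS = [
    {"process_name": "AcroRd32.exe", "childproc_name": "cmd.exe", "os_type": "windows"},
    {"process_name": "explorer.exe", "childproc_name": "cmd.exe", "os_type": "windows"},
    {"process_name": "chrome.exe", "childproc_name": "chrome.exe", "os_type": "windows"},
]

def hits(events=EVENTS, raw=RAW):
    """Names of parent processes in the sample events that the query selects."""
    params = decode(raw)
    return [e["process_name"] for e in events if matches(e, params)]

if __name__ == "__main__":
    print(decode(RAW)["q"])   # the readable form of the search expression
    print(hits())
```

Only the first sample event is selected: a document reader spawning cmd.exe on Windows. A shell started by explorer.exe, or a browser spawning its own child process, does not match.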