When talking about identifying often-targeted applications spawning cmd.exe, I don't believe the query displayed is correct.
childproc_name:cmd.exe AND (parent_name:iexplore.exe OR parent_name:firefox.exe OR parent_name:chrome.exe OR parent_name:acrord32.exe OR parent_name:java.exe OR parent_name:javaw.exe OR parent_name:*flash*)
With that query, it would identify a.exe in this example.
javaw.exe --spawns--> a.exe --spawns--> cmd.exe
In this scenario javaw.exe is the parent process of a.exe and cmd.exe is the child process of a.exe, so a.exe would match. I believe this is the desired query:
childproc_name:cmd.exe AND (process_name:iexplore.exe OR process_name:firefox.exe OR process_name:chrome.exe OR process_name:acrord32.exe OR process_name:java.exe OR process_name:javaw.exe OR process_name:*flash*)
Which would match:
javaw.exe --spawns--> cmd.exe