kql · Elastic-2.0 · from elastic/detection-rules
Unusual Kernel Module Enumeration
Rule source: rules/linux/discovery_kernel_module_enumeration.toml
event.category:process and host.os.type:linux and event.type:start and event.action:exec and (
(process.name:(lsmod or modinfo)) or
(process.name:kmod and process.args:list) or
(process.name:depmod and process.args:(--all or -a))
) and
not (
process.parent.name:(
mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or
vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or
systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install or newrelic-infra
) or
process.parent.executable:(
/var/lib/dpkg/info/linux-modules*-generic.post* or "/var/ossec/bin/wazuh-modulesd" or "/opt/gitlab/embedded/bin/ruby" or
"/usr/share/initramfs-tools/hooks/thermal" or "/usr/libexec/iptables/iptables.init" or "/usr/sbin/mkinitramfs" or
"/usr/share/initramfs-tools/hooks/cryptroot" or "/usr/bin/kdumpctl"
) or
process.parent.args:(/var/lib/dpkg/info/* or /var/tmp/rpm-tmp* or "longhorn-manager" or "/usr/bin/entry") or
process.entry_leader.executable:(
"/usr/lib/apt/apt.systemd.daily" or "/usr/libexec/gnome-terminal-server" or "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent"
)
)