Password Filter not Working

Im having an issue when viewing the report, the password entere/typed is being exposed on plain text.

So i have configured a command rewriting that if the shell is cpcksh it will rewrite to bash.

What happens is, viewing the report if it prompted a password and it typed. On the <ssh> report it will not display the password

However, on the -cpcksh command it is being revealed.

And also, the User and RunUser is being displayed as root, shouldnt be User = (AD Username) and RunUser = pamprime (local account on the server)?
Should it be the same details and the only differences should be the command? <ssh> and -cpcksh?

The rule for the SSH is this:

The command rewriting is this:

Thanks for the help!