// Detection/hunting query: file events on Windows agents whose file name matches
// artefacts commonly associated with credential-dumping tooling (fgdump, pwdump,
// cachedump, WCE, lsremora, servpw, procdump) or their typical output files.
//
// Scope notes for whoever tunes this:
//  - Matching is case-insensitive (config case_sensitive = false).
//  - Only event_type is constrained; no file action (create / write / read /
//    delete) is filtered, so any file activity on a matching name is returned.
//  - procdump*.exe are legitimate Sysinternals binaries and "test.pwd" is a
//    generic name; expect benign hits from admin or support activity. Triage
//    with the acting process, user, and host role before escalating.
//  - NOTE(review): every pattern starts with "*\", so it only matches values
//    that contain a path separator. If action_file_name holds the bare file
//    name rather than the full path in this tenant's schema, none of these
//    patterns can match. Confirm against sample events; action_file_path may
//    be the intended field.
//  - NOTE(review): confirm that a single backslash inside these string literals
//    is taken literally by the query engine and not as an escape character.
config case_sensitive = false
| preset = xdr_file
| filter event_type = ENUM.FILE
    and agent_os_type = ENUM.AGENT_OS_WINDOWS
    and (
        // Group 1: substring-style matches (leading and trailing wildcard),
        // mostly tool output: dump logs, Kerberos ticket files, hash files.
        action_file_name in (
            "*\fgdump-log*",
            "*\kirbi*",
            "*\pwdump*",
            "*\pwhashes*",
            "*\wce_ccache*",
            "*\wce_krbtkts*"
        )
        or
        // Group 2: suffix matches (leading wildcard only): tool binaries,
        // helper DLLs, and exported hive or database files.
        action_file_name in (
            "*\cachedump.exe",
            "*\cachedump64.exe",
            "*\DumpExt.dll",
            "*\DumpSvc.exe",
            "*\Dumpy.exe",
            "*\fgexec.exe",
            "*\lsremora.dll",
            "*\lsremora64.dll",
            "*\NTDS.out",
            "*\procdump.exe",
            "*\procdump64.exe",
            "*\procdump64a.exe",
            "*\pstgdump.exe",
            "*\pwdump.exe",
            "*\SAM.out",
            "*\SECURITY.out",
            "*\servpw.exe",
            "*\servpw64.exe",
            "*\SYSTEM.out",
            "*\test.pwd",
            "*\wceaux.dll"
        )
    )