config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*\Temp\sam", "*\sam.sav", "*\Intel\sam", "*\sam.hive", "*\Perflogs\sam", "*\ProgramData\sam", "*\Users\Public\sam", "*\AppData\Local\sam", "*\AppData\Roaming\sam", "*_ShadowSteal.zip", "*\Documents\SAM.export", "*:\sam")) or 
 (action_file_name in ("*\hive_sam_*", "*\sam.save*", "*\sam.export*", "*\~reg_sam.save*", "*\sam_backup*", "*\sam.bck*", "*\sam.backup*"))))