// Detection query: Windows process-start events whose image path or command line
// points at NTDS.dit (the Active Directory database) — known dump tool names,
// ntdsutil-style "activate instance ntds" + "create full" (and the abbreviated
// "ac i ntds" form), cmd.exe copies of \windows\ntds\ntds.dit, PowerShell
// referencing ntds.dit, or ntds.dit referenced by a started (action) or parent
// (actor) process running from a web-server, AppData, Temp, Public or PerfLogs path.
// config case_sensitive = false: every in / contains match below is case-insensitive.
// NOTE(review): the contains terms are substring matches, so legitimate backup or
// AD maintenance runs of the same commands may also match; tune with an allowlist of
// known administrative activity rather than by loosening the terms.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Branch 1: dump tool image names, or command lines naming ntds.dit / system.hiv / NTDSgrab.ps1
 ((((action_process_image_path in ("*\NTDSDump.exe", "*\NTDSDumpEx.exe")) or 
 (action_process_image_command_line contains "ntds.dit" and 
 action_process_image_command_line contains "system.hiv") or 
 action_process_image_command_line contains "NTDSgrab.ps1") or 
 // Branch 2: ntdsutil-style IFM creation (abbreviated and full syntax), copy of the live database, PowerShell + ntds.dit
 (action_process_image_command_line contains "ac i ntds" and 
 action_process_image_command_line contains "create full") or 
 (action_process_image_command_line contains "/c copy " and 
 action_process_image_command_line contains "\windows\ntds\ntds.dit") or 
 (action_process_image_command_line contains "activate instance ntds" and 
 action_process_image_command_line contains "create full") or 
 (action_process_image_command_line contains "powershell" and 
 action_process_image_command_line contains "ntds.dit")) or 
 // Branch 3: ntds.dit in the command line where the parent (actor) or started (action) image lives in a web-server or user-writable directory
 (action_process_image_command_line contains "ntds.dit" and 
 ((actor_process_image_path in ("*\apache*", "*\tomcat*", "*\AppData\*", "*\Temp\*", "*\Public\*", "*\PerfLogs\*")) or 
 (action_process_image_path in ("*\apache*", "*\tomcat*", "*\AppData\*", "*\Temp\*", "*\Public\*", "*\PerfLogs\*"))))))