// Hunting query: Windows process-start events whose command line contains any of
// the substrings listed below. Matching is case-insensitive (case_sensitive = false)
// and each pattern is a wildcard "contains" match.
//
// NOTE(review): the substrings look like AdFind-style Active Directory enumeration
// arguments (trust, DC, subnet, GPO and account dumps) - confirm against the rule's
// origin. If so, hits relate to domain discovery (MITRE ATT&CK T1087.002, T1482,
// T1018, T1069.002).
//
// Triage notes:
//  - Only the command line is tested, not the image name, signer or hash. A renamed
//    binary still matches, but so does any other program using the same strings.
//  - "*objectcategory=*" and "*adinfo*" are generic; expect hits from legitimate
//    LDAP scripts and admin tooling. Review actor process, parent and user before
//    escalating, and keep exclusions narrow.
//  - "* oudmp *" needs a space on both sides and "*-sc dclist*" / "*-subnets -f*"
//    need exact single spacing; check whether that is the intended coverage.
//  - "*computer_pwdnotreqd*" and "*computers_pwdnotreqd*" are distinct patterns
//    (neither contains the other), so both are kept.
config case_sensitive = false
| preset = xdr_process
| filter event_type = ENUM.PROCESS
    and event_sub_type = ENUM.PROCESS_START
    and agent_os_type = ENUM.AGENT_OS_WINDOWS
    and action_process_image_command_line in (
        "*domainlist*",
        "*trustdmp*",
        "*dcmodes*",
        "*adinfo*",
        "*-sc dclist*",
        "*computer_pwdnotreqd*",
        "*objectcategory=*",
        "*-subnets -f*",
        "*name=\"Domain Admins\"*",
        "*-sc u:*",
        "*domainncs*",
        "*dompol*",
        "* oudmp *",
        "*subnetdmp*",
        "*gpodmp*",
        "*fspdmp*",
        "*users_noexpire*",
        "*computers_active*",
        "*computers_pwdnotreqd*"
    )