// Hunting query: Windows process starts whose command line slices single
// characters out of PowerShell built-in or environment variables, or stringifies
// $VerbosePreference. Indexing into predictable strings like these is a way to
// assemble a command name at runtime so that the literal name never appears in
// the command line; ordinary administrative scripts rarely need it.
//
// Triage: a hit shows obfuscation, not what was ultimately executed. Review the
// full command line and the parent/causality process before concluding.
// Coverage: only the process command line is inspected. Script files and encoded
// commands do not expose these strings here, so pair this query with PowerShell
// script block logging.
// NOTE(review): PowerShell variable names are case-insensitive. Confirm that
// `case_sensitive = false` also governs `~=` regex matching in your tenant; if
// it does not, the patterns need an explicit case-insensitive flag.
config case_sensitive = false
| preset = xdr_process
// Scope: process-start events reported by Windows agents only.
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
// Patterns, in order:
//   1-3. $PSHome / $ShellId / $env:Public indexed by a 1-3 digit number, then
//        `+`, then the same variable indexed again (character concatenation).
//   4.   $env:ComSpec indexed with a list that starts with two comma-terminated
//        1-3 digit numbers (multi-character slice).
//   5.   `*mdr*` followed by one non-word character, optional whitespace, `)`
//        and `.Name` (presumably a wildcard variable lookup whose name is then
//        read; verify against the rule source).
//   6.   $VerbosePreference.ToString( call.
//   7.   [String] cast applied to $VerbosePreference.
| filter
    action_process_image_command_line ~= "\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\["
    or action_process_image_command_line ~= "\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\["
    or action_process_image_command_line ~= "\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\["
    or action_process_image_command_line ~= "\$env:ComSpec\[(?:\s*\d{1,3}\s*,){2}"
    or action_process_image_command_line ~= "\*mdr\*\W\s*\)\.Name"
    or action_process_image_command_line ~= "\$VerbosePreference\.ToString\("
    or action_process_image_command_line ~= "\[String\]\s*\$VerbosePreference"