// Hunting/detection query: DSInternals PowerShell cmdlets seen in a process
// command line on a Windows endpoint.
//
// Scope: only PROCESS_START events from the xdr_process preset are inspected,
// and only the command line of the started process. Matching is substring
// (leading/trailing "*") and case-insensitive (config below), so any command
// line that merely contains one of the listed cmdlet names will match,
// including benign administrative use of the module.
//
// Coverage caveat: a cmdlet that is invoked from a script file, typed into an
// already-running interactive session, or passed as an encoded/obfuscated
// argument never appears as clear text in the process command line and will
// not be matched here. NOTE(review): pairing this with PowerShell
// script-block logging, where available, would close that gap — confirm
// what this tenant collects.
config case_sensitive = false
| preset=xdr_process
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
    and event_type = ENUM.PROCESS
    and event_sub_type = ENUM.PROCESS_START
    and action_process_image_command_line in (
        "*Add-ADDBSidHistory*",
        "*Add-ADNgcKey*",
        "*Add-ADReplNgcKey*",
        "*ConvertFrom-ADManagedPasswordBlob*",
        "*ConvertFrom-GPPrefPassword*",
        "*ConvertFrom-ManagedPasswordBlob*",
        "*ConvertFrom-UnattendXmlPassword*",
        "*ConvertFrom-UnicodePassword*",
        "*ConvertTo-AADHash*",
        "*ConvertTo-GPPrefPassword*",
        "*ConvertTo-KerberosKey*",
        "*ConvertTo-LMHash*",
        "*ConvertTo-MsoPasswordHash*",
        "*ConvertTo-NTHash*",
        "*ConvertTo-OrgIdHash*",
        "*ConvertTo-UnicodePassword*",
        "*Disable-ADDBAccount*",
        "*Enable-ADDBAccount*",
        "*Get-ADDBAccount*",
        "*Get-ADDBBackupKey*",
        "*Get-ADDBDomainController*",
        "*Get-ADDBGroupManagedServiceAccount*",
        "*Get-ADDBKdsRootKey*",
        "*Get-ADDBSchemaAttribute*",
        "*Get-ADDBServiceAccount*",
        "*Get-ADDefaultPasswordPolicy*",
        "*Get-ADKeyCredential*",
        "*Get-ADPasswordPolicy*",
        "*Get-ADReplAccount*",
        "*Get-ADReplBackupKey*",
        "*Get-ADReplicationAccount*",
        "*Get-ADSIAccount*",
        "*Get-AzureADUserEx*",
        "*Get-BootKey*",
        "*Get-KeyCredential*",
        "*Get-LsaBackupKey*",
        "*Get-LsaPolicy*",
        "*Get-SamPasswordPolicy*",
        "*Get-SysKey*",
        "*Get-SystemKey*",
        "*New-ADDBRestoreFromMediaScript*",
        "*New-ADKeyCredential*",
        "*New-ADNgcKey*",
        "*New-NTHashSet*",
        "*Remove-ADDBObject*",
        "*Save-DPAPIBlob*",
        "*Set-ADAccountPasswordHash*",
        "*Set-ADDBAccountPassword*",
        "*Set-ADDBBootKey*",
        "*Set-ADDBDomainController*",
        "*Set-ADDBPrimaryGroup*",
        "*Set-ADDBSysKey*",
        "*Set-AzureADUserEx*",
        "*Set-LsaPolicy*",
        "*Set-SamAccountPasswordHash*",
        "*Set-WinUserPasswordHash*",
        "*Test-ADDBPasswordQuality*",
        "*Test-ADPasswordQuality*",
        "*Test-ADReplPasswordQuality*",
        "*Test-PasswordQuality*",
        "*Unlock-ADDBAccount*",
        "*Write-ADNgcKey*",
        "*Write-ADReplNgcKey*"
    )