// Purpose: hunt for Windows process-start events whose image path or command
// line matches a fixed list of indicator strings (cert.exe and MsMpEng.exe
// outside their usual locations, agent.exe/agent.crt under c:\kworking*,
// the "Kaseya VSA Agent Hot-fix" string, and log-deletion commands).
// NOTE(review): these strings look like the IoCs published for the July 2021
// Kaseya VSA ransomware incident - confirm against your intel source.
//
// Matching is case-insensitive (config case_sensitive = false) and uses only
// path and command-line text. No file-hash or signer condition is present, so
// a renamed or relocated binary will not match; pair this with hash-based
// IoCs where available.
//
// Scope: event_type PROCESS, sub-type PROCESS_START, Windows agents only.
// There is no fields/limit/time stage, so the result shape and time window
// come from the preset and the query UI.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
// Condition 1: command line matches any of the wildcard patterns below.
// The patterns are literal substrings, so a different switch order or spacing
// (e.g. "del /f /q" instead of "del /q /f") will not match.
// The c:\kworking / c:\kworking1 paths are hard-coded.
// NOTE(review): the agent working directory may be configured differently in
// your estate - verify before relying on these entries.
 ((action_process_image_command_line in ("*C:\Windows\cert.exe*", "*del /q /f c:\kworking\agent.crt*", "*Kaseya VSA Agent Hot-fix*", "*\AppData\Local\Temp\MsMpEng.exe*", "*rmdir /s /q %SystemDrive%\inetpub\logs*", "*del /s /q /f %SystemDrive%\*.log*", "*c:\kworking1\agent.exe*", "*c:\kworking1\agent.crt*")) or 
// Condition 2: process image path equals one of these full paths (no
// wildcards, so sub-directories or other drive letters are not covered).
// NOTE(review): MsMpEng.exe directly under C:\Windows is not where Microsoft
// Defender normally installs it, which is why the path is treated as
// suspicious - confirm against a known-good baseline.
 (action_process_image_path in ("C:\Windows\MsMpEng.exe", "C:\Windows\cert.exe", "C:\kworking\agent.exe", "C:\kworking1\agent.exe")) or 
// Condition 3: command line contains both a forced recursive delete and the
// webErrorLog.txt path, i.e. a delete aimed at that log file.
 (action_process_image_command_line contains "del /s /q /f" and 
 action_process_image_command_line contains "WebPages\Errors\webErrorLog.txt")))