// Detection: FILE events on Windows agents where the acting process image path contains
// ".exe" and the target file name contains ".exe" (an executable touching an executable),
// minus two groups of path-based exclusions for known installers and updaters.
// All string comparisons are case-insensitive (config case_sensitive = false).
//
// NOTE(review): there is no event_sub_type restriction, so every FILE sub-type returned by
// the preset is matched, not only file creation - confirm this is intended.
// NOTE(review): both ".exe" tests use `contains`, so they match the substring anywhere in
// the value, not only as a trailing extension (constructed example: "app.exe.config").
// NOTE(review): every exclusion is a string match on a path; signer, hash and parent are
// not checked, so an exclusion applies to any binary located at a matching path. For the
// entries under user-writable AppData, consider also requiring a trusted signature on the
// actor process.
// NOTE(review): many clauses compare action_file_name with directory fragments. If that
// field carries only the base name in this tenant (full path in action_file_path), those
// clauses can never match - verify against sample events.
// NOTE(review): several literals end in `\"`; confirm the XQL parser does not read that
// sequence as an escaped quote.
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains ".exe" and 
 action_file_name contains ".exe") and 
 // Exclusion group 1: Windows servicing, update and installer activity, plus broad
 // directory-level carve-outs (Program Files, Defender, WindowsApps, temp directories).
 (not 
 ((actor_process_image_path in ("*:\Windows\System32\msiexec.exe", "*:\Windows\system32\cleanmgr.exe", "*:\Windows\explorer.exe", "*:\WINDOWS\system32\dxgiadaptercache.exe", "*:\WINDOWS\system32\Dism.exe", "*:\Windows\System32\wuauclt.exe")) or 
 (actor_process_image_path contains ":\WINDOWS\system32\svchost.exe" and 
 action_file_name contains ":\Windows\SoftwareDistribution\Download\") or 
 (actor_process_image_path contains ":\Windows\system32\svchost.exe" and 
 (action_file_name contains ":\WUDownloadCache\" and 
 action_file_name contains "\WindowsUpdateBox.exe")) or 
 (actor_process_image_path contains ":\WINDOWS\SoftwareDistribution\Download\" and 
 actor_process_image_path contains "\WindowsUpdateBox.Exe" and 
 action_file_name contains ":\$WINDOWS.~BT\Sources\") or 
 (actor_process_image_path contains ":\Windows\WinSxS\" and 
 actor_process_image_path contains "\TiWorker.exe") or 
 // Either side under Program Files suppresses the event: any actor writing there, and
 // any Program Files binary writing anywhere, is out of scope for this rule.
 ((actor_process_image_path in ("*:\Program Files\*", "*:\Program Files (x86)\*")) or 
 (action_file_name in ("*:\Program Files\*", "*:\Program Files (x86)\*"))) or 
 (actor_process_image_path in ("*:\ProgramData\Microsoft\Windows Defender\*", "*:\Program Files\Windows Defender\*")) or 
 action_file_name contains "\AppData\Local\Microsoft\WindowsApps\" or 
 // NOTE(review): the last pattern in the list below ends in a backslash with no trailing
 // wildcard, so it looks like it only matches a value that ends in "\tempb\" - confirm.
 (actor_process_image_path contains "\AppData\Local\Microsoft\Teams\Update.exe" and 
 (action_file_name in ("*\AppData\Local\Microsoft\Teams\stage\Teams.exe", "*\AppData\Local\Microsoft\Teams\stage\Squirrel.exe", "*\AppData\Local\Microsoft\SquirrelTemp\tempb\"))) or 
 ((actor_process_image_path in ("*:\Windows\Microsoft.NET\Framework\*", "*:\Windows\Microsoft.NET\Framework64\*", "*:\Windows\Microsoft.NET\FrameworkArm\*", "*:\Windows\Microsoft.NET\FrameworkArm64\*")) and 
 actor_process_image_path contains "\mscorsvw.exe" and 
 action_file_name contains ":\Windows\assembly\NativeImages_") or 
 (actor_process_image_path contains "\AppData\Local\" and 
 actor_process_image_path contains "\Microsoft VS Code\Code.exe" and 
 action_file_name contains "\.vscode\extensions\") or 
 (actor_process_image_path contains "\AppData\Local\GitHubDesktop\Update.exe" and 
 action_file_name contains "\AppData\Local\SquirrelTemp\") or 
 // Coverage gap: any event whose actor OR target sits under the system or per-user temp
 // directory is dropped. These locations are user-writable, so executables created from or
 // into temp are not seen by this rule; cover them with a separate, narrower detection.
 (actor_process_image_path contains ":\WINDOWS\TEMP\" or 
 action_file_name contains ":\WINDOWS\TEMP\") or 
 (actor_process_image_path contains "\AppData\Local\Temp\" or 
 action_file_name contains "\AppData\Local\Temp\") or 
 // This clause is a looser form of the mscorsvw.exe exclusion above (shorter Framework
 // and assembly prefixes), so it already covers everything the earlier clause matches.
 (actor_process_image_path contains ":\Windows\Microsoft.NET\Framework" and 
 actor_process_image_path contains "\mscorsvw.exe" and 
 action_file_name contains ":\Windows\assembly"))) and 
 // Exclusion group 2: Python 2.7 package installs, the Squirrel updater and the Chrome
 // installer. All three key on a file name or folder fragment at any location, e.g. any
 // "\ChromeSetup.exe" writing to a path containing "\Google" is suppressed.
 (not 
 ((actor_process_image_path contains "\Python27\python.exe" and 
 (action_file_name in ("*\Python27\Lib\site-packages\*", "*\Python27\Scripts\*", "*\AppData\Local\Temp\*"))) or 
 (actor_process_image_path contains "\AppData\Local\SquirrelTemp\Update.exe" and 
 action_file_name contains "\AppData\Local") or 
 (actor_process_image_path contains "\ChromeSetup.exe" and 
 action_file_name contains "\Google")))))