// Hunting query over Windows process-start telemetry (preset xdr_process).
// Returns process starts whose command line carries the PsExec/PAExec-style
// "-s" flag (run as the SYSTEM account), optionally paired with "-i"
// (interactive), immediately followed by a shell name starting with "cmd",
// "pwsh" or "powershell", while NOT mentioning paexec, PsExec or accepteula.
//
// How the pattern list is built:
//   * every flag is listed with five prefix characters: hyphen "-", slash "/",
//     en dash, em dash and horizontal bar;
//   * per shell there are 5 single-flag forms (" -s <shell>") plus 25 "-s -i"
//     and 25 "-i -s" combinations, i.e. 55 patterns per shell, 165 in total.
//
// Triage / tuning notes:
//   * "config case_sensitive = false" applies to the whole query, so both the
//     flag patterns and the exclusion list match regardless of case.
//   * "contains" is a literal substring test: each pattern needs the leading
//     space and exactly one space between tokens, and "cmd" also matches any
//     longer token that begins with "cmd". Any program that takes "-s"/"/s"
//     followed by such a token can therefore appear in the results.
//   * NOTE(review): the final exclusion removes command lines that name the
//     tool itself; presumably those are covered by a separate PsExec/PAExec
//     detection. Confirm that companion detection is deployed, otherwise
//     named invocations are not reported by either query.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // --- target token begins with "cmd" ---
 ((action_process_image_command_line contains " -s cmd" or 
 action_process_image_command_line contains " /s cmd" or 
 action_process_image_command_line contains " –s cmd" or 
 action_process_image_command_line contains " —s cmd" or 
 action_process_image_command_line contains " ―s cmd" or 
 action_process_image_command_line contains " -s -i cmd" or 
 action_process_image_command_line contains " -s /i cmd" or 
 action_process_image_command_line contains " -s –i cmd" or 
 action_process_image_command_line contains " -s —i cmd" or 
 action_process_image_command_line contains " -s ―i cmd" or 
 action_process_image_command_line contains " /s -i cmd" or 
 action_process_image_command_line contains " /s /i cmd" or 
 action_process_image_command_line contains " /s –i cmd" or 
 action_process_image_command_line contains " /s —i cmd" or 
 action_process_image_command_line contains " /s ―i cmd" or 
 action_process_image_command_line contains " –s -i cmd" or 
 action_process_image_command_line contains " –s /i cmd" or 
 action_process_image_command_line contains " –s –i cmd" or 
 action_process_image_command_line contains " –s —i cmd" or 
 action_process_image_command_line contains " –s ―i cmd" or 
 action_process_image_command_line contains " —s -i cmd" or 
 action_process_image_command_line contains " —s /i cmd" or 
 action_process_image_command_line contains " —s –i cmd" or 
 action_process_image_command_line contains " —s —i cmd" or 
 action_process_image_command_line contains " —s ―i cmd" or 
 action_process_image_command_line contains " ―s -i cmd" or 
 action_process_image_command_line contains " ―s /i cmd" or 
 action_process_image_command_line contains " ―s –i cmd" or 
 action_process_image_command_line contains " ―s —i cmd" or 
 action_process_image_command_line contains " ―s ―i cmd" or 
 action_process_image_command_line contains " -i -s cmd" or 
 action_process_image_command_line contains " -i /s cmd" or 
 action_process_image_command_line contains " -i –s cmd" or 
 action_process_image_command_line contains " -i —s cmd" or 
 action_process_image_command_line contains " -i ―s cmd" or 
 action_process_image_command_line contains " /i -s cmd" or 
 action_process_image_command_line contains " /i /s cmd" or 
 action_process_image_command_line contains " /i –s cmd" or 
 action_process_image_command_line contains " /i —s cmd" or 
 action_process_image_command_line contains " /i ―s cmd" or 
 action_process_image_command_line contains " –i -s cmd" or 
 action_process_image_command_line contains " –i /s cmd" or 
 action_process_image_command_line contains " –i –s cmd" or 
 action_process_image_command_line contains " –i —s cmd" or 
 action_process_image_command_line contains " –i ―s cmd" or 
 action_process_image_command_line contains " —i -s cmd" or 
 action_process_image_command_line contains " —i /s cmd" or 
 action_process_image_command_line contains " —i –s cmd" or 
 action_process_image_command_line contains " —i —s cmd" or 
 action_process_image_command_line contains " —i ―s cmd" or 
 action_process_image_command_line contains " ―i -s cmd" or 
 action_process_image_command_line contains " ―i /s cmd" or 
 action_process_image_command_line contains " ―i –s cmd" or 
 action_process_image_command_line contains " ―i —s cmd" or 
 action_process_image_command_line contains " ―i ―s cmd" or 
 // --- target token begins with "pwsh" ---
 action_process_image_command_line contains " -s pwsh" or 
 action_process_image_command_line contains " /s pwsh" or 
 action_process_image_command_line contains " –s pwsh" or 
 action_process_image_command_line contains " —s pwsh" or 
 action_process_image_command_line contains " ―s pwsh" or 
 action_process_image_command_line contains " -s -i pwsh" or 
 action_process_image_command_line contains " -s /i pwsh" or 
 action_process_image_command_line contains " -s –i pwsh" or 
 action_process_image_command_line contains " -s —i pwsh" or 
 action_process_image_command_line contains " -s ―i pwsh" or 
 action_process_image_command_line contains " /s -i pwsh" or 
 action_process_image_command_line contains " /s /i pwsh" or 
 action_process_image_command_line contains " /s –i pwsh" or 
 action_process_image_command_line contains " /s —i pwsh" or 
 action_process_image_command_line contains " /s ―i pwsh" or 
 action_process_image_command_line contains " –s -i pwsh" or 
 action_process_image_command_line contains " –s /i pwsh" or 
 action_process_image_command_line contains " –s –i pwsh" or 
 action_process_image_command_line contains " –s —i pwsh" or 
 action_process_image_command_line contains " –s ―i pwsh" or 
 action_process_image_command_line contains " —s -i pwsh" or 
 action_process_image_command_line contains " —s /i pwsh" or 
 action_process_image_command_line contains " —s –i pwsh" or 
 action_process_image_command_line contains " —s —i pwsh" or 
 action_process_image_command_line contains " —s ―i pwsh" or 
 action_process_image_command_line contains " ―s -i pwsh" or 
 action_process_image_command_line contains " ―s /i pwsh" or 
 action_process_image_command_line contains " ―s –i pwsh" or 
 action_process_image_command_line contains " ―s —i pwsh" or 
 action_process_image_command_line contains " ―s ―i pwsh" or 
 action_process_image_command_line contains " -i -s pwsh" or 
 action_process_image_command_line contains " -i /s pwsh" or 
 action_process_image_command_line contains " -i –s pwsh" or 
 action_process_image_command_line contains " -i —s pwsh" or 
 action_process_image_command_line contains " -i ―s pwsh" or 
 action_process_image_command_line contains " /i -s pwsh" or 
 action_process_image_command_line contains " /i /s pwsh" or 
 action_process_image_command_line contains " /i –s pwsh" or 
 action_process_image_command_line contains " /i —s pwsh" or 
 action_process_image_command_line contains " /i ―s pwsh" or 
 action_process_image_command_line contains " –i -s pwsh" or 
 action_process_image_command_line contains " –i /s pwsh" or 
 action_process_image_command_line contains " –i –s pwsh" or 
 action_process_image_command_line contains " –i —s pwsh" or 
 action_process_image_command_line contains " –i ―s pwsh" or 
 action_process_image_command_line contains " —i -s pwsh" or 
 action_process_image_command_line contains " —i /s pwsh" or 
 action_process_image_command_line contains " —i –s pwsh" or 
 action_process_image_command_line contains " —i —s pwsh" or 
 action_process_image_command_line contains " —i ―s pwsh" or 
 action_process_image_command_line contains " ―i -s pwsh" or 
 action_process_image_command_line contains " ―i /s pwsh" or 
 action_process_image_command_line contains " ―i –s pwsh" or 
 action_process_image_command_line contains " ―i —s pwsh" or 
 action_process_image_command_line contains " ―i ―s pwsh" or 
 // --- target token begins with "powershell" ---
 action_process_image_command_line contains " -s powershell" or 
 action_process_image_command_line contains " /s powershell" or 
 action_process_image_command_line contains " –s powershell" or 
 action_process_image_command_line contains " —s powershell" or 
 action_process_image_command_line contains " ―s powershell" or 
 action_process_image_command_line contains " -s -i powershell" or 
 action_process_image_command_line contains " -s /i powershell" or 
 action_process_image_command_line contains " -s –i powershell" or 
 action_process_image_command_line contains " -s —i powershell" or 
 action_process_image_command_line contains " -s ―i powershell" or 
 action_process_image_command_line contains " /s -i powershell" or 
 action_process_image_command_line contains " /s /i powershell" or 
 action_process_image_command_line contains " /s –i powershell" or 
 action_process_image_command_line contains " /s —i powershell" or 
 action_process_image_command_line contains " /s ―i powershell" or 
 action_process_image_command_line contains " –s -i powershell" or 
 action_process_image_command_line contains " –s /i powershell" or 
 action_process_image_command_line contains " –s –i powershell" or 
 action_process_image_command_line contains " –s —i powershell" or 
 action_process_image_command_line contains " –s ―i powershell" or 
 action_process_image_command_line contains " —s -i powershell" or 
 action_process_image_command_line contains " —s /i powershell" or 
 action_process_image_command_line contains " —s –i powershell" or 
 action_process_image_command_line contains " —s —i powershell" or 
 action_process_image_command_line contains " —s ―i powershell" or 
 action_process_image_command_line contains " ―s -i powershell" or 
 action_process_image_command_line contains " ―s /i powershell" or 
 action_process_image_command_line contains " ―s –i powershell" or 
 action_process_image_command_line contains " ―s —i powershell" or 
 action_process_image_command_line contains " ―s ―i powershell" or 
 action_process_image_command_line contains " -i -s powershell" or 
 action_process_image_command_line contains " -i /s powershell" or 
 action_process_image_command_line contains " -i –s powershell" or 
 action_process_image_command_line contains " -i —s powershell" or 
 action_process_image_command_line contains " -i ―s powershell" or 
 action_process_image_command_line contains " /i -s powershell" or 
 action_process_image_command_line contains " /i /s powershell" or 
 action_process_image_command_line contains " /i –s powershell" or 
 action_process_image_command_line contains " /i —s powershell" or 
 action_process_image_command_line contains " /i ―s powershell" or 
 action_process_image_command_line contains " –i -s powershell" or 
 action_process_image_command_line contains " –i /s powershell" or 
 action_process_image_command_line contains " –i –s powershell" or 
 action_process_image_command_line contains " –i —s powershell" or 
 action_process_image_command_line contains " –i ―s powershell" or 
 action_process_image_command_line contains " —i -s powershell" or 
 action_process_image_command_line contains " —i /s powershell" or 
 action_process_image_command_line contains " —i –s powershell" or 
 action_process_image_command_line contains " —i —s powershell" or 
 action_process_image_command_line contains " —i ―s powershell" or 
 action_process_image_command_line contains " ―i -s powershell" or 
 action_process_image_command_line contains " ―i /s powershell" or 
 action_process_image_command_line contains " ―i –s powershell" or 
 action_process_image_command_line contains " ―i —s powershell" or 
 action_process_image_command_line contains " ―i ―s powershell") and 
 // Exclusion: drop command lines matching any of these wildcard patterns, so
 // only invocations that do not name PsExec/PAExec (or pass accepteula) remain.
 (not 
 (action_process_image_command_line in ("*paexec*", "*PsExec*", "*accepteula*")))))