// Detection: process-start events on Linux agents whose executable path matches
// the name of a well-known offensive-security / penetration-testing tool.
//
// Scope and limits (for whoever triages or tunes this rule):
//   * Matching is on action_process_image_path only, case-insensitively. A tool
//     that has been renamed or copied under another name will not match, so treat
//     this as a low-effort tripwire, not as coverage for the tools listed.
//   * Several names are short or generic (httpx, john, hydra, legion, dirb) and the
//     two `contains` tests match anywhere in the path; expect collisions with
//     unrelated software and review hits against parent process and user.
//   * NOTE(review): entries such as "*/Villain.py", "*/hoaxshell.py" and
//     "*/ps-empire server" look like script names / command lines; when a script is
//     launched through an interpreter the image path is presumably the interpreter,
//     so these may never match. Confirm against telemetry and consider a companion
//     rule on action_process_image_command_line.
config case_sensitive = false
| preset = xdr_process
// Only process creation events ...
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// ... reported by Linux agents.
| filter agent_os_type = ENUM.AGENT_OS_LINUX
| filter
    // Command-and-control and exploitation frameworks (exact file name at end of path).
    action_process_image_path in (
        "*/crackmapexec", "*/havoc", "*/merlin-agent", "*/merlinServer-Linux-x64",
        "*/msfconsole", "*/msfvenom", "*/ps-empire server", "*/ps-empire",
        "*/sliver-client", "*/sliver-server", "*/Villain.py"
    )
    // Cobalt Strike client / team server; trailing wildcard allows suffixes.
    or action_process_image_path in ("*/cobaltstrike*", "*/teamserver*")
    // Network and attack-surface reconnaissance tools.
    or action_process_image_path in (
        "*/autorecon", "*/httpx", "*/legion", "*/naabu",
        "*/netdiscover", "*/nuclei", "*/recon-ng"
    )
    // Substring match: also hits any longer file or directory name starting with "sniper".
    or action_process_image_path contains "/sniper"
    // Web content discovery, fuzzing and fingerprinting tools.
    or action_process_image_path in (
        "*/dirb", "*/dirbuster", "*/eyewitness", "*/feroxbuster",
        "*/ffuf", "*/gobuster", "*/wfuzz", "*/whatweb"
    )
    // Web application / CMS vulnerability scanners.
    or action_process_image_path in ("*/joomscan", "*/nikto", "*/wpscan")
    // Mixed bag: password cracking and brute forcing, AD/WinRM tooling, process
    // snooping (pspy*), SQL injection and social-engineering kits, and what appear
    // to be eBPF-based hiding/DoS samples (bpfdos, ebpfki, pidhide, writeblocker).
    or action_process_image_path in (
        "*/aircrack-ng", "*/bloodhound-python", "*/bpfdos", "*/ebpfki",
        "*/evil-winrm", "*/hashcat", "*/hoaxshell.py", "*/hydra", "*/john",
        "*/ncrack", "*/nxc-ubuntu-latest", "*/pidhide", "*/pspy32", "*/pspy32s",
        "*/pspy64", "*/pspy64s", "*/setoolkit", "*/sqlmap", "*/writeblocker"
    )
    // Substring match so variants such as linpeas.sh or versioned names are included.
    or action_process_image_path contains "/linpeas"