// Detection: command lines that use WMIC-style syntax to uninstall, delete or
// terminate a security product on a Windows endpoint. This is defense-impairment
// behaviour (MITRE ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools).
//
// Logic: Windows process-start event whose command line satisfies
//   (A or B or C) and <security-product pattern>
//   A: "wmic" + "product where " + "call" + "uninstall" + "/nointeractive"
//   B: "wmic" + "caption like " + ("call delete" or "call terminate")
//   C: "process " + "where " + "delete"
//
// Matching notes:
//   - case_sensitive = false is set below, so the string comparisons ignore case.
//   - Only action_process_image_command_line is inspected. Image path, signer,
//     parent process and user are not part of the condition, so pull those in
//     during triage rather than expecting the rule to have checked them.
//   - Coverage is limited to the command-line shapes above. Product removal or
//     service stops done through other tooling need their own detections.
//
// Triage: expected benign sources are sanctioned AV/EDR migrations and software
// deployment tooling. Confirm against change records, check which account and
// parent process issued the command, and check whether the named product's
// agent stopped reporting from that host afterwards.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Clause A: silent product uninstall ("product where ... call uninstall /nointeractive").
 (((action_process_image_command_line contains "wmic" and 
 action_process_image_command_line contains "product where " and 
 action_process_image_command_line contains "call" and 
 action_process_image_command_line contains "uninstall" and 
 action_process_image_command_line contains "/nointeractive") or 
 // Clause B: selection by caption followed by "call delete" or "call terminate".
 ((action_process_image_command_line contains "wmic" and 
 action_process_image_command_line contains "caption like ") and 
 (action_process_image_command_line in ("*call delete*", "*call terminate*"))) or 
 // Clause C: "process where ... delete".
 // NOTE(review): unlike A and B this clause has no "wmic" term, so any command
 // line holding these three substrings plus a product pattern matches. Confirm
 // this breadth is intended and tune if it proves noisy.
 (action_process_image_command_line contains "process " and 
 action_process_image_command_line contains "where " and 
 action_process_image_command_line contains "delete")) and 
 // Product selector, ANDed with (A or B or C). "*" is the wildcard of the `in` list.
 // Entries wrapped in % are presumably meant to match a LIKE pattern typed inside
 // the where-clause (e.g. "%sophos%"); the rest are product display names.
 // "*AVG *" and "*Cylance *" include a trailing space in the pattern.
 // The list is static: security products deployed in your environment that are
 // not named here are not covered, so extend it to match your tooling inventory.
 (action_process_image_command_line in ("*%carbon%*", "*%cylance%*", "*%endpoint%*", "*%eset%*", "*%malware%*", "*%Sophos%*", "*%symantec%*", "*Antivirus*", "*AVG *", "*Carbon Black*", "*CarbonBlack*", "*Cb Defense Sensor 64-bit*", "*Crowdstrike Sensor*", "*Cylance *", "*Dell Threat Defense*", "*DLP Endpoint*", "*Endpoint Detection*", "*Endpoint Protection*", "*Endpoint Security*", "*Endpoint Sensor*", "*ESET File Security*", "*LogRhythm System Monitor Service*", "*Malwarebytes*", "*McAfee Agent*", "*Microsoft Security Client*", "*Sophos Anti-Virus*", "*Sophos AutoUpdate*", "*Sophos Credential Store*", "*Sophos Management Console*", "*Sophos Management Database*", "*Sophos Management Server*", "*Sophos Remote Management System*", "*Sophos Update Manager*", "*Threat Protection*", "*VirusScan*", "*Webroot SecureAnywhere*", "*Windows Defender*"))))