// Detection: Microsoft Defender scan/protection features being switched off through
// the Add-MpPreference / Set-MpPreference cmdlets (ATT&CK T1562.001, Impair Defenses:
// Disable or Modify Tools).
//
// Scope: Windows agents only, process-start events from the xdr_process preset.
// Only action_process_image_command_line is inspected; no process-name condition is applied.
//
// The filter is an OR of three branches:
//   1. Cleartext - the command line must satisfy all three of: a cmdlet name
//      (Add-MpPreference / Set-MpPreference), one of the seven Disable* parameters,
//      and an enabling value ("$true" or a space-delimited 1).
//   2. Base64 of the single-byte (ASCII/UTF-8) parameter name - each of the seven
//      parameters appears in lower-case and mixed-case spelling, and each spelling in the
//      three byte alignments a substring can take inside a base64 stream.
//   3. Base64 of the UTF-16LE parameter name (the encoding PowerShell's -EncodedCommand
//      expects) - same idea, matched with wildcard patterns.
//
// NOTE(review): branches 2 and 3 match on the encoded parameter name alone; unlike
// branch 1 they do not require the cmdlet name or an enabling value, so they are
// broader and should be triaged by decoding the payload.
// NOTE(review): `config case_sensitive = false` is query-wide. Base64 is case-sensitive,
// so if the setting also governs the `contains` / `in` comparisons below, the encoded
// fragments match more loosely than their decoded meaning implies - confirm, and expect
// some extra noise from unrelated encoded blobs.
// NOTE(review): branch 1 patterns require a trailing space after the parameter name and
// spaces on both sides of the value 1; other ways of binding the value are not covered
// by this branch. Validate against real telemetry before relying on it as sole coverage.
// NOTE(review): in branch 3, RealtimeMonitoring, IOAVProtection, BehaviorMonitoring and
// BlockAtFirstSeen carry three alignments in both spellings, while CatchupFullScan,
// CatchupQuickScan and ArchiveScanning carry a single mixed-case, offset-0 pattern.
// Consider adding the missing variants so UTF-16LE coverage is uniform.
//
// Triage: review the parent process and the initiating user, decode any encoded
// command line, and confirm whether the change came from sanctioned management tooling.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_command_line in ("*Add-MpPreference *", "*Set-MpPreference *")) and 
 (action_process_image_command_line in ("*DisableArchiveScanning *", "*DisableRealtimeMonitoring *", "*DisableIOAVProtection *", "*DisableBehaviorMonitoring *", "*DisableBlockAtFirstSeen *", "*DisableCatchupFullScan *", "*DisableCatchupQuickScan *")) and 
 (action_process_image_command_line in ("*$true*", "* 1 *"))) or 
 ((action_process_image_command_line contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or 
 action_process_image_command_line contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or 
 action_process_image_command_line contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or 
 action_process_image_command_line contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or 
 action_process_image_command_line contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or 
 action_process_image_command_line contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or 
 action_process_image_command_line contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or 
 action_process_image_command_line contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or 
 action_process_image_command_line contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or 
 action_process_image_command_line contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or 
 action_process_image_command_line contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or 
 action_process_image_command_line contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or 
 action_process_image_command_line contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or 
 action_process_image_command_line contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or 
 action_process_image_command_line contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or 
 action_process_image_command_line contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or 
 action_process_image_command_line contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or 
 action_process_image_command_line contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or 
 action_process_image_command_line contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or 
 action_process_image_command_line contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or 
 action_process_image_command_line contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or 
 action_process_image_command_line contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or 
 action_process_image_command_line contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or 
 action_process_image_command_line contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or 
 action_process_image_command_line contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or 
 action_process_image_command_line contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or 
 action_process_image_command_line contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or 
 action_process_image_command_line contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or 
 action_process_image_command_line contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or 
 action_process_image_command_line contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or 
 action_process_image_command_line contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or 
 action_process_image_command_line contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or 
 action_process_image_command_line contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or 
 action_process_image_command_line contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or 
 action_process_image_command_line contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or 
 action_process_image_command_line contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or 
 action_process_image_command_line contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or 
 action_process_image_command_line contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or 
 action_process_image_command_line contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or 
 action_process_image_command_line contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or 
 action_process_image_command_line contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or 
 action_process_image_command_line contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI") or 
 (action_process_image_command_line in ("*RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA*", "*QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA*", "*EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA*", "*RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA*", "*QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA*", "*EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA*", "*RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA*", "*QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA*", "*EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA*", "*RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA*", "*QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA*", "*EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA*", "*ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA*", "*QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA*", "*kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA*", "*ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA*", "*QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA*", "*kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA*", "*ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA*", "*QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA*", "*kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA*", "*ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA*", "*QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA*", "*kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA*", "*RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA*", "*RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA*", "*RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA*")))))