config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "C:\Windows\Temp\ScreenConnect\" and 
 action_file_name contains "\LB3.exe") or 
 (action_file_name in ("*C:\mpyutd.msi*", "*C:\perflogs\RunSchedulerTaskOnce.ps1*", "*C:\ProgramData\1.msi*", "*C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi*", "*C:\ProgramData\update.dat*", "*C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe*", "*C:\Windows\Help\Help\SentinelAgentCore.dll*", "*C:\Windows\Help\Help\SentinelUI.exe*", "*C:\Windows\spsrv.exe*", "*C:\Windows\Temp\svchost.exe*"))))