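// Detection: Windows system binary started from a non-standard location.
// Matches PROCESS_START events on Windows agents whose image path ends in one of the
// listed system executable names, unless the path falls under one of the excluded
// install or servicing locations below.
//
// Triage: review the full image path, the file signer and the parent process of the
// matched event before closing it as benign.
//
// Tuning notes:
//  - The pwsh.exe and wsl.exe exclusions and the "\SystemRoot\System32\" exclusion are
//    substring or leading-wildcard matches, so they are broader than the install
//    locations they are meant to cover. Where the environment allows, anchor them to
//    the full expected path.
//  - The per-user WSL exclusion previously compared against "C:\Users\'" (stray
//    apostrophe), which no real path contains, so legitimate per-user wsl.exe launches
//    were never excluded. It now compares against "C:\Users\".
//  - Comparisons are case-insensitive (config case_sensitive = false).
config case_sensitive = false
| preset=xdr_process
| filter (event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START) and
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and
 // Image name is one of the monitored system executables.
 ((action_process_image_path in (
    "*\atbroker.exe", "*\audiodg.exe", "*\bcdedit.exe", "*\bitsadmin.exe", "*\certreq.exe", "*\certutil.exe",
    "*\cmstp.exe", "*\conhost.exe", "*\consent.exe", "*\cscript.exe", "*\csrss.exe", "*\dashost.exe",
    "*\defrag.exe", "*\dfrgui.exe", "*\dism.exe", "*\dllhost.exe", "*\dllhst3g.exe", "*\dwm.exe",
    "*\eventvwr.exe", "*\fsquirt.exe", "*\finger.exe", "*\logonui.exe", "*\LsaIso.exe", "*\lsass.exe",
    "*\lsm.exe", "*\msiexec.exe", "*\ntoskrnl.exe", "*\powershell_ise.exe", "*\powershell.exe", "*\pwsh.exe",
    "*\regsvr32.exe", "*\rundll32.exe", "*\runonce.exe", "*\RuntimeBroker.exe", "*\schtasks.exe", "*\services.exe",
    "*\sihost.exe", "*\smartscreen.exe", "*\smss.exe", "*\spoolsv.exe", "*\svchost.exe", "*\taskhost.exe",
    "*\taskhostw.exe", "*\Taskmgr.exe", "*\userinit.exe", "*\werfault.exe", "*\werfaultsecure.exe", "*\wininit.exe",
    "*\winlogon.exe", "*\winver.exe", "*\wlanext.exe", "*\wscript.exe", "*\wsl.exe", "*\wsmprovhost.exe")) and
 (not
 // Exclusion 1: standard Windows system and servicing directories (prefix match).
 ((action_process_image_path in (
    "C:\$WINDOWS.~BT\*", "C:\$WinREAgent\*", "C:\Windows\SoftwareDistribution\*", "C:\Windows\System32\*",
    "C:\Windows\SystemTemp\*", "C:\Windows\SysWOW64\*", "C:\Windows\uus\*", "C:\Windows\WinSxS\*")) or
 // Exclusion 2: PowerShell 7 / preview install locations, pwsh.exe only.
 ((action_process_image_path in (
    "*C:\Program Files\PowerShell\7\*", "*C:\Program Files\PowerShell\7-preview\*",
    "*C:\Program Files\WindowsApps\Microsoft.PowerShellPreview*",
    "*\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview*")) and
 action_process_image_path contains "\pwsh.exe") or
 // Exclusion 3: WSL install locations under Program Files, wsl.exe only.
 ((action_process_image_path in (
    "C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux*", "C:\Program Files\WSL\*")) and
 action_process_image_path contains "\wsl.exe") or
 // Exclusion 4: per-user WindowsApps copy of wsl.exe under a user profile.
 (action_process_image_path contains "C:\Users\" and
 action_process_image_path contains "\AppData\Local\Microsoft\WindowsApps\" and
 action_process_image_path contains "\wsl.exe"))) and
 // Exclusion 5: image paths reported in the \SystemRoot\System32\ form.
 (not
 action_process_image_path contains "\SystemRoot\System32\")))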