// Detection: Windows process starts whose command line invokes cmd with the
// /c, /k or /r switch but is missing the space before or after the switch.
// All string comparisons below are case-insensitive (config stage).
// NOTE(review): the literals contain bare backslashes (\cmd, AppData\Local\...)
// next to \" used as a quote escape. Confirm how the XQL parser treats them.
config case_sensitive = false
| preset = xdr_process
// Scope: process-start events only.
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// Scope: Windows agents only.
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS
// Selection: a row is kept when any one of the three lists matches.
//   list 1: no space between the cmd image name and the switch.
//   list 2: switch fused with the following command name. These patterns do not
//           require "cmd" in the command line.
//   list 3: cmd followed by a space and the switch. This also matches well-formed
//           invocations, which the next stage removes.
| filter
    action_process_image_command_line in (
        "*cmd.exe/c*", "*\cmd/c*", "*\"cmd/c*",
        "*cmd.exe/k*", "*\cmd/k*", "*\"cmd/k*",
        "*cmd.exe/r*", "*\cmd/r*", "*\"cmd/r*")
    or action_process_image_command_line in (
        "*/cwhoami*", "*/cpowershell*", "*/cschtasks*", "*/cbitsadmin*", "*/ccertutil*",
        "*/kwhoami*", "*/kpowershell*", "*/kschtasks*", "*/kbitsadmin*", "*/kcertutil*")
    or action_process_image_command_line in (
        "*cmd.exe /c*", "*cmd /c*",
        "*cmd.exe /k*", "*cmd /k*",
        "*cmd.exe /r*", "*cmd /r*")
// Exclusion 1: drop command lines where the switch is followed by a space.
// NOTE(review): this matches anywhere in the command line, so a row selected by
// list 1 or list 2 is also dropped if the same command line contains a
// well-formed "cmd /c " style invocation. Review whether that gap is acceptable.
| filter not (action_process_image_command_line in (
        "*cmd.exe /c *", "*cmd /c *",
        "*cmd.exe /k *", "*cmd /k *",
        "*cmd.exe /r *", "*cmd /r *"))
// Exclusion 2: known benign shapes. These are a command line containing the
// per-user VS Code node_modules path, one ending in "cmd.exe/c .", and a bare
// "cmd.exe /c" or "cmd /c".
// NOTE(review): the VS Code entry is a substring match on the command line only
// and does not check which process launched the command. Consider tightening it.
| filter not (action_process_image_command_line in (
        "*AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules*",
        "*cmd.exe/c .",
        "cmd.exe /c",
        "cmd /c"))