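// Detection: Linux process-start events where a Node.js process whose command line
// looks like a Next.js / React server launches a child that is a discovery or network
// utility, a script interpreter, or a shell.
// Matching is case-insensitive (see config) and substring/wildcard based, so the lists
// need tuning against benign build and dev tooling before this is used for alerting.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 // Parent (actor): a node binary started as a Next.js / react-scripts server.
 ((actor_process_image_path contains "/node" and 
 (actor_process_command_line in ("*--experimental-https*", "*--experimental-next-config-strip-types*", "*/node_modules/next*", "*next dev*", "*next start*", "*node_modules/.bin*", "*react-scripts start*", "*start-server.js*"))) and 
 // Child (action), branch 1: image path is one of the listed utilities or interpreters,
 // or the child's command line contains one of the listed strings.
 ((((action_process_image_path in ("*/busybox", "*/cat", "*/curl", "*/dash", "*/dig", "*/head", "*/id", "*/ifconfig", "*/ip", "*/java", "*/less", "*/lua", "*/more", "*/nc", "*/ncat", "*/netcat", "*/netstat", "*/nslookup", "*/perl", "*/ping", "*/python", "*/python2", "*/ruby", "*/socat", "*/tail", "*/wget", "*/whoami")) or 
 action_process_image_path contains "/python") or 
 (action_process_image_command_line in ("*/dev/tcp/*", "*/dev/udp/*", "*/etc/hosts*", "*/etc/passwd*", "*/etc/shadow*", "*base64*", "*cat *", "*curl*", "*dig*", "*ifconfig*", "*IO::Socket::INET*", "*java*", "*less *", "*lua*", "*mkfifo *", "*more*", "*nc *", "*ncat*", "*netcat*", "*netstat*", "*nslookup*", "*perl*", "*php*", "*ping*", "*ps -ef*", "*ps aux*", "*python*", "*rcat*", "*ruby*", "*sh -i 2>&1*", "*-c id*", "*socat*", "*uname*", "*wget*", "*whoami*"))) or 
 // Child, branch 2: a shell started without -c.
 // The -c test is made on the command line: the flag is an argument and does not appear
 // in the image path. Tested against the path, this branch matched every child whose
 // path contains "/sh", and branch 3 below could not match at all.
 // NOTE(review): contains "/sh" is a substring test, so it also matches any other
 // binary whose path holds "/sh"; "-c" likewise matches longer options containing it.
 (action_process_image_path contains "/sh" and 
 (not 
 action_process_image_command_line contains "-c")) or 
 // Child, branch 3: a shell started with -c whose command line contains a listed string.
 ((action_process_image_path contains "/sh" and 
 action_process_image_command_line contains "-c") and 
 (action_process_image_command_line in ("*/dev/tcp/*", "*/dev/udp/*", "*/etc/hosts*", "*/etc/passwd*", "*/etc/shadow*", "*base64*", "*cat *", "*curl*", "*dig*", "*ifconfig*", "*IO::Socket::INET*", "*java*", "*less *", "*lua*", "*mkfifo *", "*more*", "*nc *", "*ncat*", "*netcat*", "*netstat*", "*nslookup*", "*perl*", "*php*", "*ping*", "*ps -ef*", "*ps aux*", "*python*", "*rcat*", "*ruby*", "*sh -i 2>&1*", "*-c id*", "*socat*", "*uname*", "*wget*", "*whoami*"))))))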