config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path in ("*/nc", "*/ncat")) and 
 (action_process_image_command_line in ("* -c *", "* -e *")) and 
 (action_process_image_command_line in ("* ash*", "* bash*", "* bsh*", "* csh*", "* ksh*", "* pdksh*", "* sh*", "* tcsh*", "*/bin/ash*", "*/bin/bash*", "*/bin/bsh*", "*/bin/csh*", "*/bin/ksh*", "*/bin/pdksh*", "*/bin/sh*", "*/bin/tcsh*", "*/bin/zsh*", "*$IFSash*", "*$IFSbash*", "*$IFSbsh*", "*$IFScsh*", "*$IFSksh*", "*$IFSpdksh*", "*$IFSsh*", "*$IFStcsh*", "*$IFSzsh*"))))