// Detection query (XQL, xdr_process preset): Windows process-start events where the
// initiating (actor) process is node.exe launched as a Next.js / react-scripts server and
// the started (action) process is a shell, script host, LOLBin or recon/network utility,
// or a cmd.exe invocation that is not on the small allowlist near the end of the filter.
// All string comparisons are case-insensitive (config case_sensitive = false).
//
// Scope: only agent_os_type = ENUM.AGENT_OS_WINDOWS, and only when the actor image path
// contains \node.exe. Other operating systems and other runtime binary names are not covered.
//
// NOTE(review): the literals mix two backslash conventions. The `next\" start` pattern only
// works if backslash-quote is an escaped quote, while the two `\mkcert\` literals end in a
// backslash directly before the closing quote. Confirm how the XQL parser treats backslashes
// (including sequences such as \n, \r, \b in the path literals) and run the query in the
// tenant before deploying it as a rule.
// NOTE(review): several command-line patterns are plain substrings (`*\net*`, `*java*`,
// `*lua*`, `*curl*`, `*ping *`); `*java*` would also match a path containing `javascript`.
// Expect tuning against normal developer activity.
// NOTE(review): the cmd.exe allowlist is matched with `contains`, so it excludes any command
// line that includes one of those strings, not only the exact benign command. Consider
// reviewing the excluded events separately.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Actor: node.exe whose command line looks like a Next.js or react-scripts server start.
 ((actor_process_image_path contains "\node.exe" and 
 (actor_process_command_line in ("*--experimental-https*", "*--experimental-next-config-strip-types*", "*\node_modules\next*", "*next dev*", "*next start*", "*next\" start*", "*node_modules\.bin\\..\next*", "*react-scripts start*", "*start-server.js*"))) and 
 // Child, branch 1: image path ends in one of the listed binaries, or contains \python.
 ((((action_process_image_path in ("*\bash.exe", "*\bitsadmin.exe", "*\certutil.exe", "*\cscript.exe", "*\curl.exe", "*\ipconfig.exe", "*\mshta.exe", "*\net.exe", "*\net1.exe", "*\netsh.exe", "*\nslookup.exe", "*\OpenConsole.exe", "*\perl.exe", "*\ping.exe", "*\powershell.exe", "*\pwsh.exe", "*\py.exe", "*\python.exe", "*\pythonw.exe", "*\pyw.exe", "*\reg.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\sc.exe", "*\sh.exe", "*\systeminfo.exe", "*\wget.exe", "*\whoami.exe", "*\wmic.exe", "*\wscript.exe", "*\wt.exe")) or 
 action_process_image_path contains "\python") or 
 // Child, branch 2: one of the listed tool names appears anywhere in the child command line.
 (action_process_image_command_line in ("*\net*", "*bitsadmin*", "*certutil *", "*conhost --headless*", "*cscript *", "*curl*", "*ipconfig*", "*java*", "*lua*", "*mshta*", "*netsh*", "*nslookup *", "*perl*", "*ping *", "*powershell*", "*pwsh*", "*python*", "*reg *", "*reg.exe*", "*regsvr32*", "*ruby*", "*rundll32*", "*sc.exe*", "*systeminfo*", "*wget*", "*whoami*", "*wmic*", "*wscript*"))) or 
 // Child, branch 3: cmd.exe started without the /d /s /c switch sequence.
 // Presumably /d /s /c is the form Node's own shell execution produces - confirm.
 (action_process_image_path contains "\cmd.exe" and 
 (not 
 action_process_image_command_line contains "/d /s /c ")) or 
 // Child, branch 4: cmd.exe with /d /s /c is reported unless the command line contains one
 // of the allowlisted strings: the git remote.origin.url lookup, the netstat/findstr
 // LISTENING check, or mkcert with -install or -CAROOT.
 ((action_process_image_path contains "\cmd.exe" and 
 action_process_image_command_line contains "/d /s /c ") and 
 (not 
 (action_process_image_command_line contains "git config --local --get remote.origin.url" or 
 (action_process_image_command_line contains "netstat -ano | findstr /C:" and 
 action_process_image_command_line contains " | findstr LISTENING") or 
 (action_process_image_command_line contains "\mkcert\" and 
 action_process_image_command_line contains " -install ") or 
 (action_process_image_command_line contains "\mkcert\" and 
 action_process_image_command_line contains " -CAROOT")))))))