config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "\Local\Microsoft\Windows\SchCache\" and 
 action_file_name contains ".sch") and 
 (not 
 (((actor_process_image_path in ("*:\Program Files\Cylance\Desktop\CylanceSvc.exe", "*:\Windows\CCM\CcmExec.exe", "*:\windows\system32\dllhost.exe", "*:\Windows\system32\dsac.exe", "*:\Windows\system32\efsui.exe", "*:\windows\system32\mmc.exe", "*:\windows\system32\svchost.exe", "*:\Windows\System32\wbem\WmiPrvSE.exe", "*:\windows\system32\WindowsPowerShell\v1.0\powershell.exe")) or 
 (actor_process_image_path in ("*:\Windows\ccmsetup\autoupgrade\ccmsetup*", "*:\Program Files\SentinelOne\Sentinel Agent*"))) or 
 ((actor_process_image_path contains ":\Program Files\" and 
 actor_process_image_path contains "\Microsoft Office") and 
 actor_process_image_path contains "\OUTLOOK.EXE"))) and 
 (not 
 (actor_process_image_path in ("*\LANDesk\LDCLient\ldapwhoami.exe", "*:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe")))))