// Cortex XDR XQL detection query: the C# compiler (csc.exe) started on a Windows endpoint with a
// command line that points at user-writable or temporary locations, minus a set of known-benign parents.
// NOTE(review): this looks like the XQL rendering of the Sigma "Suspicious Csc.exe Source File Folder"
// rule (ATT&CK T1027.004, Compile After Delivery) — confirm against the rule source.
//
// Structure of the filter, as written below:
//   process-start events on Windows (event_type / event_sub_type / agent_os_type)
//   AND the image path contains "\csc.exe"
//   AND the command line references one of three source-location patterns (wildcard list,
//       per-user Favorites/Favourites/Contacts/Pictures folders, or a ProgramData/AppData regex)
//   AND NOT exclusion group 1 (parent under Program Files, sdiagnhost.exe, w3wp.exe)
//   AND NOT exclusion group 2 (Chocolatey, Defender ATP, Ansible bootstrap parents).
// NOTE(review): `config case_sensitive = false` governs the string comparisons; whether it also applies
// to the `~=` regex is not shown here, which is presumably why the regex carries explicit [Pp]-style
// classes — verify before simplifying it.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // `contains` is a substring test: anything with "\csc.exe" in the image path matches, not only an exact basename.
 (action_process_image_path contains "\csc.exe" and 
 // Source-location branch 1: wildcard list of temp / public / Perflogs directories.
 // NOTE(review): assumes "*" glob matching inside an `in` list; if this XQL build treats `in` as an exact
 // match, this branch and the Program Files exclusion below never fire — verify with a test event.
 ((action_process_image_command_line in ("*:\Perflogs\*", "*:\Users\Public\*", "*\AppData\Local\Temp\*", "*\Temporary Internet*", "*\Windows\Temp\*")) or 
 // Source-location branch 2: a per-user profile folder (":\Users\" plus one of four subfolders).
 ((action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\Favorites\") or 
 (action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\Favourites\") or 
 (action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\Contacts\") or 
 (action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\Pictures\")) or 
 // Source-location branch 3: ProgramData, %AppData%/%LocalAppData%, or \AppData\Local|LocalLow|Roaming,
 // followed by one final path component (no further backslash) of 1-256 characters at the end of the line.
 action_process_image_command_line ~= "(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$") and 
 // Exclusion group 1: parents under either Program Files tree, plus two Windows system parents.
 // Tuning note: the Program Files wildcards trust every parent under those directories wholesale;
 // consider narrowing to the specific installers/services that legitimately invoke csc.exe.
 (not 
 ((actor_process_image_path in ("C:\Program Files (x86)\*", "C:\Program Files\*")) or 
 actor_process_image_path = "C:\Windows\System32\sdiagnhost.exe" or 
 actor_process_image_path = "C:\Windows\System32\inetsrv\w3wp.exe")) and 
 // Exclusion group 2: Chocolatey binaries, a Defender ATP parent command line, and three base64 fragments.
 // NOTE(review): the three fragments appear to be the three base64 alignments of the UTF-16LE string
 // '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}' (Ansible's PowerShell bootstrap
 // check) — confirm by decoding before editing them.
 (not 
 ((actor_process_image_path in ("C:\ProgramData\chocolatey\choco.exe", "C:\ProgramData\chocolatey\tools\shimgen.exe")) or 
 actor_process_command_line contains "\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" or 
 (actor_process_command_line in ("*JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw*", "*cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA*", "*nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA*"))))))