// Flags file events on Windows agents where the target matches the name of a built-in
// Windows executable and none of the exclusion clauses below applies.
// Presumably a masquerading hunt (system-binary name outside the OS directories); the
// query carries no title, so confirm against the rule it was generated from.
// case_sensitive = false makes the string comparisons in this query case-insensitive.
// NOTE(review): no event_sub_type condition is present, so every file event sub-type
// returned by the xdr_file preset is in scope. Narrow it if only newly created or
// written files are of interest.
// NOTE(review): every pattern is path-shaped ("*\name.exe", "*C:\Windows\...\*") but is
// compared against action_file_name. If that field holds only the leaf file name in this
// dataset, the path patterns belong on action_file_path. Verify with a known sample
// event before relying on this query.
// NOTE(review): the exclusions hard-code the C: drive, so they will not apply on hosts
// where Windows is installed on another volume. Expect false positives there.
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Watched names: the target ends in "\<name>.exe" for one of these system executables.
 ((action_file_name in ("*\AtBroker.exe", "*\audiodg.exe", "*\backgroundTaskHost.exe", "*\bcdedit.exe", "*\bitsadmin.exe", "*\cmdl32.exe", "*\cmstp.exe", "*\conhost.exe", "*\csrss.exe", "*\dasHost.exe", "*\dfrgui.exe", "*\dllhost.exe", "*\dwm.exe", "*\eventcreate.exe", "*\eventvwr.exe", "*\explorer.exe", "*\extrac32.exe", "*\fontdrvhost.exe", "*\fsquirt.exe", "*\ipconfig.exe", "*\iscsicli.exe", "*\iscsicpl.exe", "*\logman.exe", "*\LogonUI.exe", "*\LsaIso.exe", "*\lsass.exe", "*\lsm.exe", "*\msiexec.exe", "*\msinfo32.exe", "*\mstsc.exe", "*\nbtstat.exe", "*\odbcconf.exe", "*\powershell.exe", "*\pwsh.exe", "*\regini.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\RuntimeBroker.exe", "*\schtasks.exe", "*\SearchFilterHost.exe", "*\SearchIndexer.exe", "*\SearchProtocolHost.exe", "*\SecurityHealthService.exe", "*\SecurityHealthSystray.exe", "*\services.exe", "*\ShellAppRuntime.exe", "*\sihost.exe", "*\smartscreen.exe", "*\smss.exe", "*\spoolsv.exe", "*\svchost.exe", "*\SystemSettingsBroker.exe", "*\taskhost.exe", "*\taskhostw.exe", "*\Taskmgr.exe", "*\TiWorker.exe", "*\vssadmin.exe", "*\w32tm.exe", "*\WerFault.exe", "*\WerFaultSecure.exe", "*\wermgr.exe", "*\wevtutil.exe", "*\wininit.exe", "*\winlogon.exe", "*\winrshost.exe", "*\WinRTNetMUAHostServer.exe", "*\wlanext.exe", "*\wlrmdr.exe", "*\WmiPrvSE.exe", "*\wslhost.exe", "*\WSReset.exe", "*\WUDFHost.exe", "*\WWAHost.exe")) and 
 // Exclusions: the event is dropped if ANY of the OR-ed clauses below matches.
 (not 
 // (1) Target lies under an OS-owned system, component-store or update-staging directory.
 ((action_file_name in ("*C:\$WINDOWS.~BT\*", "*C:\$WinREAgent\*", "*C:\Windows\SoftwareDistribution\*", "*C:\Windows\System32\*", "*C:\Windows\SysWOW64\*", "*C:\Windows\WinSxS\*", "*C:\Windows\uus\*")) or 
 // (2) TiWorker.exe or wuaucltcore.exe writing under C:\Windows\Temp.
 // NOTE(review): the actor is matched by file name in any directory; only the Temp path
 // keeps this clause narrow. Consider anchoring the actor to its expected directory.
 ((actor_process_image_path in ("*\TiWorker.exe", "*\wuaucltcore.exe")) and 
 action_file_name contains "C:\Windows\Temp\") or 
 // (3) svchost.exe from System32/SysWOW64 writing into a WindowsApps directory
 // (presumably Store/AppX package deployment; confirm).
 ((actor_process_image_path in ("*C:\Windows\system32\svchost.exe", "*C:\Windows\SysWOW64\svchost.exe")) and 
 (action_file_name in ("*C:\Program Files\WindowsApps\*", "*C:\Program Files (x86)\WindowsApps\*", "*\AppData\Local\Microsoft\WindowsApps\*"))) or 
 // (4) Any target written by these update-client images. Exact paths, no wildcards, and
 // no condition on the target, so this is the broadest actor-based exclusion here.
 // NOTE(review): only the arm64 UUS path is listed for wuaucltcore.exe; confirm intended.
 (actor_process_image_path in ("C:\Windows\System32\wuauclt.exe", "C:\Windows\SysWOW64\wuauclt.exe", "C:\Windows\UUS\arm64\wuaucltcore.exe")) or 
 // (5) explorer.exe directly under C:\Windows, which none of the directories in (1) covers.
 action_file_name contains "C:\Windows\explorer.exe" or 
 // (6) msiexec.exe from System32/SysWOW64 writing pwsh.exe into PowerShell 7 install paths.
 ((actor_process_image_path in ("*C:\WINDOWS\system32\msiexec.exe", "*C:\WINDOWS\SysWOW64\msiexec.exe")) and 
 (action_file_name in ("C:\Program Files\PowerShell\7\pwsh.exe*", "C:\Program Files\PowerShell\7-preview\pwsh.exe*", "C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\*"))) or 
 // (7) SecurityHealthSetup.exe writing SecurityHealthSystray.exe under System32\SecurityHealth.
 // Any target matching this clause also matches "*C:\Windows\System32\*" in (1), so the
 // clause is redundant as written.
 (action_file_name contains "C:\Windows\System32\SecurityHealth\" and 
 action_file_name contains "\SecurityHealthSystray.exe" and 
 actor_process_image_path contains "\SecurityHealthSetup.exe")))))