// Detection query: reports cmd.exe process starts whose initiating process is one of a fixed
// list of Windows binaries (e.g. csrss.exe, lsass.exe, spoolsv.exe, WerFault.exe,
// SearchIndexer.exe, GoogleUpdate.exe); presumably chosen because they rarely spawn a shell.
//
// Scope: xdr_process preset, PROCESS / PROCESS_START events, Windows agents only.
// `config case_sensitive = false` makes every string comparison below case-insensitive.
//
// Match: action_process_image_path (the started process) contains "\cmd.exe" AND
// actor_process_image_path (the initiating process) matches one of the "*\<name>.exe" patterns.
//
// NOTE(review): both conditions key on the file name only, not the directory, so a binary that
// carries one of these names from any location matches too; triage on the full actor path,
// signer and command line.
// NOTE(review): `contains` is a substring test, so a path with "\cmd.exe" in the middle also
// matches; confirm that is intended or tighten it to a suffix match.
// NOTE(review): confirm the XQL parser treats the single backslashes in these literals as
// literal path separators rather than as escape characters.
// NOTE(review): only cmd.exe is covered as the child; other shells or script hosts started by
// the same parents are out of scope for this query.
// NOTE(review): third-party updaters in the list (GoogleUpdate.exe, jucheck.exe, jusched.exe)
// may need baselining per environment before alerting on them.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\cmd.exe" and 
 (actor_process_image_path in ("*\csrss.exe", "*\ctfmon.exe", "*\dllhost.exe", "*\epad.exe", "*\FlashPlayerUpdateService.exe", "*\GoogleUpdate.exe", "*\jucheck.exe", "*\jusched.exe", "*\LogonUI.exe", "*\lsass.exe", "*\regsvr32.exe", "*\SearchIndexer.exe", "*\SearchProtocolHost.exe", "*\SIHClient.exe", "*\sihost.exe", "*\slui.exe", "*\spoolsv.exe", "*\sppsvc.exe", "*\taskhostw.exe", "*\unsecapp.exe", "*\WerFault.exe", "*\wermgr.exe", "*\wlanext.exe", "*\WUDFHost.exe"))))