config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "[Type]::GetTypeFromCLSID(" and 
 (action_process_image_command_line in ("*0002DF01-0000-0000-C000-000000000046*", "*F6D90F16-9C73-11D3-B32E-00C04F990BB4*", "*F5078F35-C551-11D3-89B9-0000F81FE221*", "*88d96a0a-f192-11d4-a65f-0040963251e5*", "*AFBA6B42-5692-48EA-8141-DC517DCF0EF1*", "*AFB40FFD-B609-40A3-9828-F88BBE11E4E3*", "*88d96a0b-f192-11d4-a65f-0040963251e5*", "*2087c2f4-2cef-4953-a8ab-66779b670495*", "*000209FF-0000-0000-C000-000000000046*", "*00024500-0000-0000-C000-000000000046*"))))