config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_path in ("*\squirrel.exe", "*\update.exe")) and 
 (action_process_image_command_line in ("*--processStart*", "*--processStartAndWait*", "*--createShortcut*"))) and 
 (not 
 (((action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\AppData\Local\Discord\Update.exe" and 
 action_process_image_command_line contains "Discord.exe") and 
 (action_process_image_command_line in ("*--createShortcut*", "*--processStart*"))) or 
 ((action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\AppData\Local\GitHubDesktop\Update.exe" and 
 action_process_image_command_line contains "GitHubDesktop.exe") and 
 (action_process_image_command_line in ("*--createShortcut*", "*--processStartAndWait*"))) or 
 ((action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\AppData\Local\Microsoft\Teams\Update.exe" and 
 action_process_image_command_line contains "Teams.exe") and 
 (action_process_image_command_line in ("*--processStart*", "*--createShortcut*"))) or 
 ((action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\AppData\Local\yammerdesktop\Update.exe" and 
 action_process_image_command_line contains "Yammer.exe") and 
 (action_process_image_command_line in ("*--processStart*", "*--createShortcut*")))))))