// Detection: Windows process-start events whose command line contains an 8.3
// short-name path segment ("~1\" or "~2\" followed by more text), minus the
// allow-listed parents and tools excluded below.
// case_sensitive = false applies to every string comparison in this query, so
// the mixed-case and lower-case literals below all match regardless of case.
// Field roles: actor_process_* describes the initiating (parent) process,
// action_process_* describes the process being started.
// NOTE(review): the literals use single backslashes, including "\*" and a
// backslash placed directly before a closing quote (see the "\AppData\" literal).
// Confirm the XQL parser in the target tenant reads these as literal
// backslashes and not as escapes; otherwise the patterns match something else.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Match condition. Only the "~1" and "~2" tails are covered; a short name
 // with a higher numeric tail does not match this rule.
 ((action_process_image_command_line in ("*~1\*", "*~2\*")) and 
 // Exclusion group 1: Windows components and installers.
 (not 
 // Parent is Dism.exe or cleanmgr.exe at its exact System32 path.
 ((actor_process_image_path in ("C:\Windows\System32\Dism.exe", "C:\Windows\System32\cleanmgr.exe")) or 
 // Parent path ends in \winget.exe or lies under a Temp\WinGet directory.
 // Matched by suffix/fragment only, not by a full anchored path.
 (actor_process_image_path in ("*\winget.exe", "*\AppData\Local\Temp\WinGet\*")) or 
 // Parent path contains both the Framework64 version prefix and \csc.exe.
 (actor_process_image_path contains "C:\Windows\Microsoft.NET\Framework64\v" and 
 actor_process_image_path contains "\csc.exe") or 
 // Started image path contains both \AppData\ and \Temp\, or the command line
 // mentions the per-user Temp directory anywhere.
 // NOTE(review): this drops every event that references a user-writable Temp
 // location, so this rule gives no coverage there. Make sure another detection
 // covers short-name use from Temp, or tighten this clause.
 ((action_process_image_path contains "\AppData\" and 
 action_process_image_path contains "\Temp\") or 
 action_process_image_command_line contains "\AppData\Local\Temp\"))) and 
 // Exclusion group 2: third-party software. Only the Directory Opus entry is a
 // full path; every other entry matches a file name or path fragment, so any
 // event carrying the same fragment is excluded as well.
 // NOTE(review): consider anchoring these to full install paths and adding a
 // signer or hash condition where the data source provides one.
 (not 
 (actor_process_image_path = "C:\Program Files\GPSoftware\Directory Opus\dopus.exe" or 
 (actor_process_image_path in ("*\aurora-agent-64.exe", "*\aurora-agent.exe")) or 
 actor_process_image_path contains "\thor\thor64.exe" or 
 // Git entries are matched against the started process's command line, with
 // wildcards on both sides: the string may appear anywhere in the command line.
 (action_process_image_command_line in ("*C:\Program Files\Git\post-install.bat*", "*C:\Program Files\Git\cmd\scalar.exe*")) or 
 // WebEx: either the parent path fragment or the report tool's path appearing
 // in the command line is enough to exclude the event.
 (actor_process_image_path contains "\WebEx\webexhost.exe" or 
 action_process_image_command_line contains "\appdata\local\webex\webex64\meetings\wbxreport.exe") or 
 actor_process_image_path contains "\veeam.backup.shell.exe" or 
 actor_process_image_path contains "\Everything\Everything.exe"))))