// Detection: a Linux text-reading or text-editing tool started with a command line
// that references a system binary, boot, cron, init or configuration path.
//
// Scope: process-start events from Linux agents (preset xdr_process), with
// string comparisons made case-insensitive by the config stage.
//
// Match logic, in the order of the filter below:
//   1. Tool selection (either branch):
//      a. image path ends in /cat, /echo, /grep, /head, /more or /tail AND the
//         command line contains ">" (output redirection), or
//      b. image path ends in /emacs, /nano, /sed, /vi or /vim.
//   2. The command line matches at least one of the sensitive-path wildcard patterns
//      (login/passwd binaries, /boot, /etc/*.conf, cron, hosts, init.d, sudoers,
//      and the bin/sbin directories).
//   3. Exclusion: sed invoked as "sed -i /^..." or "sed -ne s/^..." against
//      /etc/mdadm/mdadm.conf is suppressed.
//
// NOTE(review): ">" is normally interpreted by the invoking shell and not passed to
//   cat/echo/etc. as an argument, so branch 1a may only fire when the recorded command
//   line happens to contain the character. Confirm against real telemetry; matching on
//   the parent shell's command line may be needed for the intended coverage.
// NOTE(review): step 2 is evaluated against the whole command line, so broad patterns
//   such as "*/usr/bin/*", "*/usr/local/bin/*" and "*/sbin*" can match the tool's own
//   absolute path (for example an editor launched by full path on an unrelated file).
//   Expect false positives; verify how the command line is recorded before tuning.
// NOTE(review): branch 1b does not distinguish read from write (e.g. sed without -i,
//   or an editor opened and closed without saving), so hits indicate access, not
//   necessarily modification.
// NOTE(review): this rule keys on a fixed list of tool names; changes made by other
//   programs are out of scope here. Pair it with file-write / integrity-monitoring
//   telemetry on the same paths rather than relying on it alone.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((((action_process_image_path in ("*/cat", "*/echo", "*/grep", "*/head", "*/more", "*/tail")) and 
 action_process_image_command_line contains ">") or 
 (action_process_image_path in ("*/emacs", "*/nano", "*/sed", "*/vi", "*/vim"))) and 
 (action_process_image_command_line in ("*/bin/login*", "*/bin/passwd*", "*/boot/*", "*/etc/*.conf*", "*/etc/cron.*", "*/etc/crontab*", "*/etc/hosts*", "*/etc/init.d*", "*/etc/sudoers*", "*/opt/bin/*", "*/sbin*", "*/usr/bin/*", "*/usr/local/bin/*")) and 
 (not 
 (action_process_image_path contains "/bin/sed" and 
 (action_process_image_command_line in ("sed -i /^*", "sed -ne s/^*")) and 
 action_process_image_command_line contains "/etc/mdadm/mdadm.conf"))))