// Linux process-start events in which a service-management binary is run with
// arguments that stop or disable a host firewall, SELinux enforcement, or an
// endpoint security agent. All string comparisons are case-insensitive
// (config case_sensitive = false).
//
// Clause groups in the final filter stage, in order:
//   1. image path contains "/service"    + "stop" + one of iptables | ip6tables | cbdaemon
//   2. image path contains "/chkconfig"  + ("stop" + iptables | ip6tables) or ("off" + cbdaemon)
//   3. image path contains "/systemctl"  + one of stop | disable
//                                        + one of firewalld | cbdaemon | falcon-sensor
//   4. image path contains "/setenforce" + "0"
//
// NOTE(review): every test is an unanchored substring match. A path that merely
// contains "/service" (for example a directory component) satisfies group 1, and
// the command-line terms are matched independently of position or order, so
// expect some benign hits; tune with exclusions or an end-of-path match if only
// the binary itself is intended - confirm against the rule's source.
// NOTE(review): group 4 fires on any "0" in the setenforce command line and does
// not cover the `setenforce Permissive` spelling; add a clause if that coverage
// is wanted.
config case_sensitive = false
| preset = xdr_process
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter agent_os_type = ENUM.AGENT_OS_LINUX
| filter
    (
      action_process_image_path contains "/service"
      and action_process_image_command_line contains "stop"
      and (
        action_process_image_command_line contains "iptables"
        or action_process_image_command_line contains "ip6tables"
        or action_process_image_command_line contains "cbdaemon"
      )
    )
    or (
      action_process_image_path contains "/chkconfig"
      and (
        (
          action_process_image_command_line contains "stop"
          and (
            action_process_image_command_line contains "iptables"
            or action_process_image_command_line contains "ip6tables"
          )
        )
        or (
          action_process_image_command_line contains "cbdaemon"
          and action_process_image_command_line contains "off"
        )
      )
    )
    or (
      action_process_image_path contains "/systemctl"
      and (
        action_process_image_command_line contains "stop"
        or action_process_image_command_line contains "disable"
      )
      and (
        action_process_image_command_line contains "firewalld"
        or action_process_image_command_line contains "cbdaemon"
        or action_process_image_command_line contains "falcon-sensor"
      )
    )
    or (
      action_process_image_path contains "/setenforce"
      and action_process_image_command_line contains "0"
    )