config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\lazagne.exe" or 
 ((action_process_image_path in ("*:\PerfLogs\*", "*:\ProgramData\*", "*:\Temp\*", "*:\Tmp\*", "*:\Users\Public\*", "*:\Windows\Temp\*", "*\$Recycle.bin*", "*\AppData\*", "*\Desktop\*", "*\Downloads\*", "*\Favorites\*", "*\Links\*", "*\Music\*", "*\Photos\*", "*\Pictures\*", "*\Saved Games\*", "*\Searches\*", "*\Users\Contacts\*", "*\Users\Default\*", "*\Users\Searches\*", "*\Videos\*", "*\Windows\addins\*", "*\Windows\Fonts\*", "*\Windows\IME\*")) and 
 (action_process_image_command_line in ("*.exe all", "*.exe browsers", "*.exe chats", "*.exe databases", "*.exe games", "*.exe git", "*.exe mails", "*.exe maven", "*.exe memory", "*.exe multimedia", "*.exe sysadmin", "*.exe unused", "*.exe wifi", "*.exe windows")))) or 
 ((action_process_image_command_line in ("* all *", "* browsers *", "* chats *", "* databases *", "* games *", "* mails *", "* maven *", "* memory *", "* multimedia *", "* php *", "* svn *", "* sysadmin *", "* unused *", "* wifi *")) and 
 (action_process_image_command_line in ("*-1Password*", "*-apachedirectorystudio*", "*-autologon*", "*-ChromiumBased*", "*-coreftp*", "*-credfiles*", "*-credman*", "*-cyberduck*", "*-dbvis*", "*-EyeCon*", "*-filezilla*", "*-filezillaserver*", "*-ftpnavigator*", "*-galconfusion*", "*-gitforwindows*", "*-hashdump*", "*-iisapppool*", "*-IISCentralCertP*", "*-kalypsomedia*", "*-keepass*", "*-keepassconfig*", "*-lsa_secrets*", "*-mavenrepositories*", "*-memory_dump*", "*-Mozilla*", "*-mRemoteNG*", "*-mscache*", "*-opensshforwindows*", "*-openvpn*", "*-outlook*", "*-pidgin*", "*-postgresql*", "*-psi-im*", "*-puttycm*", "*-pypykatz*", "*-Rclone*", "*-rdpmanager*", "*-robomongo*", "*-roguestale*", "*-skype*", "*-SQLDeveloper*", "*-squirrel*", "*-tortoise*", "*-turba*", "*-UCBrowser*", "*-unattended*", "*-vault*", "*-vaultfiles*", "*-vnc*", "*-winscp*")))))