config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*\WindowsPowerShell\Modules\*", "*\PowerShell\7\Modules\*")) and 
 (not 
 ((actor_process_image_path in ("*:\Program Files\PowerShell\7-preview\pwsh.exe", "*:\Program Files\PowerShell\7\pwsh.exe", "*:\Windows\System32\poqexec.exe", "*:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe", "*:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "*:\Windows\SysWOW64\poqexec.exe", "*:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe", "*:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")) or 
 (actor_process_image_path in ("C:\Windows\System32\msiexec.exe", "C:\Windows\SysWOW64\msiexec.exe"))))))