def rule(event):
    if all(
        [
            event.deep_get("DestinationPort", default="") == 3389,
            event.deep_get("Initiated", default="") == "true",
            not event.deep_get("Image", default="")
            in ["C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe"],
            not any(
                [
                    all(
                        [
                            event.deep_get("Image", default="") == "C:\\Windows\\System32\\dns.exe",
                            event.deep_get("SourcePort", default="") == 53,
                            event.deep_get("Protocol", default="") == "udp",
                        ]
                    ),
                    any(
                        [
                            event.deep_get("Image", default="").endswith(
                                "\\Avast Software\\Avast\\AvastSvc.exe"
                            ),
                            event.deep_get("Image", default="").endswith("\\Avast\\AvastSvc.exe"),
                        ]
                    ),
                    event.deep_get("Image", default="").endswith("\\RDCMan.exe"),
                    event.deep_get("Image", default="")
                    == "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\FSAssessment.exe"),
                            event.deep_get("Image", default="").endswith("\\FSDiscovery.exe"),
                            event.deep_get("Image", default="").endswith("\\MobaRTE.exe"),
                            event.deep_get("Image", default="").endswith("\\mRemote.exe"),
                            event.deep_get("Image", default="").endswith("\\mRemoteNG.exe"),
                            event.deep_get("Image", default="").endswith("\\Passwordstate.exe"),
                            event.deep_get("Image", default="").endswith(
                                "\\RemoteDesktopManager.exe"
                            ),
                            event.deep_get("Image", default="").endswith(
                                "\\RemoteDesktopManager64.exe"
                            ),
                            event.deep_get("Image", default="").endswith(
                                "\\RemoteDesktopManagerFree.exe"
                            ),
                            event.deep_get("Image", default="").endswith("\\RSSensor.exe"),
                            event.deep_get("Image", default="").endswith("\\RTS2App.exe"),
                            event.deep_get("Image", default="").endswith("\\RTSApp.exe"),
                            event.deep_get("Image", default="").endswith("\\spiceworks-finder.exe"),
                            event.deep_get("Image", default="").endswith("\\Terminals.exe"),
                            event.deep_get("Image", default="").endswith("\\ws_TunnelService.exe"),
                        ]
                    ),
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\thor.exe"),
                            event.deep_get("Image", default="").endswith("\\thor64.exe"),
                        ]
                    ),
                    event.deep_get("Image", default="").startswith(
                        "C:\\Program Files\\SplunkUniversalForwarder\\bin\\"
                    ),
                    event.deep_get("Image", default="").endswith("\\Ranger\\SentinelRanger.exe"),
                    event.deep_get("Image", default="")
                    == "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                    event.deep_get("Image", default="")
                    in [
                        "C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe",
                        "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe",
                    ],
                    event.deep_get("Image", default="") == "",
                    event.deep_get("Image", default="") == "",
                    event.deep_get("Image", default="") == "<unknown process>",
                ]
            ),
        ]
    ):
        return True
    return False
