def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\svchost.exe"),
            event.deep_get("Initiated", default="") == "true",
            event.deep_get("SourcePort", default="") == 3389,
            event.deep_get("DestinationPort", default="") in [80, 443],
        ]
    ):
        return True
    return False
