def rule(event):
    if any(
        [
            any(
                [
                    "SharpHound" in event.deep_get("Product", default=""),
                    "SharpHound" in event.deep_get("Description", default=""),
                    any(
                        [
                            "SpecterOps" in event.deep_get("Company", default=""),
                            "evil corp" in event.deep_get("Company", default=""),
                        ]
                    ),
                    any(
                        [
                            "\\Bloodhound.exe" in event.deep_get("Image", default=""),
                            "\\SharpHound.exe" in event.deep_get("Image", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    " -CollectionMethod All " in event.deep_get("CommandLine", default=""),
                    " --CollectionMethods Session " in event.deep_get("CommandLine", default=""),
                    " --Loop --Loopduration " in event.deep_get("CommandLine", default=""),
                    " --PortScanTimeout " in event.deep_get("CommandLine", default=""),
                    ".exe -c All -d " in event.deep_get("CommandLine", default=""),
                    "Invoke-Bloodhound" in event.deep_get("CommandLine", default=""),
                    "Get-BloodHoundData" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    " -JsonFolder " in event.deep_get("CommandLine", default=""),
                    " -ZipFileName " in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    " DCOnly " in event.deep_get("CommandLine", default=""),
                    " --NoSaveCache " in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
