def rule(event):
    """Flag suspicious child processes of a Next.js / react-scripts node parent.

    Returns True when all three conditions hold:

    1. ``ParentImage`` ends with ``/node``.
    2. ``ParentCommandLine`` contains one of the dev/server markers listed
       in ``parent_markers``.
    3. The child matches at least one of:
       - ``Image`` ends with one of ``child_binaries`` or contains
         ``/python``;
       - ``CommandLine`` contains one of ``cmdline_tokens``;
       - ``Image`` ends with ``/sh``.

    Missing fields are read as the empty string via ``deep_get``'s default.
    All comparisons are case-sensitive.
    """
    parent_markers = (
        "--experimental-https",
        "--experimental-next-config-strip-types",
        "/node_modules/next",
        "next dev",
        "next start",
        "node_modules/.bin",
        "react-scripts start",
        "start-server.js",
    )
    child_binaries = (
        "/busybox", "/cat", "/curl", "/dash", "/dig", "/head", "/id",
        "/ifconfig", "/ip", "/java", "/less", "/lua", "/more", "/nc",
        "/ncat", "/netcat", "/netstat", "/nslookup", "/perl", "/ping",
        "/python", "/python2", "/ruby", "/socat", "/tail", "/wget",
        "/whoami",
    )
    # Plain substring tokens: short ones such as "more", "dig", "java" or
    # "php" also match inside unrelated paths and arguments, so this list
    # is a likely source of false positives when triaging alerts.
    cmdline_tokens = (
        "/dev/tcp/", "/dev/udp/", "/etc/hosts", "/etc/passwd", "/etc/shadow",
        "base64", "cat ", "curl", "dig", "ifconfig", "IO::Socket::INET",
        "java", "less ", "lua", "mkfifo ", "more", "nc ", "ncat", "netcat",
        "netstat", "nslookup", "perl", "php", "ping", "ps -ef", "ps aux",
        "python", "rcat", "ruby", "sh -i 2>&1", "-c id", "socat", "uname",
        "wget", "whoami",
    )

    # Each field is read once, and every predicate is computed up front in
    # the same field order as the original nested lists (no short-circuit
    # across fields).
    parent_image = event.deep_get("ParentImage", default="")
    parent_is_node = parent_image.endswith("/node")

    parent_cmdline = event.deep_get("ParentCommandLine", default="")
    parent_is_web_app = any(marker in parent_cmdline for marker in parent_markers)

    image = event.deep_get("Image", default="")
    image_hit = image.endswith(child_binaries) or "/python" in image
    image_is_sh = image.endswith("/sh")
    image_has_c_suffix = image.endswith("-c")

    cmdline = event.deep_get("CommandLine", default="")
    cmdline_hit = any(token in cmdline for token in cmdline_tokens)

    # Generic child: either the binary or the command line looks suspicious.
    generic_child = image_hit or cmdline_hit

    # NOTE(review): the "-c" test is applied to Image, not CommandLine. A
    # path ending in "/sh" can never also end in "-c", so this branch
    # reduces to "any child whose Image ends with /sh", whatever it runs.
    shell_without_flag = image_is_sh and not image_has_c_suffix

    # NOTE(review): for the same reason this branch can never be true. It
    # looks like the "-c" check was meant for CommandLine, which would
    # limit shell children to the token list. Confirm against the rule
    # this was generated from before changing it.
    shell_with_flag = image_is_sh and image_has_c_suffix and cmdline_hit

    return (
        parent_is_node
        and parent_is_web_app
        and (generic_child or shell_without_flag or shell_with_flag)
    )
