def rule(event):
    """Fire when a root shell is spawned from the SCX agent's temp directory.

    Every one of the following must hold on ``event`` (each field is read
    with ``event.deep_get`` and falls back to ``""`` when absent):

    * ``User`` equals ``"root"``.
    * ``LogonId`` equals the integer ``0`` — a string ``"0"`` does not
      match, so confirm the log source emits it as a number.
    * ``CurrentDirectory`` equals ``/var/opt/microsoft/scx/tmp`` (presumably
      the System Center cross-platform agent's scratch directory; verify
      against the deployed agent).
    * ``CommandLine`` contains the substring ``/bin/sh``. This is a
      substring test, not an executable-path comparison: it also matches
      ``/bin/sh`` appearing as an argument, and it does NOT match other
      shells such as ``/bin/bash`` or ``/bin/dash``.

    Returns:
        True when all four conditions match, otherwise False.
    """
    # Guard clauses instead of all([...]): any miss short-circuits to False.
    if event.deep_get("User", default="") != "root":
        return False
    if event.deep_get("LogonId", default="") != 0:
        return False
    if event.deep_get("CurrentDirectory", default="") != "/var/opt/microsoft/scx/tmp":
        return False
    # Substring containment, deliberately loose on the rest of the command line.
    return "/bin/sh" in event.deep_get("CommandLine", default="")
