def rule(event):
    if all(
        [
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\curl.exe"),
                            event.deep_get("Image", default="").endswith("\\wget.exe"),
                        ]
                    ),
                    any(
                        [
                            "Invoke-WebRequest" in event.deep_get("CommandLine", default=""),
                            "iwr " in event.deep_get("CommandLine", default=""),
                            "curl " in event.deep_get("CommandLine", default=""),
                            "wget " in event.deep_get("CommandLine", default=""),
                            "Start-BitsTransfer" in event.deep_get("CommandLine", default=""),
                            ".DownloadFile(" in event.deep_get("CommandLine", default=""),
                            ".DownloadString(" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    "https://attachment.outlook.live.net/owa/"
                    in event.deep_get("CommandLine", default=""),
                    "https://onenoteonlinesync.onenote.com/onenoteonlinesync/"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
