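def rule(event):
    """Flag a successful POST whose query string references OWA and /powershell.

    The event matches when all of the following hold:
      * ``cs-method`` is ``POST``;
      * ``sc-status`` is 200;
      * ``cs-uri-query`` contains both ``/owa/`` and ``/powershell``;
      * ``cs-uri-query`` contains ``@`` or its URL-encoded form ``%40``;
      * ``cs-user-agent`` is not one of the excluded client names.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the request matches the pattern, False otherwise.
    """
    method = event.deep_get("cs-method", default="")
    status = event.deep_get("sc-status", default="")
    # Path fragments are compared case-insensitively so that a differently
    # cased request ("/OWA/", "/PowerShell") cannot slip past the match.
    # NOTE(review): assumes the web server resolves these paths without
    # regard to case - confirm for the log source feeding this rule.
    query = str(event.deep_get("cs-uri-query", default="") or "").lower()
    user_agent = event.deep_get("cs-user-agent", default="")

    if method != "POST":
        return False
    # Accept the status whether the parser emits it as a number or as text.
    if not (status == 200 or str(status).strip() == "200"):
        return False
    if "/owa/" not in query or "/powershell" not in query:
        return False
    if "@" not in query and "%40" not in query:
        return False
    # The user agent is client-supplied, so this exclusion only reduces noise
    # from known clients; it is not a trust decision. Consider correlating
    # excluded hits with source address elsewhere if coverage matters.
    # NOTE(review): exact-match comparison - verify the parser's rendering of
    # these names (e.g. how spaces are encoded) matches the literals below.
    return user_agent not in [
        "ClientInfo",
        "Microsoft WinRM Client",
        "Exchange BackEnd Probes",
    ]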
