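# Suffixes and markers below are stored lower-case because Image/ParentImage
# are Windows file paths, which are case-insensitive; they are compared against
# the lower-cased field value.

# Parent images treated as web/application server processes on their own.
_WEB_SERVER_PARENT_SUFFIXES = (
    "\\caddy.exe",
    "\\httpd.exe",
    "\\nginx.exe",
    "\\php-cgi.exe",
    "\\php.exe",
    "\\tomcat.exe",
    "\\umworkerprocess.exe",
    "\\w3wp.exe",
    "\\ws_tomcatservice.exe",
)

# A Java parent only counts as a web server when a Tomcat marker is also
# present, either in its path or in its command line.
_JAVA_PARENT_SUFFIXES = ("\\java.exe", "\\javaw.exe")
_TOMCAT_PATH_MARKERS = ("-tomcat-", "\\tomcat")
# Command-line markers are matched exactly as written (no case folding).
_TOMCAT_CMDLINE_MARKERS = ("CATALINA_HOME", "catalina.home", "catalina.jar")

# Child images (shells, script hosts, discovery and admin utilities) that are
# reported when spawned by one of the parents above.
_SUSPICIOUS_CHILD_SUFFIXES = (
    "\\arp.exe",
    "\\at.exe",
    "\\bash.exe",
    "\\bitsadmin.exe",
    "\\certutil.exe",
    "\\cmd.exe",
    "\\cscript.exe",
    "\\dsget.exe",
    "\\hostname.exe",
    "\\nbtstat.exe",
    "\\net.exe",
    "\\net1.exe",
    "\\netdom.exe",
    "\\netsh.exe",
    "\\nltest.exe",
    "\\ntdsutil.exe",
    "\\powershell_ise.exe",
    "\\powershell.exe",
    "\\pwsh.exe",
    "\\qprocess.exe",
    "\\query.exe",
    "\\qwinsta.exe",
    "\\reg.exe",
    "\\rundll32.exe",
    "\\sc.exe",
    "\\sh.exe",
    "\\wmic.exe",
    "\\wscript.exe",
    "\\wusa.exe",
)

# Known-benign ADManager Plus launcher command line (suffix match).
# NOTE(review): the quote placement is reproduced as found in the rule;
# verify it against real telemetry before relying on this exclusion.
_ADMANAGER_ES_CMDLINE_SUFFIX = 'Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager "Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'


def rule(event):
    """Flag a shell or admin utility spawned by a web server process.

    The rule fires when all three conditions hold:

    1. ``ParentImage`` is a web/application server binary, or a Java binary
       that carries a Tomcat marker in its path or in ``ParentCommandLine``.
    2. ``Image`` is one of the listed shells, script hosts or discovery/admin
       utilities.
    3. The event is not one of the two ADManager Plus exclusions (Java parent
       with the Elasticsearch launcher command line, or Java parent with a
       command line containing both ``sc query`` and ``ADManager Plus``).

    ``Image`` and ``ParentImage`` are compared case-insensitively so that a
    path logged as ``W3WP.EXE`` or ``\\Tomcat 9.0\\`` is not missed.
    ``CommandLine`` and ``ParentCommandLine`` substrings are matched exactly.

    Args:
        event: Object exposing ``deep_get(key, default=...)`` for the fields
            ``Image``, ``ParentImage``, ``CommandLine`` and
            ``ParentCommandLine``.

    Returns:
        bool: True when the event should raise an alert, else False.
    """
    # `or ""` tolerates a field that is present but null.
    parent_image = (event.deep_get("ParentImage", default="") or "").lower()
    child_image = (event.deep_get("Image", default="") or "").lower()
    parent_cmdline = event.deep_get("ParentCommandLine", default="") or ""
    child_cmdline = event.deep_get("CommandLine", default="") or ""

    # --- 1. Is the parent a web server process? ---
    parent_is_web_server = parent_image.endswith(_WEB_SERVER_PARENT_SUFFIXES)
    if not parent_is_web_server and parent_image.endswith(_JAVA_PARENT_SUFFIXES):
        parent_is_web_server = any(
            marker in parent_image for marker in _TOMCAT_PATH_MARKERS
        ) or any(marker in parent_cmdline for marker in _TOMCAT_CMDLINE_MARKERS)
    if not parent_is_web_server:
        return False

    # --- 2. Is the child one of the watched utilities? ---
    if not child_image.endswith(_SUSPICIOUS_CHILD_SUFFIXES):
        return False

    # --- 3. ADManager Plus exclusions (java.exe parents only) ---
    # NOTE(review): both exclusions key on the child command line text plus
    # the parent file name; if the telemetry allows, pairing them with the
    # expected ManageEngine install path would make them harder to satisfy
    # by accident.
    if parent_image.endswith("\\java.exe"):
        if child_cmdline.endswith(_ADMANAGER_ES_CMDLINE_SUFFIX):
            return False
        if "sc query" in child_cmdline and "ADManager Plus" in child_cmdline:
            return False

    return True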
