def rule(event):
    if "SOFTWARE\\Microsoft\\Provisioning\\Commands\\" in event.deep_get("CommandLine", default=""):
        return True
    return False
