def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\cmstp.exe.log"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\cscript.exe.log"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\mshta.exe.log"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\msxsl.exe.log"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\regsvr32.exe.log"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\rundll32.exe.log"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\svchost.exe.log"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\wscript.exe.log"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\UsageLogs\\wmic.exe.log"
                    ),
                ]
            ),
            not all(
                [
                    event.deep_get("ParentImage", default="").endswith("\\MsiExec.exe"),
                    " -Embedding" in event.deep_get("ParentCommandLine", default=""),
                    event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                    "Temp" in event.deep_get("CommandLine", default=""),
                    "zzzzInvokeManagedCustomActionOutOfProc"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
