def rule(event):
    """Flag process events that delete, empty, or replace /var/log/syslog.

    Log-clearing detection (the behaviour catalogued as MITRE ATT&CK
    T1070.002, "Clear Linux or Mac System Logs"). The rule reads two fields
    from the event, ``Image`` and ``CommandLine``, and returns True when any
    of these holds:

    * the command line mentions ``/var/log/syslog`` AND the image is one of
      the file utilities below with its listed arguments
      (rm, unlink, mv, truncate, ln, cp, shred);
    * the command line contains a shell redirection that overwrites
      ``/var/log/syslog``;
    * the command line contains ``journalctl --vacuum`` or
      ``journalctl --rotate``.

    Triage notes:
      * Matching is literal substring / suffix matching on the recorded
        fields, so only the spellings listed here are covered. Pair this
        rule with file-integrity or audit monitoring on the log path for
        coverage that does not depend on the command-line form.
      * ``unlink`` and ``mv`` match on any mention of the syslog path, and
        the journalctl branch is not tied to the syslog path at all, so
        routine log maintenance can fire this rule -- check the parent
        process and the user before escalating.

    Args:
        event: object exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the event matches, otherwise False.
    """
    # Read each field once; a missing field falls back to "".
    cmd = event.deep_get("CommandLine", default="")
    image = event.deep_get("Image", default="")

    def cmd_has(*needles):
        """True if any of the given literals occurs in the command line."""
        return any(needle in cmd for needle in needles)

    def ran(binary_suffix):
        """True if the executing image path ends with the given suffix."""
        return image.endswith(binary_suffix)

    touches_syslog = cmd_has("/var/log/syslog")

    # Each entry is one utility-specific selection. They are only meaningful
    # together with `touches_syslog`, which is applied in the final return.
    utility_selections = (
        # rm: the syslog path is itself one of the accepted alternatives, so
        # once the path requirement holds the flags no longer restrict the
        # match (a plain `rm /var/log/syslog` is also caught).
        ran("/rm") and cmd_has(" -r ", " -f ", " -rf ", "/var/log/syslog"),
        ran("/unlink"),
        ran("/mv"),
        # truncate to size zero via -s / -c / --size
        ran("/truncate")
        and cmd_has("0 ")
        and cmd_has("/var/log/syslog")
        and cmd_has("-s ", "-c ", "--size"),
        # replace the log with a forced symlink to /dev/null
        ran("/ln")
        and cmd_has("/dev/null ")
        and cmd_has("/var/log/syslog")
        and cmd_has("-sf ", "-sfn ", "-sfT "),
        # overwrite the log with /dev/null
        ran("/cp") and cmd_has("/dev/null"),
        # shred and remove
        ran("/shred") and cmd_has("-u "),
    )
    utility_hit = any(utility_selections)

    # Shell redirections that overwrite the log in place.
    redirect_hit = cmd_has(
        " > /var/log/syslog",
        " >/var/log/syslog",
        " >| /var/log/syslog",
        ": > /var/log/syslog",
        ":> /var/log/syslog",
        ":>/var/log/syslog",
        ">|/var/log/syslog",
    )

    # Journal size reduction / rotation.
    journal_hit = cmd_has("journalctl --vacuum", "journalctl --rotate")

    return (touches_syslog and utility_hit) or redirect_hit or journal_hit
