def rule(event):
    if all(
        [
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\Sysmon64.exe"),
                            event.deep_get("Image", default="").endswith("\\Sysmon.exe"),
                        ]
                    ),
                    event.deep_get("Description", default="") == "System activity monitor",
                ]
            ),
            any(
                [
                    "-u" in event.deep_get("CommandLine", default=""),
                    "/u" in event.deep_get("CommandLine", default=""),
                    "–u" in event.deep_get("CommandLine", default=""),
                    "—u" in event.deep_get("CommandLine", default=""),
                    "―u" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
