def rule(event):
    if any(
        [
            "[System.Environment]::UserName" in event.deep_get("ScriptBlockText", default=""),
            "$env:UserName" in event.deep_get("ScriptBlockText", default=""),
            "[System.Security.Principal.WindowsIdentity]::GetCurrent()"
            in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
