def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("type", default="") == "execve",
                    event.deep_get("a0", default="") == "tcpdump",
                    event.deep_get("a1", default="") == "-c",
                    "-i" in event.deep_get("a3", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("type", default="") == "execve",
                    event.deep_get("a0", default="") == "tshark",
                    event.deep_get("a1", default="") == "-c",
                    event.deep_get("a3", default="") == "-i",
                ]
            ),
        ]
    ):
        return True
    return False
