def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\wscript.exe"),
                    event.deep_get("Image", default="").endswith("\\cscript.exe"),
                ]
            ),
            "." in event.deep_get("QueryName", default=""),
            not event.deep_get("QueryName", default="") == "%internal_domains%",
            not any(
                [
                    event.deep_get("QueryName", default="")
                    in [
                        "crl.starfieldtech.com",
                        "ocsp.usertrust.com",
                        "officecdn.microsoft.com",
                        "oneocsp.microsoft.com",
                        "oscp.comodoca.com",
                        "oscp.sectigo.com",
                        "oscp.starfieldtech.com",
                        "www.python.org",
                    ],
                    any(
                        [
                            event.deep_get("QueryName", default="").endswith(".digicert.com"),
                            event.deep_get("QueryName", default="").endswith(".entrust.net"),
                            event.deep_get("QueryName", default="").endswith(".globalsign.net"),
                            event.deep_get("QueryName", default="").endswith(".verisign.com"),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
