def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("type", default="") == "PATH",
                    event.deep_get("name", default="")
                    in ["/etc/lsb-release", "/etc/redhat-release", "/etc/issue"],
                ]
            ),
            all(
                [
                    event.deep_get("type", default="") == "EXECVE",
                    event.deep_get("a0", default="")
                    in ["uname", "uptime", "lsmod", "hostname", "env"],
                ]
            ),
            all(
                [
                    event.deep_get("type", default="") == "EXECVE",
                    event.deep_get("a0", default="") == "grep",
                    any(
                        [
                            "vbox" in event.deep_get("a1", default=""),
                            "vm" in event.deep_get("a1", default=""),
                            "xen" in event.deep_get("a1", default=""),
                            "virtio" in event.deep_get("a1", default=""),
                            "hv" in event.deep_get("a1", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    event.deep_get("type", default="") == "EXECVE",
                    event.deep_get("a0", default="") == "kmod",
                    event.deep_get("a1", default="") == "list",
                ]
            ),
        ]
    ):
        return True
    return False
