def rule(event):
    if all(
        [
            "\\Local\\Microsoft\\Windows\\SchCache\\"
            in event.deep_get("TargetFilename", default=""),
            event.deep_get("TargetFilename", default="").endswith(".sch"),
            not any(
                [
                    any(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").endswith(
                                        ":\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        ":\\Windows\\CCM\\CcmExec.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        ":\\windows\\system32\\dllhost.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        ":\\Windows\\system32\\dsac.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        ":\\Windows\\system32\\efsui.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        ":\\windows\\system32\\mmc.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        ":\\windows\\system32\\svchost.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        ":\\Windows\\System32\\wbem\\WmiPrvSE.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        ":\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"
                                    ),
                                ]
                            ),
                            any(
                                [
                                    ":\\Windows\\ccmsetup\\autoupgrade\\ccmsetup"
                                    in event.deep_get("Image", default=""),
                                    ":\\Program Files\\SentinelOne\\Sentinel Agent"
                                    in event.deep_get("Image", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            ":\\Program Files\\" in event.deep_get("Image", default=""),
                            "\\Microsoft Office" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\OUTLOOK.EXE"),
                        ]
                    ),
                ]
            ),
            not any(
                [
                    event.deep_get("Image", default="").endswith(
                        "\\LANDesk\\LDCLient\\ldapwhoami.exe"
                    ),
                    event.deep_get("Image", default="").endswith(
                        ":\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe"
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
