def rule(event):
    if all(
        [
            event.deep_get("PipeName", default="") == "\\MICROSOFT##WID\\tsql\\query",
            not any(
                [
                    event.deep_get("Image", default="").endswith(":\\Windows\\System32\\mmc.exe"),
                    event.deep_get("Image", default="").endswith(
                        ":\\Windows\\system32\\svchost.exe"
                    ),
                    event.deep_get("Image", default="").endswith(
                        ":\\Windows\\System32\\wsmprovhost.exe"
                    ),
                    event.deep_get("Image", default="").endswith(":\\Windows\\SysWOW64\\mmc.exe"),
                    event.deep_get("Image", default="").endswith(
                        ":\\Windows\\SysWOW64\\wsmprovhost.exe"
                    ),
                    event.deep_get("Image", default="").endswith(
                        ":\\Windows\\WID\\Binn\\sqlwriter.exe"
                    ),
                    event.deep_get("Image", default="").endswith("\\AzureADConnect.exe"),
                    event.deep_get("Image", default="").endswith(
                        "\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe"
                    ),
                    event.deep_get("Image", default="").endswith(
                        "\\Microsoft.IdentityServer.ServiceHost.exe"
                    ),
                    event.deep_get("Image", default="").endswith("\\Microsoft.Tri.Sensor.exe"),
                    event.deep_get("Image", default="").endswith("\\sqlservr.exe"),
                    event.deep_get("Image", default="").endswith("\\tssdis.exe"),
                ]
            ),
        ]
    ):
        return True
    return False
