import re


def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\schtasks.exe"),
                    event.deep_get("OriginalFileName", default="") == "schtasks.exe",
                ]
            ),
            any(
                [
                    "/create" in event.deep_get("CommandLine", default=""),
                    "-create" in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "/xml" in event.deep_get("CommandLine", default=""),
                    "-xml" in event.deep_get("CommandLine", default=""),
                ]
            ),
            not any(
                [
                    ".xml" in event.deep_get("CommandLine", default=""),
                    event.deep_get("IntegrityLevel", default="") in ["System", "S-1-16-16384"],
                    all(
                        [
                            event.deep_get("ParentImage", default="").endswith("\\rundll32.exe"),
                            ":\\WINDOWS\\Installer\\MSI"
                            in event.deep_get("ParentCommandLine", default=""),
                            ".tmp,zzzzInvokeManagedCustomActionOutOfProc"
                            in event.deep_get("ParentCommandLine", default=""),
                        ]
                    ),
                ]
            ),
            not any(
                [
                    re.match(
                        r"^.*:\\ProgramData\\OEM\\UpgradeTool\\CareCenter_.*\\BUnzip\\Setup_msi.exe$",
                        event.deep_get("ParentImage", default=""),
                    ),
                    event.deep_get("ParentImage", default="").endswith(
                        ":\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe"
                    ),
                    event.deep_get("ParentImage", default="").endswith(
                        ":\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe"
                    ),
                    event.deep_get("ParentImage", default="").endswith(
                        ":\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe"
                    ),
                    event.deep_get("ParentImage", default="").endswith(
                        ":\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe"
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
