def rule(event):
    """Alert on events with a non-empty ContextInfo that match no exclusion.

    The rule is allowlist-driven: it returns True only when ``ContextInfo``
    is non-empty AND none of the exclusion markers below is found. All
    comparisons are plain, case-sensitive substring tests (``in``).

    Args:
        event: Object exposing ``deep_get(*keys, default=...)``; the fields
            ``ContextInfo`` and ``Payload`` are read, defaulting to "".

    Returns:
        bool: True when the event should alert, False otherwise.
    """
    context_info = event.deep_get("ContextInfo", default="")
    payload = event.deep_get("Payload", default="")

    # Markers of the form "= <host>" look like they target a "key = value"
    # line inside ContextInfo - NOTE(review): confirm against the log schema.
    powershell_host_markers = (
        "= powershell",
        "= C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell",
        "= C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell",
        "= C:/Windows/System32/WindowsPowerShell/v1.0/powershell",
        "= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell",
        "= \\\\?\\?\\C:Windows\\System32\\WindowsPowerShell\\v1.0\\powershell",
        "= \\\\?\\?\\C:Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell",
    )

    # Further excluded hosts/tools, also matched against ContextInfo.
    # NOTE(review): matching is case-sensitive, so a differently cased path
    # (e.g. "C:\\Windows" vs "C:\\WINDOWS") is NOT excluded and will alert;
    # expect some false-positive noise from that.
    other_excluded_markers = (
        "= C:\\WINDOWS\\System32\\sdiagnhost.exe -Embedding",
        "ConfigSyncRun.exe",
        "C:\\Windows\\system32\\dsac.exe",
        "C:\\Windows\\system32\\wsmprovhost.exe -Embedding",
    )

    # Help-update activity is excluded based on Payload alone.
    # NOTE(review): this exclusion is independent of the host checks above,
    # so it suppresses the event whatever ContextInfo holds - confirm that
    # this breadth is intended.
    help_update_markers = (
        "Update-Help",
        "Failed to update Help for the module",
    )

    # Both flags are computed before the final decision so that both fields
    # are always inspected, as in the original eager list construction.
    excluded_by_context = any(
        marker in context_info
        for marker in powershell_host_markers + other_excluded_markers
    )
    excluded_by_payload = any(marker in payload for marker in help_update_markers)

    return context_info != "" and not (excluded_by_context or excluded_by_payload)
