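def _lowered(*values):
    """Return *values* lower-cased so they can be compared case-insensitively."""
    return tuple(value.lower() for value in values)


# Windows file paths are case-insensitive, so every literal below is compared
# in lower case. Matching them case-sensitively lets a casing difference in the
# telemetry (C:\WINDOWS vs C:\Windows) either hide a load or defeat an exclusion.

# Markers that identify the PowerShell engine assembly being loaded.
_ENGINE_DESCRIPTION = "System.Management.Automation".lower()
_ENGINE_ORIGINAL_NAME = "System.Management.Automation.dll".lower()
_ENGINE_DLL_SUFFIXES = _lowered(
    "\\System.Management.Automation.dll",
    "\\System.Management.Automation.ni.dll",
)

# PowerShell hosts, matched on the exact image path.
_POWERSHELL_IMAGES = frozenset(
    _lowered(
        "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
        "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    )
)

# PowerShell Preview installed as a packaged app: path marker plus pwsh.exe.
_PREVIEW_MARKERS = _lowered(
    "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview",
    "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview",
)
_PREVIEW_SUFFIX = "\\pwsh.exe"

# System binaries excluded by exact image path.
_SYSTEM_IMAGES = frozenset(
    _lowered(
        "C:\\Windows\\System32\\dsac.exe",
        "C:\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe",
        "C:\\Windows\\System32\\runscripthelper.exe",
        "C:\\WINDOWS\\System32\\sdiagnhost.exe",
        "C:\\Windows\\System32\\ServerManager.exe",
        "C:\\Windows\\System32\\SyncAppvPublishingServer.exe",
        "C:\\Windows\\System32\\winrshost.exe",
        "C:\\Windows\\System32\\wsmprovhost.exe",
        "C:\\Windows\\SysWOW64\\winrshost.exe",
        "C:\\Windows\\SysWOW64\\wsmprovhost.exe",
    )
)

# mscorsvw.exe under any of the .NET Framework directories.
_DOTNET_PREFIXES = _lowered(
    "C:\\Windows\\Microsoft.NET\\Framework\\",
    "C:\\Windows\\Microsoft.NET\\FrameworkArm\\",
    "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\",
    "C:\\Windows\\Microsoft.NET\\Framework64\\",
)
_DOTNET_SUFFIX = "\\mscorsvw.exe"

# Third-party and optional software excluded by path.
# NOTE(review): these exclusions look only at the Image path, so they trust
# where a process runs from rather than what the binary is. Several are broad
# prefix matches. If the pipeline exposes signer or hash fields, consider
# pairing them with these paths, and drop entries for software that is not
# deployed in the monitored environment.
_SSMS_PREFIXES = _lowered(
    "C:\\Program Files (x86)\\Microsoft SQL Server Management Studio",
    "C:\\Program Files\\Microsoft SQL Server Management Studio",
)
_SSMS_SUFFIX = "\\IDE\\Ssms.exe".lower()
_SQLPS_PREFIXES = _lowered(
    "C:\\Program Files (x86)\\Microsoft SQL Server\\",
    "C:\\Program Files\\Microsoft SQL Server\\",
)
_SQLPS_SUFFIX = "\\Tools\\Binn\\SQLPS.exe".lower()
_CITRIX_SUFFIX = "\\Citrix\\ConfigSync\\ConfigSyncRun.exe".lower()
_VISUAL_STUDIO_PREFIXES = _lowered(
    "C:\\Program Files (x86)\\Microsoft Visual Studio\\",
    "C:\\Program Files\\Microsoft Visual Studio\\",
)
_CHOCO_PREFIX = "C:\\ProgramData\\chocolatey\\choco.exe".lower()
_THOR_PREFIX = "C:\\Windows\\Temp\\asgard2-agent\\".lower()
_THOR_SUFFIXES = _lowered("\\thor64.exe", "\\thor.exe")


def rule(event):
    """Flag a PowerShell engine DLL loaded by a process that is not an expected host.

    The event matches when Description, OriginalFileName or ImageLoaded
    identifies System.Management.Automation and the loading Image is neither
    on the built-in host allowlist nor on the optional third-party allowlist.
    Events with an empty Image are not flagged.

    All comparisons are case-insensitive. A field that is missing or is not a
    string is treated as empty.

    Args:
        event: Object exposing ``deep_get(key, default=...)``. The field names
            suggest image-load telemetry; confirm against the log source.

    Returns:
        True when the load should raise an alert, otherwise False.
    """

    def text(key):
        # Normalise once per field: a non-string value behaves as empty.
        value = event.deep_get(key, default="")
        return value.lower() if isinstance(value, str) else ""

    engine_loaded = (
        text("Description") == _ENGINE_DESCRIPTION
        or text("OriginalFileName") == _ENGINE_ORIGINAL_NAME
        or text("ImageLoaded").endswith(_ENGINE_DLL_SUFFIXES)
    )
    if not engine_loaded:
        return False

    image = text("Image")
    if not image:
        # Without a loading image there is nothing to triage.
        return False

    expected_host = (
        image in _POWERSHELL_IMAGES
        or image in _SYSTEM_IMAGES
        or (
            image.endswith(_PREVIEW_SUFFIX)
            and any(marker in image for marker in _PREVIEW_MARKERS)
        )
        or (image.startswith(_DOTNET_PREFIXES) and image.endswith(_DOTNET_SUFFIX))
    )
    if expected_host:
        return False

    known_third_party = (
        (image.startswith(_SSMS_PREFIXES) and image.endswith(_SSMS_SUFFIX))
        or (image.startswith(_SQLPS_PREFIXES) and image.endswith(_SQLPS_SUFFIX))
        or image.endswith(_CITRIX_SUFFIX)
        or image.startswith(_VISUAL_STUDIO_PREFIXES)
        or image.startswith(_CHOCO_PREFIX)
        or (image.startswith(_THOR_PREFIX) and image.endswith(_THOR_SUFFIXES))
    )
    return not known_third_party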
