def rule(event):
    if all(
        [
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\powershell_ise.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                            event.deep_get("Image", default="").endswith("\\cmd.exe"),
                        ]
                    ),
                    event.deep_get("OriginalFileName", default="")
                    in ["PowerShell.EXE", "powershell_ise.EXE", "pwsh.dll", "Cmd.Exe"],
                ]
            ),
            any(
                [
                    "AUTHORI" in event.deep_get("User", default=""),
                    "AUTORI" in event.deep_get("User", default=""),
                ]
            ),
            event.deep_get("LogonId", default="") == "0x3e7",
            not any(
                [
                    any(
                        [
                            ":\\Program Files (x86)\\" in event.deep_get("ParentImage", default=""),
                            ":\\Program Files\\" in event.deep_get("ParentImage", default=""),
                            ":\\ProgramData\\" in event.deep_get("ParentImage", default=""),
                            ":\\Windows\\System32\\" in event.deep_get("ParentImage", default=""),
                            ":\\Windows\\SysWOW64\\" in event.deep_get("ParentImage", default=""),
                            ":\\Windows\\Temp\\" in event.deep_get("ParentImage", default=""),
                            ":\\Windows\\WinSxS\\" in event.deep_get("ParentImage", default=""),
                        ]
                    ),
                    event.deep_get("ParentImage", default="") == "",
                    event.deep_get("ParentImage", default="") in ["", "-"],
                ]
            ),
            not any(
                [
                    all(
                        [
                            event.deep_get("ParentImage", default="").endswith(
                                ":\\ManageEngine\\ADManager Plus\\pgsql\\bin\\postgres.exe"
                            ),
                            event.deep_get("Image", default="").endswith("\\cmd.exe"),
                        ]
                    ),
                    all(
                        [
                            ':\\WINDOWS\\system32\\cmd.exe /c "'
                            in event.deep_get("CommandLine", default=""),
                            ":\\WINDOWS\\Temp\\asgard2-agent\\"
                            in event.deep_get("CurrentDirectory", default=""),
                        ]
                    ),
                    all(
                        [
                            ":\\IBM\\SpectrumProtect\\webserver\\scripts\\"
                            in event.deep_get("ParentImage", default=""),
                            ":\\IBM\\SpectrumProtect\\webserver\\scripts\\"
                            in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
