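# Event-log channel / provider names whose presence in a command line marks
# the log being queried as security-relevant. Stored lower-case because all
# matching below is case-insensitive.
_LOG_NAMES = tuple(
    name.lower()
    for name in (
        "Microsoft-Windows-PowerShell",
        "Microsoft-Windows-Security-Auditing",
        "Microsoft-Windows-TerminalServices-LocalSessionManager",
        "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
        "Microsoft-Windows-Windows Defender",
        "PowerShellCore",
        "Security",
        "Windows PowerShell",
    )
)

# Event IDs of interest. "462?" covers the 4620-4629 block; the trailing "?"
# is a single-character wildcard, as are the "?" characters in the templates
# below (they stand in for whichever quote character the caller used).
_EVENT_IDS = ("462?", "4778", "25", "1149", "21", "22")

# The ways the query tools covered here let a caller filter by event ID.
_EVENT_ID_TEMPLATES = (
    "-InstanceId {eid}",
    ".eventid -eq {eid}",
    ".ID -eq {eid}",
    "EventCode=?{eid}?",
    "EventIdentifier=?{eid}?",
    "System[EventID={eid}]",
)

_EVENT_ID_FILTERS = tuple(
    template.format(eid=eid).lower()
    for eid in _EVENT_IDS
    for template in _EVENT_ID_TEMPLATES
)


def _contains(haystack, needle):
    """Return True if *needle* occurs in *haystack*; "?" matches any one character."""
    if "?" not in needle:
        return needle in haystack
    width = len(needle)
    return any(
        all(want in ("?", got) for want, got in zip(needle, haystack[start:start + width]))
        for start in range(len(haystack) - width + 1)
    )


def _contains_any(haystack, needles):
    """Return True if any of *needles* matches somewhere in *haystack*."""
    return any(_contains(haystack, needle) for needle in needles)


def rule(event):
    """Flag process launches that query security-relevant Windows event logs.

    Fires when the command line BOTH
      * names one of the log channels in ``_LOG_NAMES`` or filters on one of
        the event IDs in ``_EVENT_ID_FILTERS``, AND
      * uses a log-query utility: a WMI ``Select ... Win32_NTLogEvent`` query,
        ``wevtutil qe`` / ``query-events``, ``wmic ntevent``, or the
        ``Get-WinEvent`` / ``Get-EventLog`` cmdlets.

    Matching is case-insensitive and "?" in a pattern matches any single
    character. The earlier version compared case-sensitively and treated "?"
    literally, so ``Get-EventLog`` (as normally capitalised) and filters such
    as ``-InstanceId 4624`` never matched.

    Args:
        event: log event exposing ``deep_get(key, default=...)``; the fields
            read are ``CommandLine``, ``Image`` and ``OriginalFileName``.

    Returns:
        True when the event matches, otherwise False.

    NOTE(review): coverage is limited to what appears on the process command
    line. "Security" and the short IDs (21, 22, 25) are broad substrings, so
    expect admin tooling and monitoring agents among the hits - tune with
    parent-process or account context rather than by loosening the patterns.
    """
    # `or ""` guards against a deep_get implementation handing back None for
    # a key that is present but null.
    command_line = (event.deep_get("CommandLine", default="") or "").lower()
    image = (event.deep_get("Image", default="") or "").lower()
    original_name = (event.deep_get("OriginalFileName", default="") or "").lower()

    targets_sensitive_log = _contains_any(command_line, _LOG_NAMES) or _contains_any(
        command_line, _EVENT_ID_FILTERS
    )
    if not targets_sensitive_log:
        return False

    # OriginalFileName comes from the PE version resource, so it still
    # identifies the tool when the binary has been copied under another name.
    is_wevtutil = image.endswith("\\wevtutil.exe") or original_name == "wevtutil.exe"
    is_wmic = image.endswith("\\wmic.exe") or original_name == "wmic.exe"

    wmi_select_query = "select" in command_line and "win32_ntlogevent" in command_line
    wevtutil_query = is_wevtutil and (
        " qe " in command_line or " query-events " in command_line
    )
    wmic_query = is_wmic and " ntevent" in command_line
    powershell_query = "get-winevent " in command_line or "get-eventlog " in command_line

    return wmi_select_query or wevtutil_query or wmic_query or powershell_query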
