def rule(event):
    """Return True when /usr/bin/grep is run against a watched agent name.

    The event matches when its ``Image`` field is exactly ``/usr/bin/grep``
    and its ``CommandLine`` field contains either one of the agent names
    listed below, or both of the words "Little" and "Snitch".

    NOTE(review): the listed names look like endpoint-security, logging and
    monitoring agents, so this reads as a security-software-discovery
    detection (ATT&CK T1518.001) -- confirm against the rule metadata.
    Matching is case-sensitive and tied to one exact binary path, so health
    checks or admin scripts that grep for these agents will also fire; triage
    on the parent process and user before escalating.
    """
    image = event.deep_get("Image", default="")
    command_line = event.deep_get("CommandLine", default="")

    # Agent names for which a single substring hit is sufficient.
    watched_names = (
        "nessusd",
        "santad",
        "CbDefense",
        "falcond",
        "td-agent",
        "packetbeat",
        "filebeat",
        "auditbeat",
        "osqueryd",
        "BlockBlock",
        "LuLu",
    )
    names_single_agent = any(name in command_line for name in watched_names)

    # The two-word product name must have both words present, in any order.
    names_little_snitch = "Little" in command_line and "Snitch" in command_line

    if image == "/usr/bin/grep" and (names_single_agent or names_little_snitch):
        return True
    return False
