def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("Image", default="") == "/usr/bin/security",
                    any(
                        [
                            "find-certificate" in event.deep_get("CommandLine", default=""),
                            " export " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    " dump-keychain " in event.deep_get("CommandLine", default=""),
                    " login-keychain " in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
