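# Absolute paths of shells and utilities that this rule treats as suspicious
# when they appear anywhere in the request URI.
_SUSPICIOUS_BINARIES = (
    "/bin/ash",
    "/bin/bash",
    "/bin/busybox",
    "/bin/dash",
    "/bin/sh",
    "/bin/zsh",
    "/usr/bin/curl",
    "/usr/bin/kubectl",
    "/usr/bin/perl",
    "/usr/bin/python",
    "/usr/bin/wget",
)

# Every path in plain form plus its percent-encoded form ("/" -> "%2f").
# All needles are lowercase because the haystack is lowercased before matching.
_URI_NEEDLES = _SUSPICIOUS_BINARIES + tuple(
    path.replace("/", "%2f") for path in _SUSPICIOUS_BINARIES
)

# Substrings of client user agents that this rule flags (lowercase).
_USER_AGENT_NEEDLES = (
    "access_matrix",
    "trufflehog",
    "azurehound",
    "micro-scanner",
)


def _lowered(value):
    """Return *value* lowercased, or "" when it is not a string."""
    return value.lower() if isinstance(value, str) else ""


def rule(event):
    """Return True for an allowed request that references a shell/utility or a flagged client.

    The event matches when ``responseStatus.code`` equals ``"ALLOW"`` and at
    least one of the following holds:

    * ``requestURI`` contains one of the paths in ``_SUSPICIOUS_BINARIES``,
      either literally or with every ``/`` percent-encoded;
    * ``userAgent`` contains one of the ``_USER_AGENT_NEEDLES`` substrings.

    Args:
        event: Log event exposing ``deep_get(*keys, default=...)``.

    Returns:
        bool: True when the event should raise an alert, otherwise False.
    """
    # NOTE(review): the status is compared exactly against "ALLOW"; confirm the
    # log schema really emits that value (and that casing) in this field.
    if event.deep_get("responseStatus", "code", default="") != "ALLOW":
        return False

    # Percent-encoding hex digits are case-insensitive ("%2F" and "%2f" are the
    # same octet), and user agent casing varies between client versions, so
    # both fields are lowercased before the substring checks. A case-sensitive
    # comparison would silently miss "%2Fbin%2Fbash".
    # Non-string values are treated as empty instead of raising on `in`.
    request_uri = _lowered(event.deep_get("requestURI", default=""))
    if any(needle in request_uri for needle in _URI_NEEDLES):
        return True

    # NOTE(review): only fully plain and fully encoded paths are covered; a URI
    # that encodes some separators but not others is not matched here.
    user_agent = _lowered(event.deep_get("userAgent", default=""))
    return any(needle in user_agent for needle in _USER_AGENT_NEEDLES)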
