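# Directory fragment that scopes the rule; stored lower-case because Windows
# paths are case-insensitive and every comparison below is done on lower-cased
# field values.
_CODE_INTEGRITY_DIR = "\\Windows\\System32\\CodeIntegrity\\".lower()

# Process images excluded from alerting, matched as suffixes of the Image field.
# NOTE(review): the first two entries match on file name only (any directory),
# which is a weaker exclusion than the full-path entries; tighten if the
# expected install locations are known.
_EXCLUDED_IMAGE_SUFFIXES = tuple(
    suffix.lower()
    for suffix in (
        "\\Microsoft.ConfigurationManagement.exe",
        "\\WDAC Wizard.exe",
        "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
        "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "C:\\Windows\\System32\\dllhost.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "C:\\Windows\\SysWOW64\\dllhost.exe",
        "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    )
)

# Process images excluded from alerting, matched against the whole Image field.
_EXCLUDED_IMAGES_EXACT = frozenset(
    image.lower()
    for image in (
        "System",
        "C:\\Windows\\System32\\wuauclt.exe",
        "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe",
        "C:\\Windows\\UUS\\Packages\\Preview\\arm64\\wuaucltcore.exe",
    )
)

# Command-line exclusions: an event is excluded when every fragment of any one
# group occurs in CommandLine.
# NOTE(review): these exclusions do not constrain Image, so they rest on
# command-line text alone; consider pairing them with the image allow-list.
_EXCLUDED_COMMAND_LINE_GROUPS = tuple(
    tuple(fragment.lower() for fragment in group)
    for group in (
        ("ConvertFrom-CIPolicy -XmlFilePath", "-BinaryFilePath "),
        ("CiTool --update-policy",),
        ("Copy-Item -Path", "-Destination"),
    )
)


def rule(event):
    """Flag writes under ``\\Windows\\System32\\CodeIntegrity\\`` by unlisted processes.

    Returns True when ``TargetFilename`` contains the CodeIntegrity directory
    fragment and the event matches none of the exclusions: an allow-listed
    ``Image`` (suffix or exact match) or an allow-listed ``CommandLine``
    fragment group. All comparisons are case-insensitive, because Windows path
    lookups are; a case-sensitive match would miss a differently-cased target
    path and would fail to exclude a differently-cased allow-listed image.

    Args:
        event: Object exposing ``deep_get(key, default=...)``. Presumably a
            Sysmon-style file event; confirm against the log source.

    Returns:
        bool: True if the event should alert, False otherwise.
    """

    def field(name):
        # Missing keys fall back to ""; a present-but-non-string value (for
        # example None) is also treated as empty instead of raising.
        value = event.deep_get(name, default="")
        return value.lower() if isinstance(value, str) else ""

    # Selection: only events that touch the CodeIntegrity directory are in scope.
    if _CODE_INTEGRITY_DIR not in field("TargetFilename"):
        return False

    # Exclusion 1: known writers identified by process image.
    image = field("Image")
    if image in _EXCLUDED_IMAGES_EXACT or image.endswith(_EXCLUDED_IMAGE_SUFFIXES):
        return False

    # Exclusion 2: known policy-management command lines.
    command_line = field("CommandLine")
    return not any(
        all(fragment in command_line for fragment in group)
        for group in _EXCLUDED_COMMAND_LINE_GROUPS
    )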
