kql · Elastic-2.0 · from elastic/detection-rules
Suspicious Path Invocation from Command Line
Rule source: rules/linux/execution_unusual_path_invocation_from_command_line.toml
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
process.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and process.args:-c and
process.command_line:*PATH=* and
not (
process.command_line:(*_PATH=* or *PYTHONPATH=* or sh*/run/motd.dynamic.new) or
process.parent.executable:(
"/opt/puppetlabs/puppet/bin/puppet" or /var/lib/docker/overlay2/* or /vz/root/*/dovecot or
"/usr/libexec/dovecot/auth" or /home/*/.local/share/containers/* or /vz/root/*/dovecot/auth or
"/usr/local/bin/ansible-playbook" or "/opt/puppetlabs/puppet/bin/ruby" or /tmp/CVU_19_resource_*/exectask or
"/opt/ds_agent/ds_agent" or "/usr/lib/systemd/systemd" or "/opt/TrendMicro/vls_agent/vls_agent" or
"/opt/Tanium/TaniumClient/TaniumCX"
) or
process.parent.command_line:"runc init" or
process.parent.name:(gmake or sshd or sudo or make or ninja or ninja-build or steam or sshd-session)
)