def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 4662,
            event.deep_get("AccessMask", default="") == "0x100",
            any(
                [
                    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
                    in event.deep_get("Properties", default=""),
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
                    in event.deep_get("Properties", default=""),
                    "89e95b76-444d-4c62-991a-0facbeda640c"
                    in event.deep_get("Properties", default=""),
                ]
            ),
            not any(
                [
                    event.deep_get("SubjectUserName", default="").endswith("$"),
                    event.deep_get("SubjectUserName", default="").startswith("MSOL_"),
                ]
            ),
        ]
    ):
        return True
    return False
