def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 4656,
            event.deep_get("ProcessName", default="").endswith("\\lsass.exe"),
            event.deep_get("AccessMask", default="") == "0x705",
            event.deep_get("ObjectType", default="") == "SAM_DOMAIN",
        ]
    ):
        return True
    return False
