def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 4662,
            any(
                [
                    "Replicating Directory Changes All" in event.deep_get("Properties", default=""),
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
                    in event.deep_get("Properties", default=""),
                    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
                    in event.deep_get("Properties", default=""),
                    "9923a32a-3607-11d2-b9be-0000f87a36b2"
                    in event.deep_get("Properties", default=""),
                    "89e95b76-444d-4c62-991a-0facbeda640c"
                    in event.deep_get("Properties", default=""),
                ]
            ),
            event.deep_get("AccessMask", default="") == "0x100",
            not any(
                [
                    event.deep_get("SubjectDomainName", default="") == "Window Manager",
                    any(
                        [
                            event.deep_get("SubjectUserName", default="").startswith("NT AUT"),
                            event.deep_get("SubjectUserName", default="").startswith("MSOL_"),
                        ]
                    ),
                    event.deep_get("SubjectUserName", default="").endswith("$"),
                ]
            ),
        ]
    ):
        return True
    return False
