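def rule(event):
    """Return True when a security-relevant scheduled task is deleted or disabled.

    Matches Windows Security events 4699 (scheduled task deleted) and 4701
    (scheduled task disabled) whose TaskName contains one of the protected
    path fragments below (System Restore, Windows Defender, BitLocker,
    Windows Backup, Windows Update, Update Orchestrator, Exploit Guard).

    One case is excluded: a 4699 deletion of a Windows Defender task where
    SubjectUserName ends with "$".

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if the event should raise an alert, otherwise False.

    Notes for maintainers:
        * The "$" suffix is only a naming convention for machine accounts, so
          the exclusion trusts an account name. If the log source carries a
          subject SID field, confirming a well-known system SID there would
          make the exclusion stricter -- TODO confirm field availability.
        * The rule never fires if the host does not emit 4699/4701 at all;
          verify the relevant object-access auditing is enabled on the fleet.
    """
    raw_event_id = event.deep_get("EventID", default="")
    # EventID can arrive as an int or as a numeric string depending on the
    # parser; accept both so a schema difference does not silently blind
    # the rule. The raw comparison is kept so numeric types still match.
    event_id_text = str(raw_event_id).strip()
    is_task_deleted = raw_event_id == 4699 or event_id_text == "4699"
    is_task_disabled = raw_event_id == 4701 or event_id_text == "4701"
    if not (is_task_deleted or is_task_disabled):
        return False

    raw_task_name = event.deep_get("TaskName", default="")
    # Treat null / non-string values as "no task name" instead of raising.
    # Matching is case-insensitive so a differently-cased TaskName in the log
    # is still recognised.
    task_name = raw_task_name.lower() if isinstance(raw_task_name, str) else ""

    defender_fragment = "\\windows\\windows defender\\"
    protected_fragments = (
        "\\windows\\systemrestore\\sr",
        defender_fragment,
        "\\windows\\bitlocker",
        "\\windows\\windowsbackup\\",
        "\\windows\\windowsupdate\\",
        "\\windows\\updateorchestrator\\schedule",
        "\\windows\\exploitguard",
    )
    if not any(fragment in task_name for fragment in protected_fragments):
        return False

    raw_subject = event.deep_get("SubjectUserName", default="")
    subject_user = raw_subject if isinstance(raw_subject, str) else ""

    # Exclusion: Defender task deleted (4699 only) by an account whose name
    # ends in "$". Disabling (4701) a Defender task is still reported.
    excluded = (
        is_task_deleted
        and subject_user.endswith("$")
        and defender_fragment in task_name
    )
    return not excluded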
