def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("EventID", default="") == 5136,
                    event.deep_get("AttributeLDAPDisplayName", default="")
                    in ["gPCMachineExtensionNames", "gPCUserExtensionNames"],
                    any(
                        [
                            "CAB54552-DEEA-4691-817E-ED4A4D1AFC72"
                            in event.deep_get("AttributeValue", default=""),
                            "AADCED64-746C-4633-A97C-D61349046527"
                            in event.deep_get("AttributeValue", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    event.deep_get("EventID", default="") == 5145,
                    event.deep_get("ShareName", default="").endswith("\\SYSVOL"),
                    event.deep_get("RelativeTargetName", default="").endswith("ScheduledTasks.xml"),
                    any(
                        [
                            "WriteData" in event.deep_get("AccessList", default=""),
                            "%%4417" in event.deep_get("AccessList", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
