def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 5136,
            event.deep_get("AttributeLDAPDisplayName", default="") == "ntSecurityDescriptor",
            any(
                [
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
                    in event.deep_get("AttributeValue", default=""),
                    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
                    in event.deep_get("AttributeValue", default=""),
                    "89e95b76-444d-4c62-991a-0facbeda640c"
                    in event.deep_get("AttributeValue", default=""),
                ]
            ),
            not event.deep_get("ObjectClass", default="") in ["dnsNode", "dnsZoneScope", "dnsZone"],
        ]
    ):
        return True
    return False
