def rule(event):
    if all(
        [
            any(
                [
                    "\\Microsoft\\Windows\\PowerShell\\"
                    in event.deep_get("TargetObject", default=""),
                    "\\Microsoft\\PowerShellCore\\" in event.deep_get("TargetObject", default=""),
                ]
            ),
            any(
                [
                    event.deep_get("TargetObject", default="").endswith(
                        "\\ModuleLogging\\EnableModuleLogging"
                    ),
                    event.deep_get("TargetObject", default="").endswith(
                        "\\ScriptBlockLogging\\EnableScriptBlockLogging"
                    ),
                    event.deep_get("TargetObject", default="").endswith(
                        "\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging"
                    ),
                    event.deep_get("TargetObject", default="").endswith(
                        "\\Transcription\\EnableTranscripting"
                    ),
                    event.deep_get("TargetObject", default="").endswith(
                        "\\Transcription\\EnableInvocationHeader"
                    ),
                    event.deep_get("TargetObject", default="").endswith("\\EnableScripts"),
                ]
            ),
            event.deep_get("Details", default="") == "DWORD (0x00000000)",
        ]
    ):
        return True
    return False
