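# Registry key fragments identifying Sysmon's ETW publisher registration and its
# event-log channel. Stored lower-case: Windows registry paths are
# case-insensitive, so the comparison below is done on a lower-cased ObjectName.
_SYSMON_KEY_FRAGMENTS = (
    "winevt\\publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "winevt\\channels\\microsoft-windows-sysmon/operational",
)

_EVENT_REGISTRY_VALUE_MODIFIED = 4657
_EVENT_OBJECT_ACCESS = 4663
_ACCESS_MASK_DELETE = 0x10000


def _equals_int(value, expected):
    """Return True when *value* equals *expected*, whether logged as an int or as text.

    Strings are parsed with base auto-detection, so "4657", "0" and "0x10000"
    are all accepted. Anything unparsable simply does not match.
    """
    if isinstance(value, str):
        try:
            return int(value, 0) == expected
        except ValueError:
            return False
    return value == expected


def _lowered(value):
    """Return *value* lower-cased if it is a string, otherwise an empty string."""
    return value.lower() if isinstance(value, str) else ""


def rule(event):
    """Detect tampering with the registry keys that wire Sysmon into the event log.

    Fires on a Windows Security event whose ObjectName references the Sysmon
    publisher GUID key or the Microsoft-Windows-Sysmon/Operational channel key
    when either:

    * EventID 4657 (registry value modified) sets the "Enabled" value to 0, or
    * EventID 4663 (object access) carries AccessMask 0x10000 (DELETE).

    Field values are normalised before comparison so the rule still matches
    when the log pipeline delivers numbers as strings or changes the casing of
    the registry path; a case- or type-strict comparison would miss those
    events and leave a blind spot in Sysmon-tampering coverage.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the event matches one of the two conditions above.
    """
    # NOTE(review): 4657/4663 are only emitted when registry object-access
    # auditing and a SACL cover these keys - confirm that coverage on the
    # monitored hosts, otherwise this rule stays silent.
    event_id = event.deep_get("EventID", default="")
    is_value_change = _equals_int(event_id, _EVENT_REGISTRY_VALUE_MODIFIED)
    is_object_access = _equals_int(event_id, _EVENT_OBJECT_ACCESS)
    if not (is_value_change or is_object_access):
        return False

    # A missing or non-string ObjectName cannot reference the Sysmon keys.
    object_name = _lowered(event.deep_get("ObjectName", default=""))
    if not any(fragment in object_name for fragment in _SYSMON_KEY_FRAGMENTS):
        return False

    if is_value_change:
        value_name = _lowered(event.deep_get("ObjectValueName", default=""))
        return value_name == "enabled" and _equals_int(
            event.deep_get("NewValue", default=""), 0
        )

    # NOTE(review): exact match on the mask, as in the original rule; an access
    # mask that combines DELETE with other rights will not match - confirm
    # whether a bitwise test is wanted.
    return _equals_int(event.deep_get("AccessMask", default=""), _ACCESS_MASK_DELETE)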
