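def rule(event):
    """Return True for an elevated process whose parent is a relocated winsat.exe.

    All three conditions must hold:

    * ``IntegrityLevel`` is High or System, given either by name or by the
      mandatory-label SID (S-1-16-12288 = High, S-1-16-16384 = System).
    * ``ParentImage`` ends with a ``system32`` folder located under the
      user's ``AppData/Local/Temp`` directory and containing winsat.exe.
    * ``ParentCommandLine`` references winsat.exe under a "Windows " folder
      whose name has a trailing space, i.e. a look-alike of the real Windows
      directory.

    Matching is case-insensitive. Windows paths are not case-sensitive, and
    log pipelines may normalise case, so an exact-case comparison would miss
    events that differ from the literals only in casing.

    NOTE(review): the field names look like Sysmon process-creation fields;
    confirm that the log source feeding this rule populates all three.
    """
    # `or ""` guards against a key that is present but null; str() guards
    # against a non-string value that would otherwise break .endswith()/`in`.
    integrity = str(event.deep_get("IntegrityLevel", default="") or "").lower()
    parent_image = str(event.deep_get("ParentImage", default="") or "").lower()
    parent_cmdline = str(event.deep_get("ParentCommandLine", default="") or "").lower()

    # Only elevated children are of interest: High / System integrity.
    if integrity not in {"high", "system", "s-1-16-16384", "s-1-16-12288"}:
        return False

    # Parent binary runs from a Temp-hosted "system32" folder, not the real one.
    if not parent_image.endswith("\\appdata\\local\\temp\\system32\\winsat.exe"):
        return False

    # The space after "windows" is deliberate: it is the look-alike directory
    # name this rule keys on, not a typo for C:\Windows\system32.
    return "c:\\windows \\system32\\winsat.exe" in parent_cmdline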
