def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 4624,
            event.deep_get("LogonType", default="") == 3,
            event.deep_get("AuthenticationPackageName", default="") == "Kerberos",
            event.deep_get("IpAddress", default="") == "127.0.0.1",
            event.deep_get("TargetUserSid", default="").startswith("S-1-5-21-"),
            event.deep_get("TargetUserSid", default="").endswith("-500"),
            not event.deep_get("IpPort", default="") == "0",
        ]
    ):
        return True
    return False
