def rule(event):
    if any(
        [
            all(
                [
                    any(
                        [
                            ":\\Windows\\Sysmon.exe" in event.deep_get("TargetImage", default=""),
                            ":\\Windows\\Sysmon64.exe" in event.deep_get("TargetImage", default=""),
                        ]
                    ),
                    event.deep_get("GrantedAccess", default="") == "0x1400",
                    not any(
                        [
                            any(
                                [
                                    ":\\Program Files (x86)\\"
                                    in event.deep_get("SourceImage", default=""),
                                    ":\\Program Files\\"
                                    in event.deep_get("SourceImage", default=""),
                                    ":\\Windows\\System32\\"
                                    in event.deep_get("SourceImage", default=""),
                                    ":\\Windows\\SysWOW64\\"
                                    in event.deep_get("SourceImage", default=""),
                                ]
                            ),
                            all(
                                [
                                    ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"
                                    in event.deep_get("SourceImage", default=""),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\MsMpEng.exe"
                                    ),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
            event.deep_get("CallTrace", default="") == "Ente",
        ]
    ):
        return True
    return False
