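def rule(event):
    """Return True when a registry write turns off a Windows Defender setting.

    The event matches when all three conditions hold:

    1. ``TargetObject`` contains one of the Windows Defender registry roots.
    2. ``TargetObject`` ends with a "Disable*" value name and ``Details`` is
       ``DWORD (0x00000001)``, or it ends with a protection-feature value name
       and ``Details`` is ``DWORD (0x00000000)``.
    3. ``Image`` is not the Symantec Endpoint Protection ``sepWscSvc64.exe``
       service binary under its Program Files directory.

    Path comparisons ignore case, because Windows registry and file paths are
    case-insensitive and the logged casing need not match the literals below.
    A missing or null field is treated as an empty string.

    NOTE(review): the field names look like Sysmon registry value-set events;
    confirm the log source this rule is attached to.
    """
    defender_roots = (
        "\\SOFTWARE\\Microsoft\\Windows Defender\\",
        "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\",
        "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
    )
    # Values that switch a protection off when set to 1.
    off_when_one = (
        "\\DisableAntiSpyware",
        "\\DisableAntiVirus",
        "\\DisableBehaviorMonitoring",
        "\\DisableBlockAtFirstSeen",
        "\\DisableEnhancedNotifications",
        "\\DisableIntrusionPreventionSystem",
        "\\DisableIOAVProtection",
        "\\DisableOnAccessProtection",
        "\\DisableRealtimeMonitoring",
        "\\DisableScanOnRealtimeEnable",
        "\\DisableScriptScanning",
    )
    # Values that switch a protection off when set to 0.
    off_when_zero = (
        "\\DisallowExploitProtectionOverride",
        "\\Features\\TamperProtection",
        "\\MpEngine\\MpEnablePus",
        "\\PUAProtection",
        "\\Signature Update\\ForceUpdateFromMU",
        "\\SpyNet\\SpynetReporting",
        "\\SpyNet\\SubmitSamplesConsent",
        "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess",
    )

    # Read each field once; `or ""` also covers a field that is present but null.
    target = (event.deep_get("TargetObject", default="") or "").lower()
    if not any(root.lower() in target for root in defender_roots):
        return False

    # Details is compared exactly: it is the logged value rendering, not a path.
    details = event.deep_get("Details", default="") or ""
    if details == "DWORD (0x00000001)":
        value_names = off_when_one
    elif details == "DWORD (0x00000000)":
        value_names = off_when_zero
    else:
        return False
    if not target.endswith(tuple(name.lower() for name in value_names)):
        return False

    # Exclusion for the Symantec Endpoint Protection service. It relies on the
    # Image path string alone; the binary's signer is not checked here.
    image = (event.deep_get("Image", default="") or "").lower()
    written_by_sep = image.startswith(
        "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\".lower()
    ) and image.endswith("\\sepWscSvc64.exe".lower())
    return not written_by_sep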
