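# Registry key path fragments, as they appear on a reg.exe command line, that
# hold Windows Defender configuration.
_DEFENDER_KEY_PATHS = (
    "SOFTWARE\\Microsoft\\Windows Defender\\",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
)

# Value names matched together with a data argument of 0.
_VALUES_SET_TO_ZERO = (
    "DisallowExploitProtectionOverride",
    "EnableControlledFolderAccess",
    "MpEnablePus",
    "PUAProtection",
    "SpynetReporting",
    "SubmitSamplesConsent",
    "TamperProtection",
)

# Value names matched together with a data argument of 1.
_VALUES_SET_TO_ONE = (
    "DisableAccess",
    "DisableAntiSpyware",
    "DisableAntiSpywareRealtimeProtection",
    "DisableAntiVirus",
    "DisableAntiVirusSignatures",
    "DisableArchiveScanning",
    "DisableBehaviorMonitoring",
    "DisableBlockAtFirstSeen",
    "DisableCloudProtection",
    "DisableConfig",
    "DisableEnhancedNotifications",
    "DisableIntrusionPreventionSystem",
    "DisableIOAVProtection",
    "DisableNetworkProtection",
    "DisableOnAccessProtection",
    "DisablePrivacyMode",
    "DisableRealtimeMonitoring",
    "DisableRoutinelyTakingAction",
    "DisableScanOnRealtimeEnable",
    "DisableScriptScanning",
    "DisableSecurityCenter",
    "Notification_Suppress",
    "SignatureDisableUpdateOnStartupWithoutEngine",
)


def _contains_any(haystack, needles):
    """Return True if any needle occurs in the already-lowercased haystack."""
    return any(needle.lower() in haystack for needle in needles)


def rule(event):
    """Flag reg.exe command lines that weaken Windows Defender via the registry.

    The event matches when all three conditions hold:

    1. The process is reg.exe, judged by the ``Image`` path suffix or by the
       ``OriginalFileName`` field (the latter still matches a renamed copy).
    2. ``CommandLine`` references one of the Windows Defender key paths.
    3. ``CommandLine`` contains `` add `` plus either a "d 0" data argument
       with one of the ``_VALUES_SET_TO_ZERO`` names, or a "d 1" data argument
       with one of the ``_VALUES_SET_TO_ONE`` names.

    Matching is case-insensitive. Windows resolves executable names, registry
    paths, value names and reg.exe verbs without regard to case, so an
    exact-case comparison would let ``REG.EXE ADD ...`` or a lower-cased key
    path slip past the rule.

    Coverage note: only reg.exe process events are inspected. The same
    registry values changed through other tooling need their own detection
    (for example registry-modification telemetry).

    Args:
        event: Log event exposing ``deep_get(key, default=...)``. The field
            names look like Sysmon-style process-creation fields; confirm
            against the log source this rule is attached to.

    Returns:
        bool: True when the event matches, otherwise False.
    """
    # `or ""` also covers a field that is present but null, so the rule
    # returns False instead of raising on malformed events.
    image = (event.deep_get("Image", default="") or "").lower()
    original_name = (event.deep_get("OriginalFileName", default="") or "").lower()
    command_line = (event.deep_get("CommandLine", default="") or "").lower()

    is_reg_exe = image.endswith("\\reg.exe") or original_name == "reg.exe"
    if not is_reg_exe:
        return False

    if not _contains_any(command_line, _DEFENDER_KEY_PATHS):
        return False

    if " add " not in command_line:
        return False

    # "d 0" / "d 1" are loose substring matches for the `/d <data>` argument;
    # kept as-is so existing true positives are unchanged.
    turns_protection_off = "d 0" in command_line and _contains_any(
        command_line, _VALUES_SET_TO_ZERO
    )
    turns_disable_flag_on = "d 1" in command_line and _contains_any(
        command_line, _VALUES_SET_TO_ONE
    )
    return turns_protection_off or turns_disable_flag_on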
