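def rule(event):
    """Detect a registry write that turns off Sophos tamper protection.

    Matches when the event's ``TargetObject`` contains one of the Sophos
    tamper-protection value paths listed below and its ``Details`` field is
    exactly ``DWORD (0x00000000)``.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if the event matches, False otherwise.
    """
    tamper_protection_paths = (
        "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled",
        "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled",
        "\\Sophos\\SAVService\\TamperProtection\\Enabled",
    )

    # Presumably the log source's rendering of a DWORD value of 0 (setting
    # disabled); kept as an exact match -- confirm against the log source.
    if event.deep_get("Details", default="") != "DWORD (0x00000000)":
        return False

    target = event.deep_get("TargetObject", default="")
    # A present-but-null or non-string field cannot match; return False rather
    # than raising TypeError on the substring test and losing the evaluation.
    if not isinstance(target, str):
        return False

    # Windows registry key and value names are case-insensitive, so the same
    # write can be logged with different casing. Compare lowercased strings so
    # a casing difference does not cause a missed detection.
    target_lower = target.lower()
    return any(path.lower() in target_lower for path in tamper_protection_paths)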
