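# Event IDs that select the event, as text, so a log source that delivers
# EventID as a string ("4663") is handled the same way as one that delivers an int.
_HANDLE_EVENT_IDS = frozenset({"4663", "4656"})

# Access-mask renderings that select the event, stored lower-case. The values
# are exactly the ones the rule lists, including the forms without a "0x" prefix.
_LSASS_ACCESS_MASKS = frozenset(
    {
        "0x100000",
        "0x1010",
        "0x1400",
        "0x1410",
        "0x1418",
        "0x1438",
        "0x143a",
        "0x1f0fff",
        "0x1f1fff",
        "0x1f2fff",
        "0x1f3fff",
        "0x40",
        "143a",
        "1f0fff",
        "1f1fff",
        "1f2fff",
        "1f3fff",
    }
)


def _text(event, key):
    """Return the event field *key* as a string ("" when missing or None)."""
    value = event.deep_get(key, default="")
    if value is None:
        return ""
    return value if isinstance(value, str) else str(value)


def rule(event):
    """Return True for a handle/access event on the lsass.exe process object.

    Selection (all must hold):
      * EventID is 4663 or 4656 (int or numeric string),
      * AccessMask is one of the listed masks,
      * ObjectType is "Process",
      * ObjectName ends with "\\lsass.exe".

    Filters (any one suppresses the alert):
      * SubjectUserName ends with "$",
      * ProcessName contains ":\\Program Files\\" or ":\\Program Files (x86)\\",
      * ProcessName is exactly C:\\Windows\\System32\\wbem\\WmiPrvSE.exe and
        AccessMask is exactly "0x1410",
      * ProcessName contains "\\SteamLibrary\\steamapps\\".

    Args:
        event: object exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the event is selected and no filter applies.
    """
    # Guard clauses short-circuit, so later fields are only read (and only
    # need to be well-formed) for events that passed the earlier checks.
    event_id = event.deep_get("EventID", default="")
    if event_id not in (4663, 4656) and str(event_id).strip() not in _HANDLE_EVENT_IDS:
        return False

    access_mask = _text(event, "AccessMask")
    # Selection fields are compared case-insensitively: Windows paths and hex
    # renderings are not case-significant, and a case mismatch here would
    # silently drop the alert.
    if access_mask.lower() not in _LSASS_ACCESS_MASKS:
        return False
    if _text(event, "ObjectType") != "Process":
        return False
    if not _text(event, "ObjectName").lower().endswith("\\lsass.exe"):
        return False

    # Filters below keep their exact, case-sensitive comparisons so that this
    # change never suppresses an event the rule previously alerted on.
    # NOTE(review): the path filters match substrings of the reported
    # ProcessName, so they suppress alerts for any image whose path contains
    # them; confirm each exclusion is still needed in this environment.
    if _text(event, "SubjectUserName").endswith("$"):
        return False

    process_name = _text(event, "ProcessName")
    if ":\\Program Files\\" in process_name or ":\\Program Files (x86)\\" in process_name:
        return False
    if process_name == "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and access_mask == "0x1410":
        return False

    return "\\SteamLibrary\\steamapps\\" not in process_name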
