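def rule(event):
    """Flag process-access events that open lsass.exe with dump-capable rights.

    The event matches when all of the following hold:
      * ``TargetImage`` ends with ``\\lsass.exe``;
      * ``GrantedAccess`` contains one of the listed access-mask strings;
      * ``CallTrace`` references one of the listed system/debug-helper DLLs;
      * ``SourceUser`` does not contain ``AUTHORI`` / ``AUTORI``;
      * the event is not one of the two known-benign patterns (the THOR
        scanner launched from the asgard2-agent directory, or Sysmon64.exe).

    All comparisons are case-insensitive. Windows paths and module names are
    not case-sensitive, and the casing of hex access masks and of DLL names in
    a call trace can differ between hosts and sensor versions, so an
    exact-case match would silently miss otherwise identical events.

    Args:
        event: Object exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the event should raise an alert, False otherwise.
    """

    def field(name):
        # Missing and null values both become "", so the substring tests
        # below never raise on a sparse event.
        return str(event.deep_get(name, default="") or "").lower()

    target_image = field("TargetImage")
    granted_access = field("GrantedAccess")
    call_trace = field("CallTrace")
    source_user = field("SourceUser")
    source_image = field("SourceImage")

    if not target_image.endswith("\\lsass.exe"):
        return False

    # Substring match: "0x1038" also matches longer masks such as "0x103800",
    # which is why the THOR exclusion below pins that exact value.
    access_masks = ("0x1038", "0x1438", "0x143a", "0x1fffff")
    if not any(mask in granted_access for mask in access_masks):
        return False

    # NOTE(review): ntdll.dll is expected in most call traces, so this
    # condition is probably a weak discriminator on its own -- confirm.
    trace_modules = (
        "dbgcore.dll",
        "dbghelp.dll",
        "kernel32.dll",
        "kernelbase.dll",
        "ntdll.dll",
    )
    if not any(module in call_trace for module in trace_modules):
        return False

    # NOTE(review): this drops every event whose SourceUser contains these
    # fragments (presumably NT AUTHORITY and its localized spellings), so
    # access performed under such accounts is not covered by this rule --
    # confirm that gap is handled by another detection.
    if any(fragment in source_user for fragment in ("authori", "autori")):
        return False

    # Known-benign: THOR scanner run from the ASGARD agent directory.
    thor_scan = (
        ":\\windows\\temp\\asgard2-agent\\" in call_trace
        and "\\thor\\thor64.exe+" in call_trace
        and "|unknown(" in call_trace
        and granted_access == "0x103800"
    )
    # Known-benign: Sysmon itself. Only the path suffix is checked.
    sysmon_source = source_image.endswith(":\\windows\\sysmon64.exe")

    return not (thor_scan or sysmon_source)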
