def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") in [4656, 4663],
            event.deep_get("ObjectType", default="") == "Key",
            event.deep_get("ObjectName", default="")
            == "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent",
            not any(
                [
                    "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe"
                    in event.deep_get("ProcessName", default=""),
                    "Microsoft.Identity.Health.Adfs.InsightsService.exe"
                    in event.deep_get("ProcessName", default=""),
                    "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe"
                    in event.deep_get("ProcessName", default=""),
                    "Microsoft.Identity.Health.Adfs.PshSurrogate.exe"
                    in event.deep_get("ProcessName", default=""),
                    "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe"
                    in event.deep_get("ProcessName", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
