import re


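# Event ID this detection applies to; every branch of the rule requires it.
# NOTE(review): compared as an integer, so a string "30" from the log pipeline
# would never match - confirm the field type delivered by the parser.
_LDAP_SEARCH_EVENT_ID = 30

# SearchFilter substrings that indicate a broad query over directory object
# types (groups, accounts, OUs, GPOs, servers, trusts, privileged groups).
# NOTE(review): matching is case-sensitive, while this list itself carries both
# "admincount=1" and (in the flag list below) "(adminCount=1)"; confirm whether
# SearchFilter is case-normalised upstream, otherwise differently-cased
# queries are not covered.
_GENERIC_FILTER_SUBSTRINGS = (
    "(groupType:1.2.840.113556.1.4.803:=2147483648)",
    "(groupType:1.2.840.113556.1.4.803:=2147483656)",
    "(groupType:1.2.840.113556.1.4.803:=2147483652)",
    "(groupType:1.2.840.113556.1.4.803:=2147483650)",
    "(sAMAccountType=805306369)",
    "(sAMAccountType=805306368)",
    "(sAMAccountType=536870913)",
    "(sAMAccountType=536870912)",
    "(sAMAccountType=268435457)",
    "(sAMAccountType=268435456)",
    "(objectCategory=groupPolicyContainer)",
    "(objectCategory=organizationalUnit)",
    "(objectCategory=nTDSDSA)",
    "(objectCategory=server)",
    "(objectCategory=domain)",
    "(objectCategory=person)",
    "(objectCategory=group)",
    "(objectCategory=user)",
    "(objectClass=trustedDomain)",
    "(objectClass=computer)",
    "(objectClass=server)",
    "(objectClass=group)",
    "(objectClass=user)",
    "(primaryGroupID=521)",
    "(primaryGroupID=516)",
    "(primaryGroupID=515)",
    "(primaryGroupID=512)",
    "Domain Admins",
    "admincount=1",
)

# Regex forms of the generic selection (applied with match(), i.e. anchored at
# the start of SearchFilter).
# NOTE(review): `\\.*` matches a literal backslash followed by any text, not a
# literal `*`. If the intent was to catch presence filters such as
# `objectGUID=*`, these patterns will not fire on them - confirm against the
# rule definition this was generated from.
_GENERIC_FILTER_PATTERNS = (
    re.compile(r"^.*objectGUID=\\.*.*$"),
    re.compile(r"^.*(schemaIDGUID=\\.*).*$"),
)

# Filters that pin the query to a SID; a generic hit that also matches one of
# these is excluded from the first branch. The parentheses are regex groups,
# so any "domainSid=" / "objectSid=" on the first line of the filter matches.
_NARROWING_PATTERNS = (
    re.compile(r"^.*(domainSid=.*).*$"),
    re.compile(r"^.*(objectSid=.*).*$"),
)

# SearchFilter substrings referring to account-control flags, delegation
# attributes, account expiry, adminCount and the ms-MCS-AdmPwd attribute.
# A hit here alerts on its own; the SID exclusion is not applied.
_ACCOUNT_FLAG_SUBSTRINGS = (
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
    "(userAccountControl:1.2.840.113556.1.4.803:=2097152)",
    "!(userAccountControl:1.2.840.113556.1.4.803:=1048574)",
    "(userAccountControl:1.2.840.113556.1.4.803:=524288)",
    "(userAccountControl:1.2.840.113556.1.4.803:=65536)",
    "(userAccountControl:1.2.840.113556.1.4.803:=8192)",
    "(userAccountControl:1.2.840.113556.1.4.803:=544)",
    "!(UserAccountControl:1.2.840.113556.1.4.803:=2)",
    "msDS-AllowedToActOnBehalfOfOtherIdentity",
    "msDS-AllowedToDelegateTo",
    "msDS-GroupManagedServiceAccount",
    "(accountExpires=9223372036854775807)",
    "(accountExpires=0)",
    "(adminCount=1)",
    "ms-MCS-AdmPwd",
)

# Whole-filter pattern used together with the privileged-group DN check.
# NOTE(review): as written this requires SearchFilter to start with
# "objectclass=" followed by a literal backslash, with no enclosing
# parentheses; a filter of the form "(objectclass=*)" does not match.
# This branch may therefore never fire on real events - confirm.
_OBJECTCLASS_PATTERN = re.compile(r"^(objectclass=\\.*)$")

# DistinguishedName substrings naming the privileged groups of interest.
_PRIVILEGED_GROUP_DNS = (
    "CN=Domain Admins",
    "CN=Enterprise Admins",
    "CN=Group Policy Creator Owners",
)


def rule(event):
    """Return True when an event-ID-30 LDAP search looks like directory enumeration.

    The event alerts when any of these holds:

    1. SearchFilter contains a generic object-type filter (substring or
       regex) and does not also contain a domainSid=/objectSid= term.
    2. SearchFilter contains one of the account-flag / delegation substrings.
    3. SearchFilter matches the objectclass pattern and DistinguishedName
       contains one of the privileged group names.

    Args:
        event: Object exposing ``deep_get(key, default=...)``; the fields read
            are ``EventID``, ``SearchFilter`` and ``DistinguishedName``.

    Returns:
        bool: True to raise an alert, False otherwise.

    Compared with the previous form, each field is looked up once and the
    checks short-circuit, so events with another EventID return False without
    touching SearchFilter at all.
    """
    if event.deep_get("EventID", default="") != _LDAP_SEARCH_EVENT_ID:
        return False

    search_filter = event.deep_get("SearchFilter", default="")

    # Branch 1: broad object query that is not scoped to a specific SID.
    generic_hit = any(
        needle in search_filter for needle in _GENERIC_FILTER_SUBSTRINGS
    ) or any(pattern.match(search_filter) for pattern in _GENERIC_FILTER_PATTERNS)
    if generic_hit and not any(
        pattern.match(search_filter) for pattern in _NARROWING_PATTERNS
    ):
        return True

    # Branch 2: account-control flag or sensitive-attribute query.
    if any(needle in search_filter for needle in _ACCOUNT_FLAG_SUBSTRINGS):
        return True

    # Branch 3: objectclass query against a privileged group's DN.
    if _OBJECTCLASS_PATTERN.match(search_filter):
        distinguished_name = event.deep_get("DistinguishedName", default="")
        return any(name in distinguished_name for name in _PRIVILEGED_GROUP_DNS)

    return False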
