def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") in [5136, 5145],
            any(
                [
                    all(
                        [
                            event.deep_get("AttributeLDAPDisplayName", default="")
                            in ["gPCMachineExtensionNames", "gPCUserExtensionNames"],
                            "42B5FAAE-6536-11D2-AE5A-0000F87571E3"
                            in event.deep_get("AttributeValue", default=""),
                            any(
                                [
                                    "40B6664F-4972-11D1-A7CA-0000F87571E3"
                                    in event.deep_get("AttributeValue", default=""),
                                    "40B66650-4972-11D1-A7CA-0000F87571E3"
                                    in event.deep_get("AttributeValue", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("ShareName", default="").endswith("\\SYSVOL"),
                            any(
                                [
                                    event.deep_get("RelativeTargetName", default="").endswith(
                                        "\\scripts.ini"
                                    ),
                                    event.deep_get("RelativeTargetName", default="").endswith(
                                        "\\psscripts.ini"
                                    ),
                                ]
                            ),
                            "%%4417" in event.deep_get("AccessList", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
