def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 104,
            event.deep_get("Provider_Name", default="") == "Microsoft-Windows-Eventlog",
            not event.deep_get("Channel", default="")
            in [
                "Microsoft-Windows-PowerShell/Operational",
                "Microsoft-Windows-Sysmon/Operational",
                "PowerShellCore/Operational",
                "Security",
                "System",
                "Windows PowerShell",
            ],
        ]
    ):
        return True
    return False
