def rule(event):
    if all(
        [
            "\\Microsoft\\Windows Defender\\Features\\TamperProtection"
            in event.deep_get("TargetObject", default=""),
            event.deep_get("Details", default="") == "DWORD (0x00000000)",
            not any(
                [
                    all(
                        [
                            event.deep_get("Image", default="").startswith(
                                "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"
                            ),
                            event.deep_get("Image", default="").endswith("\\MsMpEng.exe"),
                        ]
                    ),
                    event.deep_get("Image", default="")
                    == "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
                ]
            ),
        ]
    ):
        return True
    return False
