def rule(event):
    """Flag use of SeLoadDriverPrivilege by a process outside the allow-list.

    Matches Windows Security event 4673 (a privileged service was called)
    where the privilege is SeLoadDriverPrivilege (load and unload device
    drivers) and the Service field is "-", unless ProcessName matches one of
    the exclusions below.

    Args:
        event: log event exposing ``deep_get(key, default=...)``.

    Returns:
        True when the event should raise an alert, otherwise False.
    """
    # NOTE(review): EventID is compared against the integer 4673, so an event
    # carrying the string "4673" does not match. Confirm the log schema.
    is_driver_privilege_use = (
        event.deep_get("EventID", default="") == 4673
        and event.deep_get("PrivilegeList", default="") == "SeLoadDriverPrivilege"
        and event.deep_get("Service", default="") == "-"
    )

    process_name = event.deep_get("ProcessName", default="")

    # All comparisons below are case-sensitive. A listed binary logged with
    # different casing is not excluded and will raise an alert.

    # Exact full-path matches for Windows components.
    is_windows_component = process_name in (
        "C:\\Windows\\explorer.exe",
        "C:\\Windows\\HelpPane.exe",
        "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
        "C:\\Windows\\System32\\Dism.exe",
        "C:\\Windows\\System32\\fltMC.exe",
        "C:\\Windows\\System32\\mmc.exe",
        "C:\\Windows\\System32\\rundll32.exe",
        "C:\\Windows\\System32\\RuntimeBroker.exe",
        "C:\\Windows\\System32\\ShellHost.exe",
        "C:\\Windows\\System32\\svchost.exe",
        "C:\\Windows\\System32\\SystemSettingsBroker.exe",
        "C:\\Windows\\System32\\wimserv.exe",
    )

    # Prefix match: anything under a WindowsApps directory starting "Microsoft".
    is_store_app = process_name.startswith("C:\\Program Files\\WindowsApps\\Microsoft")

    # Suffix-only matches: the directory above the suffix is not checked, so
    # this exclusion keys on the file name / trailing path alone. Treat it as a
    # noise filter, not as proof of the binary's identity; pair it with a
    # signer or hash check elsewhere if these tools matter in your environment.
    is_known_tool = process_name.endswith(
        (
            "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
            "\\Google\\Chrome\\Application\\chrome.exe",
            "\\procexp.exe",
            "\\procexp64.exe",
            "\\procmon.exe",
            "\\procmon64.exe",
        )
    )

    # Dropbox needs both an install-directory prefix and the executable name.
    in_dropbox_dir = process_name.startswith(
        (
            "C:\\Program Files (x86)\\Dropbox\\",
            "C:\\Program Files\\Dropbox\\",
        )
    )
    is_dropbox = in_dropbox_dir and process_name.endswith("\\Dropbox.exe")

    is_excluded = is_windows_component or is_store_app or is_known_tool or is_dropbox
    return is_driver_privilege_use and not is_excluded
