def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") in [2004, 2071, 2097],
            event.deep_get("Action", default="") == 3,
            event.deep_get("ModifyingApplication", default="").endswith(
                ":\\Windows\\System32\\wbem\\WmiPrvSE.exe"
            ),
        ]
    ):
        return True
    return False
