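def rule(event):
    """Flag ESENT event 325 records that name an ntds.dit file in an unusual folder.

    The rule fires when all of the following hold:

    * ``Provider_Name`` is exactly ``ESENT``.
    * ``EventID`` is 325, as an integer or as the string ``"325"``.
    * ``Data`` mentions ``ntds.dit`` together with one of the path fragments
      listed in ``suspicious_markers`` (drive root, user profile folders,
      PerfLogs, Temp, Users\\Public).

    A copy of the Active Directory database outside its normal directory is
    worth triaging as possible credential-store staging. The fragment list is
    a heuristic: a copy written to any other folder is not covered here.

    Args:
        event: Object exposing ``deep_get(*keys, default=...)``.

    Returns:
        bool: True when the event matches, False otherwise.
    """
    # Windows paths are case-insensitive, so matching is done on a lower-cased
    # copy of Data. A case-sensitive test misses real-world spellings such as
    # "\AppData\", "\PerfLogs\" or "NTDS.DIT".
    suspicious_markers = (
        ":\\ntds.dit",
        "\\appdata\\",
        "\\desktop\\",
        "\\downloads\\",
        "\\perflogs\\",
        "\\temp\\",
        "\\users\\public\\",
    )

    if event.deep_get("Provider_Name", default="") != "ESENT":
        return False

    # Some log pipelines deliver EventID as text; accept both representations.
    event_id = event.deep_get("EventID", default="")
    if event_id != 325 and str(event_id).strip() != "325":
        return False

    # Read Data once. A missing or non-string value cannot be substring-matched,
    # so it is treated as "no match" instead of raising inside the rule.
    data = event.deep_get("Data", default="")
    if not isinstance(data, str):
        return False

    data = data.lower()
    if "ntds.dit" not in data:
        return False
    return any(marker in data for marker in suspicious_markers)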
