def rule(event):
    if any(
        [
            event.deep_get("TargetFilename", default="").endswith("\\All.cab"),
            event.deep_get("TargetFilename", default="").endswith(".ntds.cleartext"),
        ]
    ):
        return True
    return False
