def rule(event):
    if event.deep_get("TargetFilename", default="").endswith("ebpfbackdoor"):
        return True
    return False
